Perhaps the biggest question looming over the future of SEC action on cybersecurity is whether the SEC will initiate enforcement actions against public companies, either for failure to disclose material cyberrisks, or failure to timely report a breach. Speaking in February, then-Acting Director (now Co-Director) of the SEC’s Division of Enforcement, Stephanie Avakian, reportedly said that she did not believe that the Division could “rule out” bringing a case against a company that failed to disclose to the public known cybersecurity vulnerabilities. Following the breach disclosure by Equifax in September and the public outcry that followed, in late October she suggested that the likelihood of an enforcement action had increased since her February statement, calling out “cyber-related disclosure failure by a public company” as an “area of potential enforcement interest” for the Enforcement Division. Recognizing the novelty and uncertainty of the legal landscape in this area, Avakian said that the SEC is “not looking to second-guess reasonable, good faith disclosure decisions.” However, in what might have been an instance of deliberate foreshadowing, she also made clear that she “can certainly envision a case where enforcement action would be appropriate.”
via The SEC’s Cyber Unit: Friend or Foe to Registered Entities? | Corporate Counsel.