The SEC’s action is noteworthy in a number of respects, not least because it targets not only the company but also the company’s Chief Information Security Officer (CISO). The SEC’s action in that regard is sure to send a shiver down the collective spines of the CISO community. The Journal article notes that it is “unusual” for the SEC to target public company officials “who don’t directly oversee or prepare the company’s financial statements.”
The SEC’s allegations concerning the company’s December 2020 disclosure of the hack are also interesting. The fact that the agency targeted the company’s incident disclosure is particularly significant in light of the incident disclosure requirements in the agency’s recently issued cybersecurity disclosure guidelines; the agency is clearly signaling that it will be policing the adequacy of cybersecurity incident disclosures.
The bottom line is that cybersecurity disclosure is clearly at the center of the agency’s radar screen. The agency wants companies to know that their disclosures about their cybersecurity risks are material, and are being monitored and policed.
Source: SEC Files Cybersecurity Disclosure Suit Against SolarWinds and Exec | The D&O Diary