After years of relatively gentle guidance when it came to disclosing cyber risk and cyber breaches, the SEC signaled that the kid gloves had come off when it proposed and ultimately adopted its new cyber disclosure rules.
The SEC had also already been signaling its changing enforcement posture, including a 2021 penalty of $500,000 it imposed on American Title Company and a $1 million penalty on Pearson plc for disclosure issues related to cyber events.
After all of this, no one should be surprised that the SEC is now making enforcement personal. It’s typical for the SEC to look for a particularly strong case to make its point. SolarWinds fits the bill.
Being a CISO is hard enough; these folks need to be able to sleep at night. Indeed, companies that take steps to protect their CISOs will, in the long run, have the most effective CISOs. Training a CISO on relevant corporate governance issues, making sure you have appropriate cyber insurance, and especially providing a CISO with an indemnification agreement and protection under the company’s D&O insurance program will increasingly become table stakes for talented CISOs. And these are, after all, exactly the people companies need to lead the charge when it comes to avoiding and mitigating devastating cyber catastrophes in the first place.