46 Coping with Future Potential SEC Cybersecurity Enforcement » The SEC remains committed to cybersecurity enforcement, but the specifics are still developing. The creation of the CETU confirms that cybersecurity disclosures remain a key area of scrutiny. » There is a potential shift towards focusing on “fraudulent” cybersecurity disclosures, possibly moving away from past actions that heavily emphasized negligence-based charges. » This could mean a narrower scope for SEC investigations, charges, and penalties related to cybersecurity disclosures. » Companies must maintain robust disclosure and escalation procedures for cybersecurity incidents. » The SEC expects companies to have well-defined disclosure practices and committees to ensure timely and accurate information flow for materiality assessments. In simpler terms: The SEC is still very interested on cybersecurity, but the SEC may change how it enforces the rules. It might focus more on companies that intentionally lie about cybersecurity issues or fail to promptly disclose such issues. When adopting its Cybersecurity Rules, the SEC recognized that disclosure of immaterial cybersecurity issues may “divert investor attention” and result in “mispricing of securities,” and there is concern that the practical effect of enforcement actions will be an increase in filings reporting on immaterial events. Regardless, companies still need to have policies and procedures in place to address and report material cybersecurity incidents.
RkJQdWJsaXNoZXIy MjgzNzA=