SEC Enforcement Action Following a Cyber Incident Is a Heightened Risk
Grewal acknowledged that, whatever its precautions, a company will experience cyber incidents. As Grewal noted at the outset of his remarks, “cyber resilience is a concept that recognizes that breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it’s not a matter of if, but when.”
Despite the inevitability of these incidents, Grewal exhibited little sympathy for companies that mishandle reporting obligations when faced with the crisis of responding to a cyber incident. He stated that he had “zero tolerance for gamesmanship around the disclosure decision.” He advised executives to disclose concerns about a data breach to the SEC “sooner rather than later”—even if you only “think you might” have a material event to disclose—and regardless of whether your company has finished its internal investigation into the incident.
Grewal emphasized that, when there are cyberattacks on publicly traded companies, the SEC considers the investing public to be potential victims of those incidents….
