SEC Vows to Step up Cybersecurity Disclosure Enforcement

On May 12, 2022, the Security and Exchange Commission laid out its regulatory agenda last week at the Securities Enforcement Forum West 2022. According to JD Supra, “Recent enforcement actions have made clear that a company may not publicly characterize cybersecurity risk in a hypothetical way when the company already has information that the risk has manifested. See, e.g., Yahoo!, Pearson.”

In addition, SEC officials, citing Yahoo!, explained it is “critical” that public companies maintain adequate internal controls to bridge the gap between the information security team and those responsible for assessing the company’s disclosure obligations (e.g., attorneys and outside auditors).”