Remarks of SEC Enforcement Director on Cyber Resilience

Blog Keeping Current: Disclosure and Governance Developments

On June 22, 2023, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, spoke on the topic of cyber resilience at the Financial Times Cyber Resilience Summit. Director Grewal defined cyber resilience as a guiding concept: because cybersecurity incidents are likely to occur, companies must be prepared to respond and react appropriately when they do.

While not weighing in on the SEC’s pending rulemaking activity for new cybersecurity disclosure requirements, Director Grewal shared five principles that guide the Enforcement Division’s approach to a company’s cybersecurity and disclosure obligations.

  1. The Division views the investing public, not just the public company being attacked, as potential victims due to the impact on customers whose information has been compromised and the potential materiality of that information to investors. The Division’s goal is to ensure that investors receive timely and accurate disclosure in order to prevent additional victimization.
  2. Companies need “real” cybersecurity policies, not generic form policies, in place and must implement those policies, including by instructing and educating employees on how to identify and address cybersecurity risks and how to respond to incidents.
  3. Companies need to regularly review and update their cybersecurity policies to keep up with the evolving threats. “What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective,” Director Grewal said. As part of this effort, companies should review the SEC’s enforcement actions and public statements.
  4. Companies need to have internal processes in place so that information about potential cybersecurity incidents is timely reported to senior executives responsible for the company’s disclosure.
  5. Companies need to prioritize their disclosure obligations over other concerns such as the risk of reputational damage. Director Grewal stressed that the Division has “zero tolerance for gamesmanship,” such as “hyper technical readings of the rules” as a basis for not making disclosure.

Director Grewal also noted that failure to disclose cyber incidents may lead to stiffer penalties and encouraged companies that have, or think they may have had, a material cyber incident to talk to the SEC sooner rather than later.
