Acting SEC enforcement director Stephanie Avakian says the agency may file formal enforcement actions against public companies that fall short of cyber incident and risk reporting requirements. While the agency has yet to do so since issuing guidance on the topic in 2011, Avakian told a recent panel session of the International Association of Privacy Professionals' Global Privacy Summit she could foresee circumstances where it would be necessary to file suit. Despite the SEC's willingness to pursue an enforcement action, Avakian also sought to reassure it would not target companies that make "good faith disclosure decisions" that nonetheless fall short of expectations.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.