ARTICLE
9 March 2022

A Look At SEC's Last Decade Of Cybersecurity Enforcement Efforts, Part 1: Focus On Public Companies

HB
Haynes and Boone

Contributor

Haynes and Boone logo

Haynes Boone is among the fastest-growing firms in the Am Law 100, providing full-service counsel across sectors, including corporate, energy, financial services, real estate, restructuring, litigation, intellectual property and specialty transactions. The firm represents companies at all stages – many in the Fortune 500 and S&P 500 and hundreds that are well-funded, exchange-listed, privately held and/or in emerging-growth mode. Nearly 700 lawyers practice across 19 global offices in California, Colorado, Illinois, New York, North Carolina, Texas, Virginia, Washington, D.C., London, Mexico City and Shanghai. In 2024, Chambers USA ranked 35 firm practice areas, and Haynes Boone became the first Am Law 100 firm to earn Mental Health America’s Gold Bell Seal for its industry-leading commitment to creating a mentally healthy workplace.

Explore Firm Details
A decade ago, the Securities and Exchange Commission increased its focus on cybersecurity and the impact cybersecurity incidents and risks have on the market and on investors.
United States Corporate/Commercial Law
Kit Addleman,Timothy Newman, and Carrington M. Giammittorio

A decade ago, the Securities and Exchange Commission (SEC) increased its focus on cybersecurity and the impact cybersecurity incidents and risks have on the market and on investors. For public companies, the commission began to focus on what those companies were saying (or not saying) about cybersecurity incidents they suffered or the cybersecurity risks that affect their businesses. For regulated entities, the commission's attention was heightened on cybersecurity controls—i.e., what policies and procedures did registered entities have in place to protect customer data and to prevent, detect, and respond to cybersecurity attacks?

Over the past 10 years, the commission has discussed cybersecurity obligations under federal securities laws through staff-level and commission-level guidance, comment letters, division priorities, and alerts; a section 21(a) report of investigation; and, more recently, enforcement actions. This two-part series looks back at what the SEC has said about cybersecurity, starting with the focus on public company disclosure obligations (in Part I) and following with the focus on registered entities' cybersecurity controls (in Part II).

The Initial Salvo Was Staff-Level Guidance from the SEC's Division of Corporation Finance

On October 13, 2011, the SEC's Division of Corporation Finance released guidance, CF Disclosure Guidance: Topic No. 2—Cybersecurity (Oct. 13, 2011) (the 2011 guidance), outlining its views on public company disclosure obligations related to cybersecurity. This was the first time the commission or any of its divisions spoke explicitly about cybersecurity disclosure obligations. The 2011 guidance did not establish any new disclosure requirements. Instead, it reviewed the existing framework of disclosure obligations, highlighting the following disclosure areas, which might be implicated by cybersecurity incidents or risks: 

  • Risk Factors;
  • Management's Discussion and Analysis of Financial Condition and Results of
  • Operations (MD&A);
  • Description of Business;
  • Legal Proceedings;
  • Financial Statement Disclosures; and
  • Disclosure Controls and Procedures


Excerpted from The American Bar Association. To read the full article, click here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Kit Addleman
Kit Addleman
Photo of Timothy Newman
Timothy Newman
Photo of Carrington M. Giammittorio
Carrington M. Giammittorio
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More