“The SEC is inching closer to clarity on cybersecurity requirements” by Jonathan D. Uslaner and Jasmine Cooper-Little, published in Reuters

April 20, 2023


In this Reuters article, “The SEC is inching closer to clarity on cybersecurity requirements,” BLB&G Partner Jon Uslaner and Associate Jasmine Cooper-Little consider the SEC’s promising start in protecting investors from harmful cyber incidents, and the department’s cybersecurity-focused agenda.

In 2022, the SEC nearly doubled the size of its Enforcement Division's Cyber and Crypto Assets Unit. Since that time, the unit has brought enforcement actions against several SEC-regulated entities for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents. Jon and Jasmine note that the SEC is also bringing enforcement actions against individuals for wrongdoing related to cybersecurity breaches. These SEC enforcement actions have resulted in charges, fines, and settlements for both groups.

At present, shareholders await the SEC’s decision regarding a rule proposed in March 2022, which, among other things, would: (1) further enhance and standardize disclosure requirements regarding cybersecurity risk management, strategy, governance, and incident reporting, (2) require public companies to report material cybersecurity incidents on Form 8-K, (3) mandate periodic disclosures regarding a registrant's policies and procedures to identify and manage cybersecurity risks, management's role in implementing cybersecurity policies and procedures, and the board of directors' cybersecurity expertise, if any, and (4) require companies to provide updates about previously reported cybersecurity incidents.

Jon and Jasmine also evaluate the SEC’s continuing momentum. Most notably, in March 2023, the agency reopened the comment period for proposed rules and amendments related to cybersecurity risk management and cybersecurity-related disclosure for registered investment advisers, registered investment companies, and business development companies. The SEC’s energetic pursuit of a more cohesive cybersecurity regulatory regime continues, but the implications for the regulated entities and public companies under its jurisdiction remain to be seen.