SEC v. Hackers: More Cybersecurity Enforcement On The Horizon?

Cybersecurity may be the SEC’s newest area for enforcement actions. While the SEC first released Disclosure Guidance concerning cybersecurity in 2011, the recent media attention surrounding significant cybersecurity breaches at a number of U.S. companies may cause the SEC to renew interest in the issue, and may result in enforcement actions, as well as shareholder class actions and derivative lawsuits. Companies that fail to disclose cybersecurity events in their public filings may find themselves on the wrong end of an SEC investigation and enforcement action.

Companies may also see an increase in class actions where there is a significant stock drop following disclosure of a cybersecurity breach. To date, however, there is little evidence to suggest the market reacts in a negative way following disclosure of a cybersecurity breach, leaving questions about whether plaintiffs could prove materiality and causation in a securities fraud case. Finally, increased focus on cybersecurity disclosures may result in an increase in shareholder derivative actions against officers and directors, with shareholders alleging that the company breached their fiduciary duties by failing to ensure adequate security measures.

The 2011 SEC guidance included instructions for how companies might consider disclosing cybersecurity risks. In particular, the SEC emphasized that companies are not required to present risks that “could apply to any issuer or any offering, and should avoid generic risk factor disclosure.” Instead, the SEC asked that companies focus on cybersecurity risks that are specific to the company’s business or operations, and include a description of cyber incidents that the registrant has experienced, including any response to those incidents.

Despite the 2011 guidance, recent media reports suggest that very few companies have disclosed cybersecurity incidents, including actual hacking events.

 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Orrick - Securities Litigation and Regulatory Enforcement Group | Attorney Advertising
