May 9, 2023
It is no secret among public companies and their counsel that the US Securities and Exchange Commission has steadily adopted a more aggressive stance on cybersecurity controls and disclosure and incident response recordkeeping. SEC Senior Counsel Arsen Ablaev recently highlighted the Commission’s cybersecurity priorities at the annual Incident Response Forum Masterclass. SEC Chair Gary Gensler also emphasized risks in cyber and information security in the March 29 budget hearing with the House Appropriations Committee, and endorsed U.S. President Joe Biden’s request to earmark a record $2.4 billion in funding for the regulator in 2024. Last month saw yet another example of the SEC’s mounting focus on cyber disclosures as an enforcement priority with the announcement that cloud computing company Blackbaud agreed to pay a $3-million civil penalty to settle administrative charges for alleged “materially misleading disclosures” about a 2020 ransomware attack.
As we foreshadowed in our 2023 U.S. Cybersecurity and Data Privacy Outlook and Review, the increase in SEC enforcement resources (e.g., doubling the size of its Crypto Assets and Cyber Unit Ablaev sits in), in combination with the promulgation of cybersecurity risk management, strategy, governance, and incident disclosure rules Ablaev confirmed will be finalized in coming months, signal that cybersecurity will continue to be an area of heightened enforcement activity for the SEC. In light of these developments, it is critical companies take stock of their cyber hygiene policies and incident response protocols, and not only manage cybersecurity risks and prevent attacks, but also respond to them with proper disclosures.
Reproduced with permission from the May 4, 2023 edition of Legaltech News. Copyright 2023 ALM Global Properties, LLC.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group, or the authors:
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
David Woodcock – Dallas (+1 214-698-3211, [email protected])
Vivek Mohan – Palo Alto (+1 650-849-5345, [email protected])
Mashoka Maimona, an associate working in the firm’s San Francisco office who is admitted only in Ontario, Canada, also contributed to this article.