Recent SEC Enforcement Actions Emphasize Importance of Robust Disclosure Controls

On October 22, 2024, the Securities and Exchange Commission (SEC) announced enforcement actions against several technology companies for making materially misleading disclosures regarding cybersecurity risks and intrusions. One company was also charged with disclosure controls violations. The enforcement actions reinforce that companies should: Carefully consider updating disclosures in the wake of cybersecurity incidents, particularly when a company’s […]

Recent SEC Enforcement Actions Emphasize Importance of Robust Disclosure Controls
Posted by Anita B. Bandy, Raquel Fox, and William E. Ridgway, Skadden, Arps, Slate, Meagher & Flom LLP, on Wednesday, November 27, 2024
Editor's Note:

Anita B. Bandy, Raquel Fox, and William E. Ridgway are Partners at Skadden, Arps, Slate, Meagher & Flom LLP. This post is based on their Skadden memorandum.

On October 22, 2024, the Securities and Exchange Commission (SEC) announced enforcement actions against several technology companies for making materially misleading disclosures regarding cybersecurity risks and intrusions. One company was also charged with disclosure controls violations.

The enforcement actions reinforce that companies should:

  • Carefully consider updating disclosures in the wake of cybersecurity incidents, particularly when a company’s risk profile changes as a result of an incident.
  • Maintain policies and procedures to facilitate prompt escalation of cybersecurity incidents to disclosure decision-makers.
  • Understand the SEC’s view of materiality and avoid minimizing cybersecurity incidents in disclosures.

The charges against the companies are the result of the SEC’s investigation of public companies potentially impacted by the SolarWinds’ Orion software vulnerability and other related activity. The penalties in the enforcement actions range from $990,000 to $4 million.

Notably, two SEC commissioners issued another strong dissenting statement to these actions. We anticipate that a new SEC administration will take a different approach to cyber-related enforcement actions.

(more…)