Many of the public company filings produced during the Securities and Exchange Commission’s first year of implementing a rule requiring the disclosure of “material” cybersecurity incidents have been vague and confusing, providing little value to investors, legal analysts said.
The lack of Republican support for the rule at the SEC coupled with questions over its usefulness — as implemented so far — place it at risk of being rescinded or at least scaled back after President-elect Donald Trump takes office, they said.
“As something that was intended to provide information for investors, it’s a failure,” Scott Kimpel, a partner at law firm Hunton Andrews Kurth, said in an interview. “Whether the agency goes through the trouble of trying to repeal it in the future remains to be seen.”
Trump has vowed to bring about massive regulatory cuts across the federal government.
Earlier this month, he announced the selection of Paul Atkins, a business consultant and cryptocurrency industry lobbyist, to become the next chairman of the SEC. If confirmed, Atkins is widely expected to help advance Trump’s vision of delivering regulatory relief to companies.
However, with a host of controversial issues facing the SEC in the next administration — including cryptocurrency and climate change — it’s unclear whether rolling back cybersecurity rules will be high on the priority list, Kimpel said.
Breach disclosure ‘balancing act’
The SEC’s cybersecurity rule requires a “material” cybersecurity incident to be disclosed on Form 8-K within four business days of the company’s determination that the incident is material, not within four days of its discovery. The rule was intended to provide investors with timely and “decision-useful” cybersecurity information, according to the SEC, but in many cases companies have disclosed only minimal details about the incident, according to Kimpel.
“Very rarely do any of the filings tell you anything interesting or useful about the incident other than the fact that the company had an incident, there was a temporary disruption in operations, and it was fixed,” he said. “That doesn’t seem to be the sort of information that’s either material or decision-useful for investors.”
Similar views were expressed by Matthew Richardson, a partner at the law firm Brown Rudnick.
“There’s a balancing act to be struck, and I’m afraid that the current way it’s being done is probably not correctly balanced,” he told CFO Dive.
The cybersecurity rule presents public companies with a dilemma, according to Richardson. While there’s a need for investors to understand the risks associated with a breach, companies also need to worry about the possibility of disclosing details that could be exploited by hackers.
Besides offering scant details in many cases, some filings have also opened the door to investor confusion, according to Kimpel.
Among early disclosures, companies including Microsoft, HP Enterprise and Prudential Financial filed reports on incidents they had deemed immaterial after a preliminary investigation, or had not yet determined to be material. This prompted the SEC in May to issue guidance clarifying that the new breach reporting rule wasn’t intended to sweep in immaterial incidents, and that companies choosing to disclose such incidents voluntarily should do so under a different Form 8-K item rather than Item 1.05, which is reserved for incidents determined to be material.
Republican opposition
The SEC adopted the rule in the summer of last year as part of a broader package of cybersecurity requirements. It was a party-line 3-2 vote by the commission, with Republicans Hester Peirce and Mark Uyeda dissenting.
The breach disclosure provision was among the most contentious aspects of the rulemaking. It requires companies to determine the materiality of an incident “without unreasonable delay following discovery and, if the incident is determined material, file an Item 1.05 Form 8-K generally within four business days of such determination,” according to a fact sheet.
The sweeping package also requires public companies to describe annually on Form 10-K their processes for assessing, identifying and managing cybersecurity risks, along with their board of directors’ oversight of those risks.
Wednesday marks the first anniversary of the breach disclosure mandate taking effect.
An analysis by BreachRx, a provider of cybersecurity incident management software, found that a total of 71 8-Ks disclosing breaches were filed by 47 companies as of Nov. 18.
“The results reveal confusion and caution on whether and when to file and a general failure to provide enough information that could effectively protect companies from future SEC enforcement actions,” said a report on the findings.
Fewer than half (48%) of the filings in the sample provided specific insight into the organization’s incident response procedures; the remaining 52% provided “only boilerplate information,” the report said.
SolarWinds Litigation
Before the rules took effect, the SEC’s cybersecurity enforcement program rested on agency guidance, chiefly interpretive guidance issued in 2011 and 2018, applied through the securities laws’ general antifraud and disclosure-control provisions rather than any cyber-specific reporting requirement.
In one high-profile case brought in October 2023 — after the rules were adopted but before they kicked in — the SEC sued Austin, Texas-based software provider SolarWinds and its chief information security officer, Timothy Brown, for allegedly defrauding investors by mischaracterizing cybersecurity practices that were in place at the company leading up to a major breach discovered in December 2020. The company has denied the charges.
Much of the suit was thrown out in a July ruling, but the core fraud claims, which rest on the company’s public statements about its security practices, survived.
The SEC’s cybersecurity rules themselves haven’t yet resulted in any enforcement actions. The agency announced in October that it had settled with four companies, Unisys, Avaya, Check Point and Mimecast, over charges that they made misleading disclosures about the impact of the 2020 SolarWinds compromise on their own systems, but the new rules did not apply in those cases.
“The companies involved in those cases experienced cybersecurity incidents before the new cybersecurity incident disclosure requirements went into effect,” Lenin Lopez, an attorney specializing in corporate governance and securities law at insurance brokerage firm Woodruff Sawyer, said in an email.
Lopez said the lack of cases directly stemming from the rules isn’t surprising given that it has only been a year since they kicked in. Also, it’s clear the agency has at the very least been closely monitoring how companies are disclosing cybersecurity incidents based on comment letters responding to filings and the guidance that was issued earlier this year, he said.
“As to the outlook for 2025, while some are theorizing that the cyber disclosure rules will be pared back or repealed entirely, either of those outcomes will take time and companies would be best served in operating without those possibilities in mind,” Lopez said.
Michael Diver, a partner at Katten Muchin Rosenman, said it’s possible the SEC could loosen some of the cybersecurity reporting obligations, but a wholesale repeal is unlikely.
“There’s a low probability the rules will be rescinded because there’s too much risk to companies with cyber events,” he said in an email.