{"id":2144,"date":"2022-03-08T11:24:28","date_gmt":"2022-03-08T16:24:28","guid":{"rendered":"https:\/\/seci.wpenginepowered.com\/?p=2144"},"modified":"2022-03-08T11:24:28","modified_gmt":"2022-03-08T16:24:28","slug":"chair-gensler-cybersecurity-speech-cybersecurity-and-securities-law","status":"publish","type":"post","link":"https:\/\/seciblog.pli.edu\/index.php\/chair-gensler-cybersecurity-speech-cybersecurity-and-securities-law\/","title":{"rendered":"Chair Gensler Cybersecurity Speech \u2013 Cybersecurity and Securities Law"},"content":{"rendered":"

On March 9, 2022, as you can read in this Meeting Notice<\/a>, the SEC is meeting to consider rule making about “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.”<\/strong><\/p>\n

As a bit of background, on January 24, 2022, Chair Gary Gensler delivered a speech titled \u201cCybersecurity and Securities Laws<\/a>\u201d at the Northwestern Pritzker School of Law\u2019s Annual Securities Regulation Institute.\u00a0 He addressed cybersecurity from a variety of perspectives, including a discussion of what may be the very first \u201chack\u201d, a telegraph scheme in France in 1834!\u00a0 His remarks included this discussion of public company cybersecurity disclosures, which provides important insights for drafting risk factor and related cybersecurity disclosures in 34 Act reports:<\/strong><\/p>\n

Public Companies<\/strong><\/p>\n

Next, let me turn to public companies\u2019 disclosure with respect to cyber risk and cyber events.<\/p>\n

The basic bargain is this: Investors get to decide what risks they wish to take. Companies that are raising money from the public have an obligation to share information with investors on a regular basis.<\/p>\n

Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend.<\/p>\n

Thus, I\u2019ve asked staff to make recommendations for the Commission\u2019s consideration around companies\u2019 cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.<\/p>\n

A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.<\/p>\n

In addition, I\u2019ve asked staff to make recommendations around whether and how to update companies\u2019 disclosures to investors when cyber events have occurred.<\/p>\n

Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.<\/p>\n

You can find links to discussions of cybersecurity enforcement cases listed in this post about SEC enforcement priorities<\/a>.<\/p>\n

As always, your thoughts and comments are welcome!<\/p>\n","protected":false},"excerpt":{"rendered":"

On March 9, 2022, as you can read in this Meeting Notice, the SEC is meeting to consider rule making about “Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure.” As a bit of background, on January 24, 2022, Chair Gary Gensler delivered a speech titled \u201cCybersecurity and Securities Laws\u201d at the Northwestern Pritzker School of … Continue reading Chair Gensler Cybersecurity Speech \u2013 Cybersecurity and Securities Law<\/span> →<\/span><\/a><\/p>\n","protected":false},"author":9,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[143,242],"tags":[],"coauthors":[154],"class_list":["post-2144","post","type-post","status-publish","format-standard","hentry","category-hot-topic","category-reporting"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"post_mailing_queue_ids":[],"_links":{"self":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/users\/9"}],"replies":[{"embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/comments?post=2144"}],"version-history":[{"count":0,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/posts\/2144\/revisions"}],"wp:attachment":[{"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/media?parent=2144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/categories?post=2144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/tags?post=2144"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/seciblog.pli.edu\/index.php\/wp-json\/wp\/v2\/coauthors?post=2144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}