On June 22, 2023, Gurbir S. Grewal, Director of the SEC’s Division of Enforcement, spoke on the topic of cyber resilience at the Financial Times Cyber Resilience Summit. Director Grewal defined cyber resilience as a guiding concept: because cybersecurity incidents are likely to occur, companies must be prepared to respond and react appropriately when they do.
While not weighing in on the SEC’s pending rulemaking activity for new cybersecurity disclosure requirements, Director Grewal shared five principles that guide the Enforcement Division’s approach to a company’s cybersecurity and disclosure obligations.
- The Division views the investing public, not just the public company that was attacked, as potential victims: the incident affects customers whose information has been compromised, and the incident itself may be material to investors. The Division's goal is to ensure that investors receive timely and accurate disclosure in order to prevent additional victimization.
- Companies need “real” cybersecurity policies, not generic form policies, in place and must implement those policies, including by instructing and educating employees on how to identify and address cybersecurity risks and how to respond to incidents.
- Companies need to regularly review and update their cybersecurity policies to keep up with the evolving threats. “What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective,” Director Grewal said. As part of this effort, companies should review the SEC’s enforcement actions and public statements.
- Companies need to have internal processes in place so that information about potential cybersecurity incidents is timely reported to senior executives responsible for the company’s disclosure.
- Companies need to prioritize their disclosure obligations over other concerns such as the risk of reputational damage. Director Grewal stressed that the Division has “zero tolerance for gamesmanship,” such as “hyper technical readings of the rules” as a basis for not making disclosure.
Director Grewal also noted that failure to disclose cyber incidents may lead to stiffer penalties and encouraged companies that have, or think they may have had, a material cyber incident to talk to the SEC sooner rather than later.