Insights

On July 26, 2023, the SEC finalized long-awaited disclosure rules (the “Final Rules”) regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the Securities Exchange Act of 1934.  While the end results are substantially similar to rules proposed by the SEC in March 2022, there are some key distinctions. 

The risks faced by companies in light of new federal cybersecurity regulations are particularly acute for government contractors, who must also be aware of compounded exposure from the False Claims Act (FCA). The U.S. government is increasingly scrutinizing corporate cybersecurity programs, and companies are vulnerable to new risks of civil and criminal liability related to data breaches. The specter of individual criminal liability looms large since the 2022 conviction of the chief security officer at a leading rideshare company for actions related to his response to data breaches. And now, the SEC has charged the CISO of SolarWinds in his individual capacity with securities fraud related to the company’s cybersecurity regime. All companies—especially government contractors—should consider mitigating risk by auditing their cybersecurity protocols and updating their incident response plans.

With stronger rules requiring disclosure of cyber risk and cyber breaches, 2023 has seen heightened SEC enforcement of companies’ obligations in cyber breaches and, notably, enforcement charges brought directly against Chief Information Security Officers (CISOs).