Companies that fall victim to cybersecurity incidents have much more than hackers to worry about.
Several recent U.S. Securities and Exchange Commission enforcement actions highlight the agency’s aggressive stance against companies that it believes file inadequate disclosures following cyber incidents.
Fenwick partner Michael S. Dicke was quoted extensively on the matter in a recent two-part Cybersecurity Law Report article that examines key takeaways from the SEC actions, offers practical recommendations for avoiding mistakes, and unpacks the politics of SEC enforcement.
“It strikes a lot of people as wrong that companies who are victims of a cyber incident are being forced to admit to SEC violations, pay significant monetary penalties and be subject to a continuing cease-and-desist order going forward. Conceptually, you shouldn’t punish a victim twice,” Michael told Cybersecurity Law Report.
In the article, Michael provides tips on what to include in a disclosure—with a focus on using meaningful numbers to quantify incident details and convey their importance, as well as strengthening channels for reporting upward.
Read the full article here (subscription required).