The Securities and Exchange Commission (SEC) has created a new cyber unit, no doubt raising questions for cyber insurers about the potential impact of the changes on their liability, including from SEC cyber regulations involving disclosure of cyber attacks.
Called the Cyber and Emerging Technologies Unit (CETU), it’s been formed “to focus on combatting cyber-related misconduct and to protect retail investors from bad actors in the emerging technologies space,” according to the SEC. This includes various forms of fraud, including that involving crypto, but also: “Regulated entities’ compliance with cybersecurity rules and regulations” & “Public issuer fraudulent disclosure relating to cybersecurity.”
We’ve written extensively about SEC rules announced in 2023 that require public companies to file 8K disclosures when they suffer cyber breaches — cyber regulations that have produced fewer disclosures of serious breaches than some had expected.
We wondered if the new unit might drive more regulatory scrutiny of such disclosures and the companies making them. But detailed analysis from law firm King Spalding, which includes an interesting combination of historical, legal and political considerations, suggests that’s unlikely.
“(W)hile public company disclosures and regulated entities’ compliance with cybersecurity rules will remain areas of focus, we expect that cases in those areas will focus on clearcut violations where there is evidence of scienter (CIN: i.e., intent or knowledge of wrongdoing), rather than instances where the SEC is second-guessing language choices or materiality judgments with the benefit of hindsight,” the firm predicts.
Indeed, the law firm calls the move a “rebranding” of the existing SEC unit focused on cyber issues. We’ll see.
Other News: SEC Cracks Down on Cyber Disclosures: Does Cyber Insurance Cover Costs & Fines? (Opens in a new browser tab)
