Whiplash: The (Brief and Tragic?) Life of the SEC’s Cyber Disclosure Rules

In 2023 and 2024, our public company clients were focused on complying with the SEC’s cyber disclosure rules—and on the risk from big, high-profile government enforcement actions like the SolarWinds case. But with a new SEC Chair now in place, the cyber rules look to be at risk, while aggressive cyber enforcement actions are likely a thing of the past. In this week’s edition of the D&O Notebook, my colleague and former SEC lawyer Walker Newell makes some predictions about what may come next in the SEC’s cyber saga and what it means for our clients. —Priya Huskins

These days, life comes at you fast. Over the past couple of years, public companies have spent considerable time and treasure preparing for and then complying with the Securities and Exchange Commission’s Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rules (“the Cyber Rules”). Yet today, less than two years after they were adopted, the Cyber Rules are at significant risk of being repealed. 

In this article, I’ll take a look at the potential fate of the Rules, what may come next, and what it means for public companies trying to comply with disclosure obligations, minimize expenses, and mitigate securities litigation risk. 

Hacking Victims or Securities Fraudsters? 

No public company wants to suffer a significant data breach. When hackers penetrate corporate defenses, there are often material negative consequences for the company, both direct (e.g., business interruption) and indirect (e.g., customer litigation). So, when a business is hacked, everyone agrees that the company is a victim of a crime. 

Most serious observers would also agree that if executives intentionally lie to investors about an enormous and consequential data breach, there should be some consequences under the securities laws. 

The Clayton (Trump 1) and Gensler (Biden) SEC administrations generally agreed with the above propositions. But they departed significantly in how they chose to define the universe of public companies that might be liable for securities fraud in connection with a data breach. 

In 2016, the Director of the SEC Division of Enforcement said: “We do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted.” 

In 2023, the next Enforcement Director struck a markedly different tone, emphasizing that the agency would have “zero tolerance for gamesmanship around the disclosure decision. Here, I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk.” 

The difference was not just in tone. In mid-2023, the SEC adopted the Rules, creating an expansive new disclosure regime for public companies. The SEC also pursued highly aggressive cyber enforcement theories through the SolarWinds and R.R. Donnelley cases. In the former case, a federal district judge rejected the SEC’s expansive view of its authority under the internal accounting controls provisions of the federal securities laws. 

Since the SolarWinds fireworks in late 2024, things have been pretty quiet in SEC cyber world as everyone has been waiting for new agency leadership to take the helm. On April 10, Paul Atkins was confirmed as the next SEC Chair. What does this mean for the SEC’s future as a cyber + securities regulator? 

Back to the Future 

When the SEC passed the Cyber Rules, Commissioners Peirce and Uyeda each dissented. Both remain on the Commission today. Here’s what they said about the Cyber Rules in 2023. 

  • Commissioner Peirce: “[T]his final cybersecurity disclosure rule continues to ignore both the limits to the SEC’s disclosure authority and the best interests of investors. . . . When companies fail to make the required disclosures about cyber risks or inform investors of a cyber incident in a timely manner, the Commission can bring an enforcement action based on existing disclosure obligations. We do not need additional regulations. However, I could have supported a cyber rule designed to guide public companies in their obligation to disclose material cyber risks and material cyber incidents in a way that would be net-beneficial to investors.”
  • Commissioner Uyeda: “Following today’s amendments, investors will have far less insight into how a company manages these other risks relative to cybersecurity, even if the company has not had any material cybersecurity incidents. Why is this? If the Commission elevates one risk above all others, the public deserves to know why the Commission is doing so. Failure to provide a reasoned basis is arbitrary and capricious and ignores the purposes of the Securities Act and the Exchange Act. It is not enough to simply proclaim ‘investor protection’ and ‘public interest.’” 

Both Commissioners worked for Chair Atkins early in their careers, so it is a safe bet that the new SEC leader has a similarly dim view of the Cyber Rules. Chair Atkins didn’t specifically reference the Cyber Rules in his prepared remarks to the Senate Banking Committee prior to confirmation, and I haven’t seen any reporting that he was specifically asked about the Cyber Rules during the hearing (although Senator Elizabeth Warren did send him a letter asking about the fate of the Cyber Rules). 

Regardless, I think it is fair to assume that this general portion of Chair Atkins’ prepared remarks likely represents his view of the Cyber Rules: “Unclear, overly politicized, complicated, and burdensome regulations are stifling capital formation, while American investors are flooded with disclosures that do the opposite of helping them understand the true risks of an investment.” 

But will the SEC take prompt steps to repeal the Cyber Rules? While no one knows for sure, my guess is that the agency will quickly put the Cyber Rules to the knife. In addition to the strong signals described above, in late March, the House Financial Services Committee sent the SEC a list of rules that Republican legislators want repealed. 

Number one on that list? The Cyber Rules. 

The Future of Public Company Cyber + Securities Regulation 

Of course, until and unless the SEC repeals or modifies the Cyber Rules, it’s business as usual for public companies. 

But let’s assume I am right that the Cyber Rules are headed for the wood chipper. How should public companies think about securities law risk in connection with cyber controls and incidents going forward? 

In some ways, you can just pretend the last four years never happened. Look back at the 2018 Commission Statement and Guidance on Public Company Cybersecurity Disclosures. Expect some new guidance to take the place of the defunct Cyber Rules. And, regardless of the specific fate of the Cyber Rules, expect that the Division of Enforcement will pivot from “zero tolerance” back to not second-guessing “good faith disclosure decisions.” 

For public company securities lawyers and disclosure committees, this will come as a significant relief. However, risk will remain. For one thing, the SEC will still retain the ability to sue public companies for cyber-related disclosure decisions in egregious cases. For another, private plaintiffs have brought many cybersecurity-related securities class actions and derivative cases in recent years and will continue to look for opportunities to make money in this space. 

Given these continued risks, public companies will want to leverage the muscular cyber disclosure infrastructure they have put in place over the past few years to continue to mitigate risk, even in an environment of fewer disclosure obligations and lower chances of liability for securities fraud. It’s still a good thing that your cybersecurity team has increased connectivity with the finance and legal functions responsible for making corporate disclosure decisions, and it probably doesn’t make sense to tear up those roads.  
