Organizations are at Risk of Major SEC Penalties for Failing to Disclose Breaches

Companies and their Chief Information Security Officers (CISOs) are now under increased scrutiny by the US Securities and Exchange Commission (SEC) as a result of new cybersecurity and data breach disclosure rules that have recently taken effect. Failure to comply with these rules could result in significant fines and penalties for businesses.

In the event of an investigation by the SEC, companies may face a range of enforcement actions, from injunctions to blocking individuals from serving on boards of other companies. The fines imposed by the SEC can escalate rapidly, potentially resulting in substantial financial losses for organizations.

Jena Valdetero, a cybersecurity expert at law firm Greenberg Traurig, LLP, emphasizes the importance of empowering CISOs to ensure compliance with SEC regulations. She notes that the SEC has made it clear that cybersecurity enforcement is a top priority, placing significant responsibility on CISOs to safeguard their organizations from potential penalties.

The monetary penalties imposed by the SEC can be significant, starting at $5,000 per violation and increasing to $100,000 per violation depending on the severity of the breach. In addition to financial penalties, companies may also face reputational damage, shareholder lawsuits, and legal fees associated with investigations.

The recent SEC enforcement actions against SolarWinds and its CISO Timothy Brown serve as a wake-up call for executives, highlighting the potential costs and repercussions of non-compliance. CISOs now face heightened personal liability for cybersecurity incidents, adding to the complexity of their roles within organizations.

As a result, CISOs are experiencing a shift in their responsibilities and are seeking greater support and guidance from legal and compliance teams. Companies are expected to invest in enhanced Directors and Officers (D&O) liability insurance to protect CISOs in the event of investigations or legal challenges.

Despite the challenges and uncertainties surrounding SEC enforcement actions, there is a silver lining for organizations that have established policies and procedures in place. Kathleen McGee, a legal expert, advises companies to document their decision-making processes and ensure transparency in addressing cybersecurity incidents to demonstrate good faith and compliance with SEC regulations.

Ultimately, companies and CISOs that prioritize cybersecurity readiness and maintain proactive measures are better positioned to navigate the evolving regulatory landscape and mitigate the risks associated with SEC enforcement actions. By fostering a culture of security awareness and accountability, organizations can safeguard against potential financial and reputational losses in the event of a cybersecurity incident.
