Cybersecurity is one of the gravest threats facing public companies, the markets, and the economy at large today. Because of this pressing threat, the SEC has increased its attention to cybersecurity. In 2018 interpretive guidance, consistent with the mandatory disclosure regime established by federal securities regulation, the SEC stipulated that public companies have a duty to disclose those cybersecurity risks and incidents that are material to investors. The 2018 guidance added little, however, and instead parroted earlier guidance from the SEC’s Division of Corporation Finance. Moreover, the SEC itself has been plagued by cybersecurity problems. This Note asserts that to regulate cybersecurity effectively, the SEC must both strengthen its own cybersecurity and further expand upon, rather than simply repeat, the obligation of public companies to disclose cybersecurity risks and incidents.
Rebecca Rabinowitz, From Securities to Cybersecurity: The SEC Zeroes In on Cybersecurity, 61 B.C.L. Rev. 1535 (2020), https://lawdigitalcommons.bc.edu/bclr/vol61/iss4/7