SEC Keeps Cyber Enforcement Alive

The Securities and Exchange Commission has launched a new cybersecurity enforcement unit — or, more accurately, dropped crypto stuff from its previously existing crypto assets and cybersecurity enforcement unit. Anyway, it’s a reminder that cybersecurity issues are still on the SEC’s radar screen, so corporate audit and financial disclosure teams need to respond accordingly.

Acting SEC chairman Mark Uyeda announced the cybersecurity unit on Thursday. Its full name is the Cyber and Emerging Technologies Unit (CETU, because we can never have enough acronyms in this line of work), and it will be headed by Laura D’Allaird, who has worked on SEC cyber enforcement issues for most of the last decade. The team will have about 30 people.

Uyeda said the unit will “root out those seeking to misuse innovation to harm investors and diminish confidence in new technologies,” and then provided a list of specific misconduct examples that will be on the team’s radar screen:

  • Fraud committed using emerging technologies such as artificial intelligence and machine learning;
  • Use of social media, the dark web, or false websites to perpetrate fraud;
  • Hacking to obtain material nonpublic information;
  • Takeovers of retail brokerage accounts;
  • Fraud involving blockchain technology and crypto assets;
  • Regulated entities’ compliance with cybersecurity rules and regulations;
  • Public issuer fraudulent disclosure relating to cybersecurity.

In truth, this “new” unit is neither new nor surprising. The SEC first created an enforcement team dedicated to emerging technology issues in the 1990s, and it’s existed in one form or another ever since. The SEC then elevated crypto enforcement issues under the Biden Administration, but pretty much everyone in the Trump 2.0 Administration is in love with crypto; it was only a matter of time before Uyeda shut down that part of the team. 

What Will Enforcement Look Like?

Corporate compliance and audit teams have a few issues to ponder here. First, to what extent will the SEC still pay attention to companies’ compliance with cybersecurity disclosure rules? In 2023 the agency did adopt new rules for expanded disclosure of material cybersecurity incidents, and we have seen enforcement actions since then fining companies for making insufficient or misleading disclosures about incidents they’ve suffered. 

Well, fun fact: acting chairman Uyeda opposed the 2023 disclosure rules when they were adopted. At the time, he said the forward-looking disclosures that companies would be required to make when they suffer a material cybersecurity incident were too burdensome, and that the annual disclosure of how a company assesses and manages cybersecurity risk would elevate cyber risks above all the other risks a company needs to juggle. Now that Uyeda is in charge of seeing those same rules enforced (at least until SEC chairman nominee Paul Atkins is confirmed into office later this spring), color me skeptical that they’ll be a high priority.

Then again, if we want to parse words closely, notice that final bullet point where the SEC said the cybersecurity unit will police against “public issuer fraudulent disclosure” relating to cybersecurity. 

In most of the cases we saw during the Biden Administration, that’s what the enforcement actions were about: that the offending company framed its cyber incident in a misleading way — usually by discussing data breaches as a potential thing, when in fact the company already knew that data had been lost or compromised. Indeed, the SEC had already been fining companies for that sort of misleading disclosure since before it adopted its 2023 rules — so maybe Uyeda will be on board with that sort of enforcement action after all.

I also wonder how this unit will handle accusations of “AI washing,” where a company tells investors or customers that it’s using artificial intelligence in all sorts of whiz-bang wondrous ways, when in fact the company isn’t really using AI at all. The SEC announced an AI-washing crackdown in 2024 and did fine a few companies for making misleading statements about AI to the public, but those cases were fly-by-night financial firms purporting to use AI to make investment recommendations to customers. That’s not the same as sanctioning an operating company for using AI in some way that creates new risks the company should disclose to investors. 

Remember the Cybersecurity Basics

Regardless of how energetically this enforcement unit does or doesn’t tackle cybersecurity compliance issues, internal auditors, CISOs, and compliance officers do have a larger question to remember here. 

Who cares? A strong cybersecurity program is its own reward because it helps you tame your operational risks — which are at least as important as, and probably more important than, your compliance risks.

The SEC’s cybersecurity disclosure rule requires a company to “describe the material aspects of the nature, scope, and timing of the incident, and the material impact or reasonably likely material impact on the registrant, including its financial condition and results of operations” — and to do all that within four days of deciding that, yep, the incident you just suffered is indeed material.

Well, if you can’t make all those same disclosures to your board or senior management team within four days, something in your internal controls regime isn’t working right. The board will probably throw you out the nearest open window, and deservedly so. The issue is that you need strong internal controls and cybersecurity teams that can gather such information, period. 

Whether that information then stays within the boardroom as a discussion of operational risk, or goes into an 8-K filing to fulfill a compliance obligation — at least you’ve done your job, and can live to fight another day.
