SEC Enforcement Action for Incomplete Cyber Incident Disclosures
The U.S. Securities and Exchange Commission (SEC) recently charged four companies for insufficient disclosures related to cybersecurity incidents, specifically the SolarWinds Orion hack. These public, or formerly public, companies allegedly did not fully communicate the nature and impact of the cybersecurity breaches affecting their systems. This raised concerns with the regulator about transparency and risk communication.
The enforcement actions found that the companies' disclosures lacked sufficient detail about the actual impact of the breaches and failed to inform stakeholders of the full extent of the incidents, including potential vulnerabilities and ongoing risks.
Each company faced financial penalties, ranging from $990,000 to $4 million, as part of the settlement for these lapses. Importantly, none of the companies admitted or denied the SEC’s findings, but they all agreed to strengthen their cybersecurity reporting practices.
Our guidance
This enforcement action underscores the SEC's continued focus on cybersecurity and providing investors and the public with accurate and transparent information about cybersecurity risk management and incidents. While incident reporting and disclosures are not yet required for investment advisers, broker-dealers, or funds that would be covered by the SEC’s proposed Cybersecurity Risk Management Rule, these firms should still take note of these enforcement actions, as well as the SEC’s continued focus on cybersecurity in its 2025 Examination Priorities.
To prepare for cybersecurity-focused exams and potential rulemaking, firms should review the effectiveness of their cybersecurity program to ensure it is reasonably designed to manage cybersecurity risks. Additionally, firms should begin planning now for how they will balance the requirement to provide stakeholders with accurate and transparent information about how cybersecurity risk is managed against the need to avoid disclosing details that could give cyber attackers information useful in a potential attack.
How we help
ACA Aponix® can help your firm build your cybersecurity program to strengthen your line of defense against cyberattacks. Our services include:
- Aponix Protect® is a cybersecurity and technology risk solution that helps you build a comprehensive risk management program tailored to your business needs.
- ACA Signature combines cybersecurity with compliance advisory services, innovative technology and managed services for a scalable solution that can help you gain expert insight, guidance, and support as you navigate emerging challenges.
Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations.