Welcome to Reuters Legal News beta. Please enjoy and provide us with your feedback as we continue to improve the Reuters Legal News experience.

Skip to main content
Skip to floating mini video

WilmerHale's Stephanie Avakian on the SEC's cyber crackdown

2 minute read
Register now for FREE unlimited access to Reuters.com
  • Wilmer Cutler Pickering Hale and Dorr LLP

The company and law firm names shown above are generated automatically based on the text of the article. We are improving this feature as we continue to test and develop in beta. We welcome feedback, which you can provide using the feedback tab on the right of the page.

(Reuters) - The U.S. Securities and Exchange Commission's enforcement division has showed a renewed interest in policing corporate failures over cyber security lapses.

This summer, London-based Pearson PLC settled with the agency over its handling of a cybersecurity incident, as did real estate title insurance company First American Financial Corp.

Stephanie Avakian, who was the co-director of enforcement at the SEC before becoming a partner at Wilmer Cutler Pickering Hale and Dorr, spoke with Reuters about the cases and what to expect from the regulator on the cyber front.

Register now for FREE unlimited access to Reuters.com

This conversation has been edited for clarity and length.

REUTERS: We recently saw an uptick in SEC enforcement actions on cybersecurity. Why?

AVAKIAN: The big case that the SEC had brought against a public company for a (cyber security) disclosure failure was the Yahoo case, which was several years ago. This past summer, we saw two more cases against public companies. That suggests a level of focus and increased aggression in looking at the disclosures companies do or don't make in the wake of a cyber incident.

REUTERS: What are you seeing the SEC go after companies for?

AVAKIAN: The case called First American is interesting. The SEC charged the company with failure to maintain disclosure controls and procedures. It wasn't a fraud or misstatement case. It was really this failure to have disclosure controls and procedures that were designed to ensure that management had all the available information so that they could make disclosure decisions.

The agency has brought disclosure control cases before. It's an interesting move to do it in this cyber security space.

REUTERS: Is that an easy decision to decide to disclose?

AVAKIAN: It is often a very difficult determination to make whether there's been a material incident, and if so what you should disclose and when. Companies are cautious, appropriately so, and don't want to be in a position of saying something that turns out to be incorrect.

REUTERS: Cyber risk is on the SEC's rulemaking agenda. What do you expect to see?

AVAKIAN: The chairman in his Senate testimony not too long ago suggested the SEC is looking at both how companies manage cyber risks and looking at incident reporting for breaches, ransomware payments and the like. At least based on early indications, we're likely to at least see a proposal that sort of would lay out a more prescriptive disclosure regime.

Register now for FREE unlimited access to Reuters.com

Our Standards: The Thomson Reuters Trust Principles.

Jody Godoy reports on banking and securities law. Reach her at jody.godoy@thomsonreuters.com

More from Reuters