The Security and Exchange Commission (SEC) does not force companies to reveal cybersecurity breaches, but it has begun to review public company disclosures.  At present, ‘there is no existing rule, requirement or regulation that actually references cybersecurity,’ Elaine Wolff, a partner at Jenner & Block and moderator of the session on the SEC and cybersecurity, told delegates. She referenced the 2013 data breach at Target Corp for which there was no official protocol to disclose it to shareholders or the SEC.

The primary issue

The SEC will review its own cybersecurity policies in the coming year, and it is currently working on a data breach preparedness test for companies.  Quoting a recent survey, Mary Ellen Callahan, chair of Jenner & Block’s Privacy and Information Governance Practice, said general counsel had  named cybersecurity their primary issue for three years running.  Source: Bloomberg BNA