In the space of 2 months, the SEC went from “Companies also may have disclosure obligations” for breaches to paying $35 million for failure to disclose. When the expectations change so quickly, it is important for companies to think strategically not only about where enforcement action has been but where it is going. It is now clear that the SEC is operating in the cyber enforcement space and that they expect fast answers. What, however do they want?
via The Clock is Ticking!: The Types of Cybersecurity Disclosures Required by the Securities and Exchange Commission | Privacy & Security Law Blog.