Skip to main content
Skip to navigation

Regulatory Enforcement

SEC’s Grewal spotlights enforcement focus on cyber disclosures

By Adrianne Appel2023-06-29T21:32:00

The No. 1 priority at the Securities and Exchange Commission (SEC) after organizations are impacted by a cybersecurity incident is that investors receive timely and accurate disclosures, according to the agency’s enforcement head.

The SEC understands firms have to make quick decisions when responding to a cyberattack, including around disclosures, said Gurbir Grewal during a speech at a cyber resilience summit on June 22.

“But we cannot lose focus of the fact that those decisions directly impact customers” and might be material to investors, Grewal said. Publicly traded companies, investment advisers, and broker-dealers collect and hold an extensive amount of data about organizations and client accounts, plus personally identifiable information about individuals that’s valuable to bad actors, Grewal said.

THIS IS MEMBERS-ONLY CONTENT

You are not logged in and do not have access to members-only content.

If you are already a registered user or a member, SIGN IN now.

Related articles

Premium
Preparing for SEC cybersecurity rules an opportunity for collaboration

2023-08-25T13:40:00Z By Adrianne Appel

Businesses can prepare for the Securities and Exchange Commission’s upcoming cybersecurity disclosure rule by going through it and identifying key gaps in compliance.
Premium
Risks, opportunities under SEC’s cyber incident disclosure rule

2023-08-02T19:57:00Z By Adrianne Appel

The clock is ticking for public companies to put in place policies and practices to meet the requirements of the Securities and Exchange Commission’s newly approved cybersecurity incident disclosure rule.
News Brief
SEC adopts rule requiring cyber incident disclosures within four days

2023-07-26T16:30:00Z By Kyle Brasseur

The Securities and Exchange Commission finalized its controversial rule requiring public companies to disclose the nature, scope, timing, and impact of cybersecurity incidents deemed to be material within four business days.

More from Regulatory Enforcement

Article
Georgia Tech to pay $875,000 for allegations brought by compliance officers

2025-10-07T16:08:00Z By Adrianne Appel

Georgia Tech Research Corp. (GTRC) has agreed to pay $875,000 to settle allegations first raised by two compliance officers that its cybersecurity protocols violated acceptable standards for defense contractors, the Department of Justice (DOJ) said.
Article
Tractor Supply Company hit with $1.35M fine for alleged California privacy violations

2025-10-06T17:12:00Z By Adrianne Appel

Tractor Supply Company has agreed to get into compliance with California’s consumer privacy law and to pay a $1.35 million fine—the largest yet by California—to settle allegations it violated the privacy rights of customers and job applicants.
Basic Page
LuminUltra fined $685K by BIS for illegal shipment to Iran

2025-10-06T16:46:00Z By Aly McDevitt

A single $33,000 shipment to Iran triggered a six-figure penalty and years of compliance oversight for biotechnology company LuminUltra Technologies, Inc.