CISO Trainings , Legislation & Litigation , Standards, Regulations & Compliance
CISOs on the Hook: SEC Tightens Cybersecurity Disclosures
Lee of Jenner & Block on How SolarWinds Case Ushered in New Era of Risk ManagementThe SolarWinds case has redefined cybersecurity disclosure obligations, especially for chief information security officers. The SEC's novel theories in this case have set a precedent for how organizations must present their cybersecurity practices, said Jennifer Lee, partner at Jenner & Block. While the judge dismissed some SEC claims, the case has confirmed the SEC's power to enforce cybersecurity regulations.
See Also: The State of Enterprise Mobile App Security 2023: Results Analysis
CISOs are now responsible for ensuring that their companies' security statements align with actual practices, Lee said. Failure to align internal practices with public statements could expose companies to significant regulatory risks.
"SEC is going to be looking at CISOs as a subject matter expert. What CISOs need to do is have clarity on what it is that they are being asked to approve. They can no longer be passive," she said.
In this interview with Information Security Media Group at Black Hat 2024, Lee also discussed:
- The increased scrutiny on CISOs related to new cybersecurity reporting rules;
- The importance of accurate cybersecurity disclosures;
- The disconnect between CISOs' influence and their legal accountability.
Lee has nearly two decades of experience in litigation, specializing in business litigation, data privacy and cybersecurity, and securities laws. Previously, she served as assistant regional director at the U.S. Securities and Exchange Commission's Division of Enforcement, where she oversaw complex investigations and enforcement actions.