In October 2024, the SEC announced enforcement actions against four technology companies for materially misleading disclosures about cybersecurity incidents. The civil penalties ranged from $990,000 to $4 million. A recent analysis from Skadden breaks down what happened, what the SEC is looking for, and what might change under a new administration.
What the SEC Charged
The enforcement actions stemmed from the SEC's investigation into companies affected by the 2020 SolarWinds Orion supply-chain compromise, in which a trojanized Orion software update gave the attackers a foothold in customer networks. The charges fell into two categories.
First, some companies disclosed a cybersecurity incident but omitted material details: that a nation-state actor was likely responsible, that the threat actor had persisted undetected in their systems for an extended period, or the true scope of the data exfiltrated.
Second, other companies failed to update their disclosures after an incident materially changed their risk profile. Their filings used the same generic, hypothetical language about cybersecurity risks that they'd used before the breach — even though they now faced real, demonstrated threats. One company was also charged with failing to maintain disclosure controls that would ensure cybersecurity incidents reached decision-makers in time.
What This Means for Financial Services Firms
The SEC made clear that materiality assessments should consider whether data protection is critically important to a company's reputation and whether the company holds sensitive data that would interest state-sponsored actors. For financial services firms, the answer to both questions is almost always yes.
The practical takeaway: after any significant cyber incident, firms need to evaluate whether their risk profile has changed and whether existing disclosures still reflect reality. Boilerplate language that treats intrusions as hypothetical won't cut it if you've already experienced one.
A Shift May Be Coming
Notably, two Republican commissioners — Peirce and Uyeda — dissented sharply. They argued the SEC is focusing on immaterial details rather than investor harm, and that the agency should treat breached companies as victims, not perpetrators. Their view: if the disclosure “captures the big picture,” it shouldn't trigger enforcement.
With a change in administration, Skadden anticipates the SEC may adopt a narrower view of materiality, focusing on market impact rather than incident details. The agency may also pull back from aggressive use of controls-based charges given recent litigation setbacks, notably the July 2024 court ruling that dismissed the SEC's internal accounting controls claim in its case against SolarWinds itself.
The Bottom Line
Regardless of how enforcement priorities shift, the underlying threat isn't going away. Nation-state attacks on financial services surged 300% in 2024. Regulators — whether aggressive or restrained — expect firms to have real controls, not just policies on paper. The firms that treat cybersecurity as a disclosure and compliance problem, rather than an operational one, are the ones most exposed.
The question isn't whether enforcement will come for your sector. It's whether you'll have something to disclose when it does.