SEC’s Historic Low Activity Despite New Cybersecurity and AI Rules in FY 2024
Introduction
It often felt like most of 2024 was spent talking about the Securities and Exchange Commission (SEC). However, in Fiscal Year 2024, the SEC reported a significant reduction in enforcement activity despite introducing new rules targeting cybersecurity and artificial intelligence (AI). This decline in actions comes at a time when CISOs are balancing litigation risks with the rapid integration of AI in business processes. Despite fewer enforcement actions, financial remedies reached a record high, highlighting a focus on imposing penalties with substantial financial impact. This article explores how the SEC’s shifting approach affects CISOs and the broader regulatory environment.
Enforcement Trends in FY 2024
The SEC recorded its lowest enforcement levels in a decade, excluding pandemic years, with standalone enforcement actions dropping to 431 cases. The decrease reflects internal factors, such as transitional leadership and the reallocation of resources toward high-profile cases. For instance, the Terraform Labs judgment accounted for a large portion of financial remedies, emphasizing the SEC’s strategic focus on impactful cases over volume. Despite fewer actions, the $8.2 billion in financial remedies shows a clear intent to deter misconduct through significant penalties.
Standalone actions fell by 14 percent from the previous year, while follow-on proceedings and delinquency-related cases declined more sharply. These reductions contrast with the SEC’s expanded headcount and earlier rhetoric advocating aggressive enforcement. However, resource-intensive investigations into complex issues like digital assets and cybersecurity may explain this trend. The drop in case numbers highlights a strategic pivot that prioritized major financial outcomes over the breadth of enforcement activity.
New Cybersecurity and AI Regulations
In 2024, the SEC finalized rules requiring companies to disclose cybersecurity incidents and provide annual updates on risk management practices. These regulations aim to increase transparency in how businesses handle emerging threats. The rules also mandate detailed descriptions of how AI is used in operations, alongside assessments of associated risks. This approach seeks to provide investors with actionable information, ensuring companies critically evaluate and disclose technological risks.
The new requirements have led to a stronger focus on governance frameworks for cybersecurity and AI risk management. Public companies must now articulate their approaches to managing these risks in their annual disclosures. This shift has caused heightened scrutiny from some investors, requiring organizations to align internal controls with these external demands. Companies that adopt proactive strategies are likely to improve both regulatory compliance and operational resilience.
Implications for CISOs
CISOs face significant challenges in meeting the SEC’s new documentation requirements. Ensuring timely and accurate disclosures for filings adds complexity to existing risk management efforts. Communicating these risks to non-technical stakeholders, such as board members, is another hurdle. CISOs must translate technical information into business-relevant terms, fostering alignment with organizational priorities. Strategies like training programs and scenario-based explanations can support this effort.
Integrating AI into compliance frameworks introduces additional challenges. Organizations must now evaluate and disclose AI-related risks, requiring collaboration across technical and non-technical teams. These demands require a strategic approach to security and compliance, ensuring day-to-day operations align with regulatory expectations.
Focus on Financial Remedies
In FY 2024, the SEC emphasized financial penalties as a deterrent, securing $8.2 billion in remedies despite fewer enforcement actions. High-profile cases, such as the Terraform Labs judgment, accounted for much of this amount. The emphasis on monetary consequences signals the SEC’s intent to hold violators accountable while encouraging companies to strengthen compliance practices. This shift highlights the agency’s preference for impactful enforcement actions rather than pursuing a high volume of cases. Interestingly, SolarWinds and the related mini-sweep in October 2024 didn’t warrant a mention in the SEC’s November 22nd press release.
The Role of AI in Business Operations
AI continues to reshape business practices, offering opportunities for efficiency and growth. However, the SEC has highlighted the risks of overstating AI’s capabilities. Misleading disclosures can lead to regulatory scrutiny and reputational damage. Companies must ensure public statements about AI are accurate and grounded in practical applications. This approach supports investor confidence and mitigates potential risks.
The European Union’s proactive AI regulations, such as the EU AI Act, contrast with the SEC’s focus on disclosures. The EU imposes stricter controls, emphasizing safety and ethical considerations. These differences in regulatory priorities reflect varied approaches to managing AI’s influence across jurisdictions.
Future Enforcement Trends
Under the Trump administration, the SEC is expected to scale back aggressive enforcement strategies, focusing instead on traditional cases of investor harm. Leadership changes may result in fewer novel legal theories, emphasizing clarity in enforcement priorities. This expected shift could align with broader goals to streamline regulatory processes while supporting economic growth.
Conclusion
The SEC’s reduced enforcement activity in FY 2024 reflects a period of transition and recalibration. The introduction of new rules for cybersecurity and AI underscored the need for transparency and robust governance practices. While fewer cases were brought, the emphasis on financial penalties illustrates a commitment to deterring misconduct. For CISOs, the expanding regulatory landscape requires balancing compliance with operational demands. By meeting disclosure requirements and addressing technological risks, companies can strengthen both investor trust and organizational resilience.
#cybersecurity #GRC #risk #SEC
SEC Enforcement Results for FY2024 ➡️ https://www.sec.gov/newsroom/press-releases/2024-186
Helping SMEs automate and scale their operations with seamless tools, while sharing my journey in system automation and entrepreneurship
2w: The new cybersecurity and AI rules are a huge shift! It's good to see more transparency in risk management, especially with emerging threats. 💯
Managing Principal/Co-founder
2w: Kayne - great piece - thanks for sharing!