On April 20, in response to a Jones Day moderator at the 2017 IAPP Global Privacy Summit, the Securities and Exchange Commission's ("SEC") Acting Enforcement Director commented on the absence of SEC actions against public companies for failing to report cyber incidents and risks. She noted that the absence should not be mistaken for the agency's unwillingness to bring such actions, but she added that "we [SEC] are not looking to second-guess good-faith disclosure decisions."

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.