

Cybersecurity is one of the gravest threats facing public companies, the markets, and the economy at large today. Because of this pressing threat, the SEC has increased its attention to cybersecurity. In 2018 interpretive guidance, consistent with the mandatory disclosure regime established by federal securities regulation, the SEC stipulated that public companies have a duty to disclose those cybersecurity risks and incidents that are material to investors. The 2018 guidance added little, however, and instead parroted earlier guidance from the SEC’s Division of Corporation Finance. Moreover, the SEC itself has been plagued by cybersecurity problems. This Note asserts that to regulate cybersecurity effectively, the SEC must both strengthen its own cybersecurity and further expand upon, rather than simply repeat, the obligation of public companies to disclose cybersecurity risks and incidents.


File details: date uploaded 6 Sep 2022; file size 382 kB



  • Subject
    • Business Organizations Law

    • Internet Law

    • Science and Technology Law

    • Securities Law

  • Journal title
    • Boston College Law Review

  • Volume
    • 61

  • Issue
    • 4

  • Pagination
    • 1535

  • Date submitted

    6 September 2022