Former SEC Lawyer, Danette Edwards Interview


Navigating SEC Cyber Enforcement – An Interview with Danette Edwards

In this engaging episode of Gula Tech Adventures, Ron Gula sits down with Danette Edwards, a seasoned attorney currently with Katten Muchin Rosenman LLP, to discuss the evolving cybersecurity landscape from a legal perspective — particularly regarding the Securities and Exchange Commission (SEC). Edwards brings a unique insider-outsider perspective, having spent 12 years as an SEC enforcement attorney and now representing clients navigating investigations and enforcement actions.

A Career from Both Sides of the SEC

Edwards began her legal journey on the defense side, starting her career at a large national law firm. Her very first case involved criminal defense for an Enron executive. After eight years, she moved to the SEC’s Division of Enforcement, where she handled a wide range of cases — from insider trading and Ponzi schemes to accounting fraud. In 2022, she transitioned back into private practice, now helping companies and individuals defend against government scrutiny.

The SEC Steps into Cybersecurity

A key focus of the interview is the SEC’s increasing involvement in cybersecurity regulation. Edwards breaks down two pivotal developments:

  1. Public Company Cyber Disclosure Rules (July 2023):
    Publicly traded companies must now disclose material cybersecurity incidents within four business days of determining materiality. Additionally, annual reports must include details of cybersecurity risk management and governance.

  2. Safeguards Rule Amendments (May 2024):
    These updates apply to broker-dealers, investment advisers, and crowdfunding platforms, requiring stronger protections for customer data and direct notification of affected individuals in the event of certain breaches.

What This Means for CISOs

CISOs (Chief Information Security Officers) now find themselves under more pressure than ever. In addition to managing day-to-day security, they’re expected to help draft 8-K reports, evaluate breach materiality, and potentially defend their actions during enforcement investigations.

Edwards points out the risks, especially for companies lacking mature security processes or where CISOs don’t have strong support from the board. SolarWinds is a cautionary tale: in late 2023, the SEC filed a high-profile complaint against the company and its CISO. The case alleges that numerous “red flags” were ignored and not reported to investors; heeding and reporting them could have helped mitigate damage from the company’s infamous supply chain attack.

The SEC’s Strategy: Messaging Through High-Profile Cases

The SEC doesn’t have unlimited resources, so it picks “message cases” — enforcement actions against recognizable names meant to set examples. A recent one is ICE (Intercontinental Exchange), parent of the New York Stock Exchange, which settled for $10 million after failing to promptly report a cyber intrusion under the Regulation SCI framework.

High-profile targets like ICE are selected in part because they amplify the regulatory message across industries. As Edwards explains, regulators try to benchmark penalties based on precedent and perceived egregiousness — not just based on financial damage or breach size.

Unintended Consequences: Hackers Join the Fray

A bizarre twist in the new cyber disclosure landscape emerged when ransomware group BlackCat used the SEC’s online tip portal to report a company it had hacked — for not disclosing the breach fast enough. While BlackCat can’t qualify for whistleblower rewards due to “unclean hands,” the incident underscores how attackers now leverage regulations as a form of extortion.

Advice for CISOs: Protect Yourself

So what can CISOs do in this high-pressure environment? Edwards strongly recommends that they:

  • Secure personal liability coverage through D&O insurance (directors and officers), or at least negotiate indemnification agreements with their companies.

  • Keep formal records of risk decisions — especially when compromises are made for cost reasons. The difference between a defensible choice and negligence may hinge on whether decisions were documented and shared with the board.

  • Be wary of informal communications. Slack, Signal, and similar platforms may not comply with recordkeeping laws and could become legal liabilities in a breach investigation.

  • Engage legal counsel early, especially when discussing potentially material incidents, to ensure privileged and defensible decision-making.

Cyber as a Trusted Profession

Edwards and Gula also explore the cultural legitimacy of the cybersecurity profession. Unlike doctors or lawyers, cybersecurity professionals don’t yet enjoy the same universal public respect — despite holding C-suite positions like “CISO.” But with major incidents in the headlines nearly every day, Edwards believes it’s only a matter of time before cybersecurity is seen as essential to both national security and enterprise health.

Lessons for Startups and Private Companies

Although many assume these regulations apply only to large, public corporations, Edwards warns that private tech companies aren’t off the hook. If a Series C startup raises money through private securities offerings and makes misleading statements about cybersecurity posture or fails to disclose significant breaches, the SEC can still investigate.

Even third parties like law firms, IT vendors, and accounting partners can be subpoenaed if they hold information related to public companies under scrutiny. The SEC’s jurisdiction, in other words, is far-reaching — and not limited to those who consider themselves "regulated entities."

Final Thoughts

The cybersecurity legal landscape is rapidly evolving, and Danette Edwards brings a unique lens to help CISOs, tech founders, and executives understand the stakes. Her key takeaways:

  • Expect more regulation, not less.

  • Document cybersecurity decisions as part of your governance and budgeting process.

  • Get insurance or indemnification to reduce personal exposure.

  • Treat communications about risk seriously, especially during or after an incident.

  • Stay informed — and don’t go it alone when the stakes are high.

To learn more or connect with Danette Edwards, visit her firm bio at Katten’s website or reach out directly. You can also watch the full interview on the Gula Tech Adventures YouTube Channel for further insights into SEC trends and cybersecurity best practices.

 
