Regulation: lower SEC actions, higher expectations
- SEC enforcement actions have dropped to a 20-year low, yet penalties stayed high because older cases resolved.
- New SEC cybersecurity disclosure rules require quicker breach reporting and stronger public cyber-risk disclosures.
- So firms face a softer enforcement headline but clearer fiduciary and cyber expectations, especially under recent DOL guidance on investment selection and advice (risk.net; scworld.com; jdsupra.com).
The Securities and Exchange Commission filed fewer enforcement cases in fiscal 2024, but companies still paid a record $8.2 billion as older matters reached judgment. (sec.gov) The agency said it brought 583 total enforcement actions in the year ended September 30, 2024, down 26% from 784 in fiscal 2023. Of those, 431 were new stand-alone cases, down from 501 a year earlier. (sec.gov)

The money moved the other way. The SEC said it obtained $6.1 billion in disgorgement and $2.1 billion in civil penalties, with more than half tied to the Terraform Labs judgment against the crypto project and founder Do Kwon. (sec.gov; whitecase.com)

At the same time, the commission’s cyber disclosure rule now requires public companies to report a material cybersecurity incident on Form 8-K within four business days after deciding the incident is material. The rule also added annual disclosure requirements on cyber risk management, strategy and governance. (federalregister.gov; sec.gov) Those deadlines took effect first for most issuers on December 18, 2023, with smaller reporting companies following on June 15, 2024. The rule allows delays only if the U.S. attorney general determines disclosure would threaten national security or public safety. (kpmg.com)

The Department of Labor tightened the retirement side of the rulebook on April 25, 2024, when it finalized its Retirement Security Rule on when investment advice counts as fiduciary advice under the Employee Retirement Income Security Act. The department said the update was aimed at advice given to retirement investors rolling money out of workplace plans and into other products. (dol.gov; govinfo.gov) That rule did not stay fully in force. Federal judges in Texas issued stays in 2024 blocking the rule’s September 23, 2024 applicability date while litigation continued, leaving firms to operate under the older framework for now. (congress.gov)

The result is a split screen for compliance teams. The enforcement headline got softer in 2024, but the disclosure and fiduciary standards companies have to build around became more specific in cyber reporting and retirement advice. (sec.gov; sec.gov; congress.gov)

The SEC’s own enforcement page says many cases are investigated in private and become public only when the agency files or settles them. That means one year’s lower case count does not erase the pipeline of older investigations that can still end in large penalties. (sec.gov)

For public companies, the practical change is timing: boards, lawyers and security teams now have to decide materiality fast enough to meet a four-business-day clock. For retirement businesses, the fight has shifted to the courts, but the Labor Department’s 2024 rule still shows where regulators want advice standards to go. (federalregister.gov; congress.gov)