Cyber risk remains a real and significant risk for companies, especially in our hyper-connected world. Whether it’s potential attacks by external parties or internal sabotage or even mere mistakes, the threats to business are real.

One place where the noise is quieting at least a bit, however, may be when it comes to the SEC’s focus on cyber disclosure.

Recall that the prior administration both implemented new cyber disclosure rules and took an expansive view of its enforcement powers. The latter notably included using internal control rules to pursue an enforcement action against a company that was the victim of a cyberattack.

The signals coming from the current administration are very different. For example, the SEC has pulled back proposed cyber rules for investment companies and investment advisors.

Industry groups and others are advocating the elimination or modification of the SEC rules mandating rapid disclosure of cyber incidents by issuers, something many issuers decried as problematic when the rules were first proposed.

Issuers may well get their way. This will not eliminate the obligations issuers have to disclose material events, but it will ameliorate the pressure to do so under a timeline of four business days. Instead, issuers can disclose information as events evolve and facts become known.