The U.S. Securities and Exchange Commission has filed civil charges against Meridian Financial Holdings, a publicly traded financial services company, for allegedly misleading investors about the severity of a data breach disclosed in mid-2025. The enforcement action represents the most significant test of the SEC’s cybersecurity disclosure rules since they took effect in December 2023.
Case overview
| Attribute | Details |
|---|---|
| Defendant | Meridian Financial Holdings |
| Individual defendants | CISO David Rourke, General Counsel Patricia Hanover |
| Breach discovery | April 2025 |
| Records compromised | ~14.2 million customers |
| Filing date | January 17, 2026 |
| Stock impact | -12% after-hours |
What the SEC alleges
According to the SEC’s complaint, Meridian discovered a breach of its customer data systems in April 2025 that compromised the personally identifiable information of approximately 14.2 million customers, including Social Security numbers, financial account details, and transaction histories.
Disclosure vs. reality
| What was disclosed | What was true |
|---|---|
| “Limited subset of customer records” | 14.2 million customers affected |
| “Primarily contact information” | SSNs, financial data, transaction histories |
| No mention of SSNs | Full Social Security numbers exposed |
| No mention of financial data | Bank accounts and transaction details compromised |
The SEC alleges that Meridian’s CISO and General Counsel were both aware of the full scope of the breach at the time the 8-K was filed. Internal communications obtained during the investigation reportedly show executives discussing the decision to minimize the disclosed impact to avoid stock price volatility ahead of a planned secondary offering.
“Companies that downplay the severity of a breach to protect their stock price are engaging in securities fraud, plain and simple.”
— SEC Acting Chair Jaime Lizárraga
Prior SEC cybersecurity enforcement
The Meridian charges follow a pattern of increasingly aggressive SEC enforcement on cyber disclosures.
October 2024 enforcement actions
| Company | Penalty | Allegation |
|---|---|
| Unisys Corp. | $4 million | Misleading disclosures + disclosure control violations |
| Avaya Holdings | $1 million | Misleading cyber disclosures |
| Check Point | $995,000 | Misleading cyber disclosures |
| Mimecast | $990,000 | Misleading cyber disclosures |
All four companies were impacted by the SolarWinds Orion compromise. The SEC found they “downplayed the extent of a material cybersecurity breach” by framing known risks “hypothetically or generically when the companies knew the warned of risks had already materialized.”
Key findings from October 2024 cases
| Company | Specific issue |
|---|---|
| Unisys | Described cyber risks as hypothetical despite knowing two SolarWinds-related intrusions had occurred |
| Unisys | Exfiltration of gigabytes of data not disclosed |
| Avaya | Minimized known incident scope |
| Check Point | Generic risk language despite specific knowledge |
| Mimecast | Similar pattern of understating known risks |
SolarWinds case evolution
| Date | Development |
|---|---|
| October 2023 | SEC files charges against SolarWinds and CISO Timothy Brown |
| July 2024 | Federal judge dismisses portions of the case |
| November 20, 2025 | SEC voluntarily dismisses remaining claims with prejudice |
The SolarWinds dismissal in late 2025 marked a significant shift. The case had been the first SEC cybersecurity enforcement action to name an individual CISO and the first to assert internal accounting control claims based on technical cybersecurity failings. The SEC’s decision to drop it signals a change in enforcement philosophy under new leadership.
Shifting enforcement landscape
The SEC under Chairman Paul Atkins (appointed April 2025) has signaled a different approach than the prior administration.
Leadership transition
| Factor | Change |
|---|---|
| Chairman | Paul Atkins (April 2025) |
| Philosophy | Focus on “genuine harm” to investors |
| Criticism of prior approach | Large corporate fines unfairly penalize shareholders |
| Core mission | “Hold accountable those who lie, cheat, and steal” |
2025-2026 enforcement priorities
| Focus area | Status |
|---|---|
| Cybersecurity disclosures | Still active, but refined |
| Material misrepresentations | Primary focus |
| Pre-breach security posture claims | Reduced emphasis |
| Post-incident disclosure accuracy | Increased emphasis |
| Investor harm | Required for enforcement |
“Consistent with Atkins’ stated goal of focusing on ‘genuine harm,’ the SEC is expected to continue to police material cybersecurity misrepresentations and omissions that led to investor harm.”
— Cleary Gottlieb 2025 Year-in-Review
Cyber and Emerging Technologies Unit
The SEC created a Cyber and Emerging Technologies Unit (CETU) focused on:
- Public issuer fraudulent disclosure relating to cybersecurity
- Combating misconduct in emerging technology areas
- Investigating material misrepresentations that harm investors
How the disclosure rules work
The SEC’s cybersecurity disclosure rules (adopted July 2023, effective December 18, 2023):
8-K requirements
| Requirement | Deadline |
|---|---|
| Material incident disclosure | 4 business days after materiality determination |
| Nature of incident | Must be described |
| Scope of incident | Must be described |
| Timing of incident | Must be described |
| Material impact | Must be described |
10-K requirements
| Annual disclosure | Content |
|---|---|
| Risk management | Description of cybersecurity program |
| Strategy | How cyber risk affects business strategy |
| Governance | Board oversight description |
| Management role | Who assesses and manages cyber risk |
Charges and potential penalties
| Charge | Basis |
|---|---|
| Securities fraud | Section 10(b) and Rule 10b-5 |
| Disclosure control violations | Section 13(a) |
| Aiding and abetting | Against individual defendants |
Sought remedies
| Remedy | Target |
|---|---|
| Disgorgement of profits | Corporate and individual |
| Civil monetary penalties | Potentially hundreds of millions |
| Officer-and-director bars | Both individual defendants |
Meridian issued a statement saying it “disagrees with the SEC’s characterization of events” and intends to “vigorously defend” against the allegations.
Cumulative enforcement context
SEC FY2025 enforcement activity
The SEC announced record enforcement actions in the first quarter of fiscal year 2025, signaling continued aggressive posture on disclosure violations.
| Metric | Status |
|---|---|
| Q1 FY2025 enforcement | Record levels |
| Cybersecurity focus | Maintained |
| Individual accountability | Emphasized |
| Investor harm requirement | Primary criterion |
Cases under review
The Division of Enforcement is reportedly reviewing more than a dozen cases involving potentially misleading breach notifications filed since December 2023.
Implications for security leaders
Incident response process changes
| Area | Recommendation |
|---|---|
| Materiality determinations | Document thoroughly with clear rationale |
| Internal communications | Treat as potential evidence from day one |
| CISO involvement | Ensure not pressured to minimize findings |
| Board oversight | Document disclosure decisions |
| Legal review | Independent review of technical findings |
CISO liability considerations
| Development | Impact |
|---|---|
| SolarWinds precedent | CISOs named individually in SEC actions |
| Meridian charges | Extended to post-incident disclosures |
| D&O insurance | Many policies now explicitly cover CISOs |
| Indemnification | Organizations updating agreements |
“Every CISO I know is watching this case. The message is clear: if you know the breach is bad and you sign off on a disclosure that says otherwise, you are personally on the hook.”
— Jake Williams, former NSA hacker and cybersecurity consultant
Industry response
| Perspective | Position |
|---|---|
| Pro-enforcement | Necessary for investor transparency |
| Cautious | May discourage CISOs from disclosure roles |
| Legal | Post-incident disclosure cases easier to prove |
| Practical | Documentation requirements increasing |
2026 outlook
Expected trends
| Trend | Likelihood |
|---|---|
| More post-incident disclosure cases | High |
| Individual CISO charges | Moderate |
| Large corporate penalties | High |
| Focus on investor harm | Required |
| Pre-breach posture cases | Reduced |
Enforcement philosophy
| Prior approach | Current approach |
|---|---|
| Broad cybersecurity program claims | Focus on specific misrepresentations |
| Proactive security posture assertions | Post-incident disclosure accuracy |
| Technical security failings | Material impact on investors |
| Internal controls | Fraudulent disclosure |
Recommendations
For public companies
| Priority | Action |
|---|---|
| Immediate | Review incident response disclosure procedures |
| High | Ensure legal independence in materiality determinations |
| High | Document all disclosure decisions and rationale |
| Ongoing | Train executives on disclosure obligations |
| Critical | Preserve all communications during incidents |
For CISOs
| Priority | Action |
|---|---|
| Immediate | Review D&O insurance coverage |
| High | Establish clear escalation procedures |
| High | Document technical findings independently |
| Ongoing | Understand personal liability exposure |
| Critical | Do not sign off on disclosures you believe are inaccurate |
Disclosure best practices
| Practice | Rationale |
|---|---|
| Err toward disclosure | Understatement creates liability |
| Update as facts emerge | Initial filings can be amended |
| Document materiality analysis | Show good faith process |
| Separate technical from legal | Independent assessments |
| Board involvement | Demonstrates governance |
Context
The Meridian complaint signals that the SEC will pursue enforcement not only for inaccurate pre-breach security claims but also for misleading post-incident disclosures. The combination of individual liability and substantial corporate penalties creates strong incentives for accurate, complete disclosure.
| Reality | Implication |
|---|---|
| Post-incident cases easier to prove | Higher enforcement risk |
| Individual liability established | Personal exposure for executives |
| Documentation is evidence | Every email matters |
| Investor harm is key | Tie disclosure to material impact |
The shift under Chairman Atkins—emphasizing “genuine harm” and the SEC’s core mission—suggests enforcement will focus on clear cases of misleading investors rather than technical cybersecurity program deficiencies. However, the Meridian charges demonstrate that the SEC remains willing to pursue aggressive action when companies materially misrepresent breach severity to protect stock prices.
Organizations should treat breach disclosure as a high-stakes compliance exercise requiring the same rigor applied to financial reporting.