When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities. In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state, and local regulators and law enforcement agencies, including state attorneys general and the FTC. The SEC is a more recent entrant into the cybersecurity enforcement arena. It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts. This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly-traded companies. In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.