The No. 1 priority at the Securities and Exchange Commission (SEC) after organizations are impacted by a cybersecurity incident is that investors receive timely and accurate disclosures, according to the agency’s enforcement head.

The SEC understands firms have to make quick decisions when responding to a cyberattack, including around disclosures, said Gurbir Grewal during a speech at a cyber resilience summit on June 22.

“But we cannot lose focus of the fact that those decisions directly impact customers” and might be material to investors, Grewal said. Publicly traded companies, investment advisers, and broker-dealers collect and hold an extensive amount of data about organizations and client accounts, plus personally identifiable information about individuals that’s valuable to bad actors, Grewal said.