Publicly Traded Company Charged with Misleading Investors Regarding Cyber Incident (01/13/25)

The SEC charged Ashford Inc., a former public company, with providing misleading information in public filings regarding a cyber incident involving a ransom attempt by a threat actor. According to the SEC, the company falsely or negligently stated in multiple filings that it had completed its investigation of the incident and had not identified that any customer information was exposed. However, records clearly indicated that the compromised files included sensitive personally identifiable information and financial information for certain customers. The firm was further faulted for failing to follow its incident response plan, which outlined a process to determine whether customer information and/or financial data was exfiltrated in a security incident. As registered investment advisers prepare for compliance with amended Regulation S-P, which will specifically require robust procedures regarding security incidents and notification to the SEC when sensitive information is reasonably likely to be compromised, the case serves as a reminder of the importance of effectively developing and following an incident response plan. Moreover, it is critical that disclosures to clients and investors regarding security breaches are accurate and do not underplay the impact of such events.