SEC Charges Four Companies with Misleading Cyber Disclosures (10/22/24)

The SEC charged four public companies with making materially misleading disclosures regarding cybersecurity risks and intrusions following the SolarWinds Orion hack. Penalties ranged from $990,000 to $4 million. The SEC criticized the firms for framing cybersecurity risks as hypothetical or describing them generically when they knew that the risks had already materialized. While these cases involve public company disclosures, investment advisers and private fund managers must likewise be cautious about downplaying cybersecurity risks or making misleading statements or inferences in risk disclosures where they have experienced material cybersecurity events.