Introduction to Securities Class Action Lawsuits and Regulatory Developments
As we look forward to the evolving landscape of securities class action lawsuits and regulatory developments in 2026, it is paramount to understand the key drivers shaping this environment. One significant aspect is the increasing frequency and complexity of SEC Enforcement Actions. These actions are crucial in maintaining market integrity and protecting investors from fraudulent activities.
In recent years, the Securities and Exchange Commission (SEC) has ramped up its efforts, focusing on areas such as insider trading, accounting fraud, misleading disclosures, and other corporate governance failures. By 2026, we can expect this trend to continue, with the SEC employing advanced technologies and data analytics to detect and prosecute violations more effectively.
Another critical area of concern is cybersecurity incidents. With the rapid digital transformation of financial markets, companies are more vulnerable than ever to cyber threats. These incidents can have devastating effects on a company’s stock price and overall market confidence, and can lead to securities class action lawsuits. Consequently, regulatory bodies have become more vigilant, mandating stringent cybersecurity measures and timely reporting of breaches.
By 2026, companies will need to demonstrate robust cybersecurity frameworks to mitigate risks, comply with regulatory requirements, and enhance corporate governance. Failure to do so could result in severe penalties and increased susceptibility to securities class action lawsuits from affected investors.
In addition to SEC Enforcement Actions and cybersecurity incidents, other regulatory developments are also expected to influence securities class actions in 2026. For instance, there may be new regulations aimed at enhancing transparency in corporate governance and financial reporting.
These regulations will likely impose greater accountability on corporate executives and board members, making them more answerable for their actions. Furthermore, advancements in technology will play a pivotal role in both detecting fraudulent activities and defending against securities class action lawsuits. Artificial intelligence and machine learning algorithms will enable regulators and legal professionals to analyze vast amounts of data, identify patterns of misconduct, and build stronger cases.
In conclusion, the future of securities class action lawsuits and regulatory developments will be shaped by a combination of heightened SEC Enforcement Actions, increased focus on cybersecurity incidents, and ongoing regulatory innovations. As companies navigate this complex landscape, they must corporate governance. By doing so, they can protect their interests, maintain investor trust, and contribute to a more secure and transparent financial market.

Regulatory developments and SEC enforcement
- Emphasis on core enforcement. The SEC has signaled a renewed focus on “back-to-basics” enforcement, prioritizing traditional areas like insider trading, accounting fraud, and breaches of fiduciary duty.
- AI and crypto enforcement. New regulatory attention has centered on technologies like AI and cryptocurrency.
  - “AI washing”: The SEC has brought charges against companies that exaggerate their AI capabilities.
  - Crypto regulation: The SEC established a new crypto task force and shifted away from regulation-by-enforcement toward a more consistent regulatory framework for digital assets.
- Individual accountability. Enforcement actions continue to target individual executives, such as the charges brought against former WWE CEO Vince McMahon for failing to disclose settlement agreements. The SEC has also shown a willingness to pursue individual liability in cybersecurity cases, as seen in the lawsuit against SolarWinds’ CISO.
- Scrutiny of disclosure controls. Companies have faced significant penalties for inadequate internal controls and failure to escalate critical information to senior management.
- In January 2025, Two Sigma Investments was fined $90 million for failing to address known vulnerabilities in its algorithmic trading models.
- Presto Automation was also charged with misleading statements about its AI capabilities, though no civil penalty was issued due to its cooperation.
Other Areas the SEC Is Focusing on Enforcement Actions
Core enforcement priorities
Insider trading
- Shadow trading: Building on a 2024 jury verdict, the SEC is actively prosecuting “shadow trading,” where an insider uses confidential information from their company to trade the stock of an “economically linked” company, such as a competitor.
- Individuals and foreign actors: Recent cases demonstrate the SEC’s focus on individuals and foreign actors involved in insider trading, even when the scheme spans multiple countries.
- Rule 10b5-1 plans: A 2024 DOJ trial victory confirmed that trading based on insider information, even under a Rule 10b5-1 trading plan, can lead to prosecution.
Accounting and disclosure fraud
- Inflated financial reporting: The SEC continues to pursue cases against companies and executives for falsifying financial records to inflate performance and for a lack of corporate governance.
- Controls failures: The SEC has levied fines against companies for deficient corporate governance controls that allowed fraud to occur.
- Punishing individual misconduct: In a March 2025 case, the SEC charged a CFO for allegedly falsifying accounting records and lying to an auditor. The company avoided charges partly because its internal controls successfully uncovered the fraud.
Investment advisers
- Breaches of fiduciary duties: The SEC has charged advisers for a variety of fiduciary duty breaches, such as failing to disclose conflicts of interest or misallocating profitable and unprofitable trades between personal and client accounts.
- Targeting fraud: While previous actions targeted registration violations, the current SEC is focusing its limited resources on cases involving demonstrable fraud. For example, the SEC charged a company with fraudulently offering certificates tied to crypto assets that were worth significantly less than claimed.
- Protection of retail investors: The SEC prioritizes cases involving harm to retail investors, with a particular focus on misconduct related to emerging technologies, such as misrepresenting AI capabilities.
New and refined enforcement areas
AI and emerging technologies
- AI washing: The SEC and DOJ have initiated parallel civil and criminal actions against company executives who have allegedly made materially false and misleading statements about their company’s AI capabilities.
- Dedicated unit: The SEC replaced its Crypto Assets and Cyber Unit with the Cyber and Emerging Technologies Unit (CETU). The CETU focuses on technology-driven fraud, including AI washing, social media fraud, account takeovers, and hacking.
Cryptocurrency
- Fraudulent schemes: Enforcement efforts have shifted away from technical registration violations towards combatting fraud and manipulation.
- Higher-profile fraud: Cases now focus on significant scams, such as fraudulent crypto asset pyramid schemes and fake trading platforms.
- Regulatory focus: In 2025, the SEC established a new Crypto Task Force to create clearer regulatory frameworks, suggesting a move toward more transparent regulation rather than solely enforcement.
Market abuse
- Market manipulation schemes: The SEC continues to file complaints against individuals who orchestrate schemes like pump-and-dumps by using deceptive press releases, promotional materials, and manipulative trading tactics.
- Protection of confidential information: Following several high-profile settlements in 2024, the SEC continues to investigate failures to safeguard material non-public information and related market abuse.
Areas of decreased focus
ESG and climate disclosures
- Withdrawal of rules: In a major reversal, the SEC voted in March 2025 to stop defending its climate-related disclosure rules in court.
- Less federal oversight: With the shift in administration, the SEC is expected to reduce its focus on ESG-related enforcement and rulemaking.
Off-channel communications
- Decline in activity: Following a series of large-scale, industry-wide enforcement sweeps in 2024, activity related to “off-channel communications” (such as texting) is expected to decrease in 2025.
Examples of successful insider trading defenses
- The court dismissed claims related to the alleged failure of internal accounting and disclosure controls, ruling that a cybersecurity deficiency does not automatically constitute an “accounting problem”.
- It found that general, public statements about cybersecurity were “corporate puffery” and not specific enough for investors to rely on them.
- The judge also rejected claims that the company’s post-breach disclosures in Form 8-K filings were misleading, acknowledging that the company’s understanding of the incident was still developing at the time.
- Crucially, the defense successfully argued that the two misclassified incidents cited by the SEC were not proof of systemic deficiencies in disclosure controls.
- Case study: In another SEC enforcement action, a defense attorney may argue that a stock sale was conducted automatically and was part of a pre-existing 10b5-1 plan, showing that the insider had no control over the transaction’s timing once the plan was established.
- Case study: In one instance, a corporate executive successfully defended insider trading charges by demonstrating that the information in question had already been disseminated through public sources prior to the trades.
- Case study: In another SEC enforcement action, a defense can show that a trading decision was based on a combination of financial reports, industry trends, and analyst calls, rather than on a single piece of inside information.
Examples of successful accounting fraud defenses in an SEC enforcement action
- Case study: A defendant could show they relied on incorrect, but seemingly legitimate, data, or were acting in good faith based on a legitimate rationale for the trade. Testimony, emails, and other communications can be used to demonstrate an absence of deliberate effort to mislead in an SEC enforcement action.
- Case study: To support this defense against an SEC enforcement action, the defendant must show that all relevant information was shared with their advisor and that the subsequent actions were based on that guidance.
- In the 2017 case Kokesh v. SEC, the Supreme Court ruled that the SEC’s claims for disgorgement are a “penalty” and, therefore, subject to a five-year statute of limitations.
- Impact: This decision has prevented the SEC from pursuing disgorgement for long-running frauds that occurred more than five years prior to the suit.
- Case study: Following the SolarWinds ruling, the defense in an SEC enforcement action can argue that the SEC has improperly applied internal accounting control rules to non-financial matters, such as cybersecurity.
Industries SEC Enforcement Focused on the Most
Financial services
- Conflicts of interest: Scrutiny focuses on conflicts of interest, particularly when advisers recommend high-cost or illiquid products that may benefit the adviser over the client.
- Best interest standards: The SEC reviews whether broker-dealers adhere to Regulation Best Interest (Reg BI) by prioritizing the client’s best interests over their own when making recommendations and by maintaining robust corporate governance.
- Private funds: Examinations of private fund advisers prioritize risks related to market volatility, interest rate changes, and fees and expenses.
- Internal controls: The SEC has levied fines against investment firms for failing to address known vulnerabilities in their algorithmic trading models and for deficiencies in their compliance programs or corporate governance.
Technology
- AI washing: The SEC is actively pursuing cases against companies that exaggerate their AI capabilities to attract investment. Penalties have been levied against executives who mislead investors about their company’s AI capabilities.
- Cybersecurity: The SEC investigates companies for cybersecurity failures, such as deficiencies in internal controls that lead to data breaches and insider trading on the information. The 2025 settlement involving SolarWinds and its CISO suggests the SEC will continue to focus on fraudulent disclosures related to cyber incidents.
- Cryptocurrency: While the SEC shifted away from an enforcement-first approach to crypto, it still targets significant fraud cases involving crypto assets. The agency also works to provide a clear regulatory framework for digital assets through its Crypto Task Force.
Life sciences
- Clinical trial disclosures: Companies must accurately disclose information related to clinical trials, FDA interactions, and product approvals. Misrepresentations in these areas can lead to investigations.
- Insider trading: The abundance of material nonpublic information makes life sciences companies prime targets for SEC Enforcement insider trading investigations, particularly around key events like drug trial results or FDA decisions.
- Financial fraud: Enforcement actions target financial reporting issues, such as inflating sales figures or prematurely recognizing revenue.
Other notable areas
- Market Abuse: Continues to pursue insider trading and market manipulation over lack of corporate governance across all sectors.
- Public Finance Abuse: Focuses on potential fraud related to municipal securities and corporate governance.
- Foreign Corrupt Practices Act (FCPA): Enforcement in this area is less prioritized under the current administration, but companies are still subject to liability.
The Key Elements of a Strong Cybersecurity Program That the SEC Expects Companies to Have
1. Robust risk management and strategy
- Identification and assessment: Companies need to identify, assess, and manage material cybersecurity risks. This involves conducting regular risk assessments that evaluate both the likelihood and potential impact of cybersecurity incidents and cybersecurity program.
- Materiality determination: Companies must have processes in place to determine the materiality of cybersecurity incidents “without unreasonable delay” after discovery.
- Risk mitigation: Companies should implement and manage controls to mitigate identified risks, including regular security audits, continuous monitoring, and updating security measures to adapt to evolving threats.
- Integrating with enterprise risk management: Cybersecurity risk management should be incorporated into the company’s overall enterprise risk management framework and include all cybersecurity incidents.
2. Strong governance and oversight
- Board oversight: The SEC expects boards to have a clear understanding of the company’s cybersecurity risks, strategy, and cybersecurity incidents. This includes detailing the board’s oversight function and the processes for informing the board about cyber threats.
- Management roles and expertise: Companies must disclose management’s role and expertise in assessing and managing material cybersecurity risks, cybersecurity incidents, and the cybersecurity program.
- Communication channels: Robust disclosure controls and procedures ensure that information about cybersecurity incidents is escalated to the appropriate level of management and accurately presented in public filings and statements.
3. Comprehensive incident response and recovery
- Incident detection and analysis: Companies need the ability to detect and analyze potential cybersecurity attacks and compromises in a timely manner.
- Incident management plan: Companies should have a well-defined incident response plan to contain the effects of cybersecurity incidents.
- Reporting and disclosure: Material cybersecurity incidents must be disclosed on Form 8-K within four business days of determining materiality.
- Recovery and restoration: The program should facilitate the restoration of assets and operations affected by an incident.
4. Continuous monitoring and threat protection
- Proactive measures: Implementing technologies for threat detection, monitoring, penetration testing, patch management, and endpoint protection is essential to prevent cybersecurity incidents, along with overall robust corporate governance.
- Regular assessments and audits: Vulnerability assessments, penetration testing, and compliance audits help identify and address security gaps.
- Security policies and procedures: Clear guidelines should cover password management, data encryption, incident response, and acceptable technology use.
5. Third-party risk management
- Vendor assessments: Evaluate and manage cybersecurity risks posed by third-party vendors and service providers.
- Contractual obligations: Include cybersecurity requirements in contracts and ensure compliance with security standards.
6. Security awareness and training
- Employee education: Educate employees about cybersecurity risks, best practices, and the company’s policies and procedures.

Cybersecurity Frameworks Align with SEC Expectations
NIST Cybersecurity Framework (CSF)
- Key functions: The CSF is organized around five core functions:
  - Identify: Understand and manage cybersecurity risk to systems, data, and assets.
  - Protect: Develop and implement safeguards to ensure the delivery of critical services.
  - Detect: Implement continuous monitoring to identify cybersecurity events.
  - Respond: Develop and execute activities to contain the impact of an incident.
  - Recover: Plan for resilience and restore systems or assets affected by a breach.
- Relevance to SEC compliance: The CSF’s structured approach helps companies demonstrate to the SEC that they have a process for:
  - Determining the materiality of cybersecurity incidents “without unreasonable delay.”
  - Maintaining continuous monitoring.
  - Developing effective incident response plans.

ISO/IEC 27001
- Key components: It focuses on the following principles:
  - Confidentiality: Ensuring data is protected from unauthorized access.
  - Integrity: Safeguarding the accuracy and completeness of information.
  - Availability: Ensuring that authorized users have access to information when needed.
- Relevance to SEC compliance: ISO 27001 helps companies:
  - Address third-party risks.
  - Establish detailed processes for managing incidents and assessing risk.
  - Document their security controls and procedures, aligning with the SEC’s focus on demonstrable governance.
Center for Internet Security (CIS) Controls
- Key components: The controls are organized into three categories:
  - Basic: Essential, high-priority safeguards.
  - Foundational: Advanced measures that build upon the basic controls.
  - Organizational: Policy and procedural controls that support the security program.
- Relevance to SEC compliance: The CIS Controls focus on verifiable, actionable security measures that can provide evidence of a company’s commitment to cybersecurity.
COBIT
- Relevance to SEC compliance: COBIT’s focus on governance and risk management aligns directly with the SEC’s requirements for disclosing management’s role in assessing and managing material cybersecurity risks. It helps ensure that cybersecurity is integrated into the company’s overall risk management strategy.
How to use these frameworks for SEC compliance
- Holistic approach: The most effective strategy is often to combine elements from multiple frameworks. For example, a company might use the high-level guidance of NIST CSF for governance while implementing the technical controls recommended by the CIS Controls.
- Tailored implementation: Organizations should adapt frameworks to their specific needs, risk profiles, and business goals. The SEC focuses on whether a company is taking “reasonable” steps to address cybersecurity, and demonstrating a well-reasoned, customized approach shows a stronger commitment than simply following a checklist.
- Documentation: Regardless of the framework used, documenting the program is crucial. Clear, well-maintained documentation of risk assessments, incident response plans, and governance structure can be used as evidence during SEC scrutiny.
Board Reporting on Cybersecurity Incidents
- Cyber risk exposure (quantified): Present the likelihood and potential financial impact of various threat scenarios, such as a ransomware attack or data breach, which could lead to securities class action lawsuits. Metrics can include the Annualized Loss Expectancy (ALE).
- Return on security investment (ROSI): Measure the financial benefit of security investments. Show how implementing new controls or tools has reduced potential losses or improved efficiency.
- Third-party risk score: Report on the average security rating of key vendors and partners over time to show how effectively supply chain risk is being managed.
- Board engagement frequency: Track how often cybersecurity is discussed at board meetings and a company’s alignment with its risk appetite statement.
Performance and operational metrics
- Security posture and maturity: Report on the organization’s cybersecurity maturity level based on a recognized framework like NIST CSF. Show how the posture is trending over time.
- Mean Time to Detect (MTTD): Report the average time it takes to detect a cybersecurity incident. A decreasing MTTD shows improving detection capabilities.
- Mean Time to Respond/Remediate (MTTR): Measure how long it takes to contain a threat and restore systems to normal operation.
- Vulnerability management status: Use a simplified metric, like a “patching cadence grade,” to show how quickly the company applies critical security patches or other matters to prevent securities class actions.
Compliance and corporate governance metrics
- Compliance score: Report a high-level score indicating compliance with relevant regulations and frameworks (e.g., ISO 27001, NIST). Highlight any significant gaps or changes.
- Audit findings: Summarize the findings of recent internal or external audits, noting any high-risk deficiencies and the plan for remediation.
- Employee awareness: Present results from phishing simulations or training completion rates to demonstrate how human risk is being managed.
- Policy violations: Report on the number of security policy violations, focusing on the most severe ones.
Threat landscape metrics
- Industry threat trends: Provide updates on key threats and regulatory changes affecting the industry, explaining how the company is adapting.
- Industry benchmarks: Compare the company’s security posture and key metrics against industry peers to assess competitive standing.
- Intrusion attempts: Report the number of intrusion attempts detected and blocked in a given period to contextualize the threat level.
Best practices for presenting metrics to the board
- Start with an executive summary: Lead with a high-level overview of the most critical risks and the company’s overall security posture.
- Use visualizations: Use dashboards, risk heatmaps, and trendlines to make complex data easy to understand at a glance.
- Align metrics with business strategy: Connect security efforts to business outcomes like revenue protection, customer trust, and operational resilience.
- Focus on trends, not just data: Boards are more interested in whether the company is improving over time than in raw, point-in-time data.
Other Regulatory Developments
Sector-specific regulations
- FTC Safeguards Rule: Enforced by the Federal Trade Commission, this rule requires financial institutions to implement comprehensive information security programs, including specific criteria for risk assessments, encryption, and incident response plans. The FTC’s jurisdiction has expanded beyond traditional banks to include a broader range of financial service providers.
- FDIC: The Federal Deposit Insurance Corporation focuses on protecting consumer confidence in the banking industry by ensuring banks can withstand economic turmoil. In 2024, the FDIC conducted a major analysis to ensure no institution was “too big to fail”.
- NYDFS Cybersecurity Regulation: The New York State Department of Financial Services (NYDFS) requires financial services companies to have robust cybersecurity programs, including risk assessments, written policies, and incident response protocols.
- HIPAA Security Rule: The Health Insurance Portability and Accountability Act (HIPAA) sets security standards for protecting sensitive patient health information. Covered entities and their business associates must implement administrative, physical, and technical safeguards. The Breach Notification Rule also requires timely notifications to affected individuals and authorities.
- DFARS & CMMC: The Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) outline cybersecurity requirements for defense contractors. DFARS mandates the implementation of NIST SP 800-171 controls to safeguard Controlled Unclassified Information (CUI), while CMMC adds a framework of maturity levels based on the sensitivity of the data handled.
State-level data privacy and security laws
- CCPA/CPRA: The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides California residents with rights over their personal information, such as the right to know what data is collected, request deletion, and opt out of data sales.

- SHIELD Act: New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act broadened the definition of private information and requires businesses to implement reasonable safeguards.
Emerging technology regulations
- AI Regulation: The EU’s AI Act, set to take full effect in 2026, regulates AI based on its risk level. The FTC has also taken action against companies for misleading claims about AI capabilities.
- Crypto Regulation: Several federal agencies, including the FTC and the SEC’s Crypto Task Force, have increased their oversight and enforcement activities in the cryptocurrency sector.
Global data privacy (GDPR)
- General Data Protection Regulation (GDPR): This EU regulation affects organizations worldwide that process the personal data of EU residents, imposing strict requirements for data handling and breach notification with potential for significant fines.
Securities Class Action Litigation Trends
- Shift to high-value cases. Plaintiff law firms are increasingly focusing on fewer, but larger, high-stakes cases against major companies where the potential recovery is substantial. This trend is especially pronounced in the tech sector.
- Dominance of mega filings. Mega filings—cases with over $5 billion in losses—accounted for most of the total losses in the first half of 2025.
- AI-related claims surge. AI-related class actions have continued to rise, with many alleging “AI washing”—where companies misrepresent or exaggerate their AI capabilities. These claims have been more resilient to motions to dismiss than traditional securities cases.
- Growth in data security cases. Data breach class action lawsuits continue to increase in complexity and frequency. Courts are becoming more lenient on issues of standing, and multimillion-dollar settlements have become commonplace.
- Recent settlements. Notable 2025 settlements include:
  - A $2.5 million settlement with Panera over a March 2024 data breach.
  - A $700,000 settlement with The Computer Merchant over a November 2023 cyberattack.
Conclusion
In recent years, the landscape of securities class action lawsuits and regulatory developments has evolved significantly, particularly in response to emerging risks and technological advancements. As we look toward 2025, it is clear that companies and their executives must remain vigilant and informed about the latest trends and regulatory expectations to mitigate potential liabilities.
One of the most notable areas of focus has been the enforcement actions by the SEC. The SEC has ramped up its efforts to address fraudulent activities, insider trading, and other violations that undermine market integrity. The rise in SEC Enforcement Actions signals a robust regulatory environment where companies must prioritize compliance and transparency to avoid substantial penalties and reputational damage.
Another critical aspect that has garnered attention is the increasing frequency and severity of cybersecurity incidents. Cybersecurity has become a paramount concern for corporations, investors, and regulators alike. The impact of cybersecurity incidents on shareholder value and corporate reputation can be profound, leading to an uptick in securities class action lawsuits.
Companies are now expected to implement comprehensive cybersecurity measures and disclose any breaches promptly and accurately to their stakeholders. Regulatory bodies have also emphasized the importance of cybersecurity preparedness, prompting organizations to adopt more stringent data protection policies and practices.
Moreover, the regulatory landscape in 2025 is expected to be more dynamic, with continuous updates and new guidelines aimed at addressing emerging risks. As technology evolves, so too do the tactics employed by malicious actors, necessitating ongoing vigilance from both companies and regulators. The integration of artificial intelligence and machine learning in monitoring compliance and detecting anomalies is likely to become more prevalent, offering both opportunities and challenges for organizations striving to stay ahead of potential threats.
In conclusion, navigating the complexities of securities class action lawsuits and regulatory developments requires a proactive approach. Companies must stay abreast of evolving regulations, particularly those related to SEC Enforcement Actions and cybersecurity incidents.
By fostering a culture of compliance, enhancing cybersecurity defenses, and maintaining transparent communication with stakeholders, organizations can better safeguard themselves against legal repercussions and contribute to a more stable and trustworthy market environment as we move further into 2025.
Contact Timothy L. Miles Today for a Free Case Evaluation
If you suffered substantial losses and wish to serve as lead plaintiff in a securities class action, or have questions about governmental regulations or enforcement actions, or just general questions about your rights as a shareholder, please contact attorney Timothy L. Miles of the Law Offices of Timothy L. Miles, at no cost, by calling 855/846-6529 or via e-mail at [email protected] (24/7/365).

