What to Expect from the SEC as Cybersecurity Hits the Docket

The New York Times reported on Sunday that the Securities and Exchange Commission has enforcement with cybersecurity implications on the schedule.  The authors speculated about something that we have all known for years, the SEC is going for high-profile or impact cases. Currently, this means addressing cybersecurity.  Today’s enforcement surrounding Insider Trading and Fraud on the part of a number of market participants is only the beginning, and we expect to see more “cyber impact” enforcements in the coming months. Avoid entanglement with regulators by considering these points.

In their article “On the Defensive, the S.E.C. Quietly Pursues High-Profile Cases,” Alexandra Stevenson and Matthew Goldstein state:

In one case, the S.E.C., in tandem with other authorities, is poised to file charges soon in an unusual investigation that combines insider trading with cybersecurity, according to people briefed on the investigation but not authorized to speak publicly.

Today, we know the specifics of this enforcement.  Beyond this news, we have heard mention of Insider Trading, Intellectual Property, and Cybersecurity from Commissioner Aguilar lately.  In the Commissioner’s recent keynote address at the SINET Innovation Summit in June, Mr. Aguilar referenced the nefarious activities of the “FIN 4” Group, which had reportedly employed spear-phishing tactics in an attempt to steal confidential information regarding market impacting news and merger negotiations from over 100 companies.  (See Aguilar Discusses Cybersecurity Enforcement)

The Commissioner stated in no uncertain terms, that the SEC is heading down the road of examining data breach:

It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches. Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.

Accordingly, it should be no surprise to investment advisers, broker dealers, or financial services companies that the SEC is going to press the enforcement side of the cybersecurity initiative.  This is clear following the Division of Investment Management’s Cybersecurity Guidance Alert of late April in which the SEC tied IT security failures to current rules and regulations, paving the way for this connection in future enforcements.  (See SEC Offers Cybersecurity Guidance).

What Can Firms do Today?

While it may take several years for the tenor of the SEC cybersecurity enforcement to be fully understood, there are already some things SEC-governed entities can do, like conducting firm assessments, to avoid certain major pitfalls and reduce both business and regulatory risk.

  1. Management of breach and proper disclosures:  Two of the first questions a CCO or General Counsel can expect based on the Cybersecurity Sweep Document request and FINRA’s Risk Control Assessment:
  • Have you been breached?
  • How did you manage it? 

In addition to facing legal liability for failing to disclose breach of Personal Identifiable Information (PII) per specific State requirements, the SEC will likely now emphasize the disclosure of material cybersecurity events to both the Agency and investors.  The most sensitive notion here may be the “omission” of such disclosure and the potential tie to the concept of Fraud as defined in the Investment Advisers Act of 1940.  The rationale being: if you have had breach, you need to manage it appropriately, including considering the extent of disclosures.  Remember, the SEC, through the Guidance Alert has already asked investors to periodically assess “the impact should the information or technology systems become compromised.”

  1. Securing Intellectual Property (IP) of clients and third parties:  Shifting concerns of securing data to areas outside of PII could become critical for firms based upon Privacy and Confidentiality representations to both clients and business partners.  The Times Article suggests this may be fodder for the SEC in the future:

In its cybersecurity case, the investigation centers on whether overseas hackers broke into the networks of American companies to secure inside information about corporate deals, later passing on that information to traders.

Failing to secure sensitive information, especially if it results in damages, could be of chief concern for regulators going forward.  Investment advisers and broker-dealers should already be taking this into account vis-à-vis their Data Classification Policy or Program, which is the first assessment suggested in the Guidance Alert:  “the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses.”

An example of the types of sensitive information that the SEC wants firms to protect, in addition to PII, includes that which pertains to any confidential investment processes, investment in early stage (venture) scenarios, scaling-up to private corporations or Private Equity investments in portfolio companies.  Of course, Commissioner Aguilar and the Times, are also likely referencing inside information such as material non-public information (MNPI) for public companies.  No matter how you slice it, failing to protect such information/data, especially if it results in damages, could be an avenue for enforcement.

  1. Failure of process:  The SEC has made it clear that all firms should have policies and procedures in place with respect to IT Security.  As stated in the DIM Guidance, every firm needs to:

Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.

Since many financial firms have minimal programs in place and are just coming up to speed on IT security issues, it will be no surprise to see the SEC reference Rule 206(4)-7 and the failure “to adopt and implement written policies and procedures reasonably designed to prevent violation of federal securities law.”  The DIM Guidance referenced the areas of identity theft, fraud, and business continuity, all of which can be tied, in the event of failures, to existing law and the concept of fiduciary responsibility.

In addition to connecting IT security/cybersecurity enforcement to existing rules and regulations, we expect the SEC and other regulators to emphasize the much ballyhooed subjects of Public and Private and interagency cooperation.  The SEC will also likely rely on existing precedent from Gramm-Leach-Bliley and the resultant FTC Safeguards Rule.  Regardless of what direction the SEC heads specifically, today’s enforcement is an announcement that it is “open season” on cyber issues.  Regulated entities ignore this salvo at their peril.

As cybersecurity best practices and expectations translate to issues of enforcement, we are available to discuss the measures your firm can take to reduce both business and regulatory risk.

For Further Reading:

SEC Charges 32 Defendants in Scheme to Trade on Hacked News Releases

The New York Times “On The Defensive, The SEC Quietly Pursues High Profile Cases” – August 9th, 2015

Aguilar Discusses Cybersecurity and Enforcement

SEC Offers Cybersecurity Guidance

Division of Investment Management Guidance Alert