Securities, Government, Corporate, Administrative/Regulatory
Sep. 28, 2017
SEC announces creation of new ‘Cyber Unit’
Nicolas Morgan
Partner, Paul Hastings LLP
Phone: (213) 683-6181
Email: nicolasmorgan@paulhastings.com
Nicolas is a partner in the firm's Litigation Department. He served as senior trial counsel in the SEC's Los Angeles office.
Robert Silvers
Partner, Paul Hastings LLP
Email: robertsilvers@paulhastings.com
Robert is a partner in the firm's White Collar Investigations and Privacy and Cybersecurity practices and is based in the firm's Washington, D.C. office.
Thomas A. Zaccaro
Senior Counsel, Hueston Hennigan LLP
Phone: (213) 788-4039
Email: tzaccaro@hueston.com
Boston College Law School
Thomas is a partner in the firm's Litigation Department. He served as regional trial counsel in the SEC's Los Angeles office.
Adam Reich
Associate, Paul Hastings LLP
Email: adamreich@paulhastings.com
USC Law School
Adam is an associate in the firm's Litigation practice and is based in the Los Angeles office.
Chairman Jay Clayton of the U.S. Securities and Exchange Commission has reaffirmed that “[c]ybersecurity is an area that is vitally important to the SEC.” Clayton made this statement in his first testimony before a Senate committee on Tuesday while also discussing initiatives resulting from a general cybersecurity review that commenced in May. The chairman’s testimony echoes sentiments expressed in June by Steve Peikin, co-director of the SEC’s Enforcement Division, who described cybersecurity as the “greatest threat to our markets.”
The SEC’s acknowledgment of cybersecurity concerns is not new. Under the Obama administration, the SEC brought enforcement actions, performed audits of cybersecurity controls, and issued risk alerts and related advisories. For example, in September 2015, the SEC charged a registered investment adviser for violating Rule 30(a) of Regulation S-P under the Securities Act of 1933, aka the “Safeguards Rule,” because of a failure to establish adequate cybersecurity policies and procedures in advance of a cyber-breach. In 2016, the SEC similarly charged a registered broker dealer and its principals with violating the rule because they had used personal email addresses for business matters and did not have adequate written procedures to protect personally identifiable information. Months later, the SEC announced an unprecedented $1 million penalty for an investment advisory firm that failed to take adequate steps to protect investors’ personally identifiable information.
While expressions of concern regarding cybersecurity are not necessarily new, SEC cybersecurity enforcement is certainly trending upward. Indeed, just last month, the SEC’s Office of Compliance Inspections and Examinations issued a report detailing the results of a cybersecurity examination of 75 registered investment firms, and noted that “cybersecurity remains one of the top compliance risks for financial firms.” While most firms had cybersecurity policies and procedures, according to OCIE, a majority failed to adhere to those policies in practice by neglecting to provide sufficient instruction to employees and failing to conduct required training and reviews.
The SEC’s announcement on Monday that it has created a new Cyber Unit to specifically target cyber-related misconduct, coupled with Clayton’s testimony the following day, suggests that this trend is just beginning. Both the announcement and the testimony deserve special focus.
The SEC’s New Cyber Unit
The newly announced SEC Cyber Unit has reportedly “been in the planning stages for months,” and will be helmed by Robert A. Cohen, former co-chief of the SEC’s Market Abuse Unit. The SEC has identified six specific cyber misconduct examples that the Cyber Unit will target: (1) market manipulation schemes involving false information spread through electronic and social media; (2) hacking to obtain material nonpublic information; (3) violations involving distributed ledger technology and initial coin offerings; (4) misconduct perpetrated using the dark web; (5) intrusions into retail brokerage accounts; and (6) cyber-related threats to trading platforms and other critical market infrastructure.
According to Stephanie Avakian, co-director of the SEC’s Enforcement Division, the Cyber Unit “will enhance [the SEC’s] ability to detect and investigate cyber threats through increasing expertise in an area of critical national importance.” Avakian’s comments are noteworthy, as she has been outspoken regarding cyber crimes for several months, noting back in June that the “cyber threat” to the nation’s markets and investors “will continue to emerge,” and that there has been an “uptick” in SEC cyber-crime investigations.
Seemingly, the Cyber Unit will enable this “uptick” to continue, perhaps even at a more fervent pace.
Chairman Clayton’s Cybersecurity Testimony
While Chairman Clayton’s Sept. 26 testimony addressed many topics, his decision to address cybersecurity before all other topics further confirms that cybersecurity is at the apex of the SEC’s priority list. Indeed, according to Clayton, upon joining the SEC in May, he initiated an assessment of the SEC’s cybersecurity risk profile and preparedness. That assessment, while ongoing, appears to have spurred the chairman’s testimony and the creation of the Cyber Unit.
One of the principal results of the SEC’s cybersecurity assessment has been the discovery of a possible intrusion into the test filing component of the SEC’s EDGAR system in 2016. This intrusion is especially concerning because EDGAR “is a critical component of our disclosure-based market system and accepts filings virtually continuously during the week.” Indeed, according to Clayton, the intruder(s) may have been able to access nonpublic EDGAR filing information to use for illicit trading gains.
While the investigation into the EDGAR intrusion is ongoing, the chairman testified that the SEC presently believes the intrusion did not result in unauthorized access to personally identifiable information, jeopardize SEC operations, or cause systemic risk. Nevertheless, Clayton has formally requested that the Office of the Inspector General begin a review into what led to the intrusion, the scope of any compromised nonpublic information and the SEC’s response efforts, and provide recommendations to the SEC for remediation. He has also authorized the hiring of additional staff to protect the SEC network, systems, and data, and directed existing staff to “enhance our escalation protocols for cybersecurity incidents.”
In addition to discussing the 2016 EDGAR intrusion, Clayton testified that he is concerned about the adequacy of company disclosures to investors concerning cybersecurity risks: “I still am not confident that the Main Street investor has received a sufficient package of information from issuers, intermediaries and other market participants to understand the substantial risks resulting from cybersecurity and related issues.”
Based on this concern, Clayton noted that the SEC is “continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and [] will investigate issuers that mislead investors about material cybersecurity risks or data breaches.”
Conclusion
Chairman Clayton’s testimony and the SEC’s announcement of a new Cyber Unit are significant. Two takeaways stand out: First, the testimony and public announcement confirm that it is not sufficient for public companies and regulated entities to have a theoretical plan for addressing cyber incidents or to rely on generic risk disclosure statements. The SEC’s expectation appears to be that regulated entities create comprehensive cybersecurity programs mapped against the elements identified by the SEC as areas of concern, and that regulated entities issue clear public disclosures that inform investors of cybersecurity risks. Second, the SEC’s focus on cybersecurity and protection of personally identifiable information is not going to subside. Cybersecurity is a front-burner issue for the SEC, and, as a result, public companies and regulated entities should expect more regulatory inquiries, and an increase — maybe even an exponential increase — in related enforcement actions.