SEC announces creation of new ‘Cyber Unit’

Chairman Jay Clayton of the U.S. Securities and Exchange Commission has reaffirmed that “[c]ybersecurity is an area that is vitally important to the SEC.” Clayton made this statement in his first testimony before a Senate committee on Tuesday while also discussing initiatives resulting from a general cybersecurity review that commenced in May. The chairman’s testimony echoes sentiments expressed in June by Steve Peikin, co-director of the SEC’s Enforcement Division, who described cybersecurity as the “greatest threat to our markets.”

The SEC’s acknowledgment of cybersecurity concerns is not new. Under the Obama administration, the SEC brought enforcement actions, performed audits of cybersecurity controls, and issued risk alerts and related advisories. For example, in September 2015, the SEC charged a registered investment adviser for violating Rule 30(a) of Regulation S-P under the Securities Act of 1933, aka the “Safeguards Rule,” because of a failure to establish adequate cybersecurity policies and procedures in advance of a cyber-breach. In 2016, the SEC similarly charged a registered broker dealer and its principals with violating the rule because they had used personal email addresses for business matters and did not have adequate written procedures to protect personally identifiable information. Months later, the SEC announced an unprecedented $1 million penalty for an investment advisory firm that failed to take adequate steps to protect investors’ personally identifiable information.

While expressions of concern regarding cybersecurity are not necessarily new, SEC cybersecurity enforcement is certainly trending upward. Indeed, just last month, the SEC’s Office of Compliance Inspections and Examinations issued a report detailing the results of a cybersecurity examination of 75 registered investment firms, and noted that “cybersecurity remains one of the top compliance risks for financial firms.” While most firms had cyber security policies and procedures, according to OCIE, a majority failed to adhere to those policies in practice by neglecting to provide sufficient instruction to employees, and failing to conduct required training and reviews.

The SEC’s announcement on Monday that it has created a new Cyber Unit to specifically target cyber-related misconduct, coupled with Clayton’s testimony the following day, suggests that this trend is just beginning. Both the announcement and the testimony deserve special focus.

The SEC’s New Cyber Unit

The newly announced SEC Cyber Unity has reportedly “been in the planning stages for months,” and will be helmed by Robert A. Cohen, former co-chief of the SEC’s Market Abuse Unit. The SEC has identified six specific cyber misconduct examples that the Cyber Unit will target: (1) market manipulation schemes involving false information spread through electronic and social media; (2) hacking to obtain material nonpublic information; (3) violations involving distributed ledger technology and initial coin offerings; (4) misconduct perpetrated using the dark web; (5) intrusions into retail brokerage accounts; and (6) cyber-related threats to trading platforms and other critical market infrastructure.

According to Stephanie Avakian, co-director of the SEC’s Enforcement Division, the Cyber Unit “will enhance [the SEC’s] ability to detect and investigate cyber threats through increasing expertise in an area of critical national importance.” Avakian’s comments are noteworthy, as she has been outspoken regarding cyber crimes for several months, noting back in June that the “cyber threat” to the nation’s markets and investors “will continue to emerge,” and that there has been an “uptick” in SEC cyber-crime investigations.

Seemingly, the Cyber Unit will enable this “uptick” to continue, perhaps even at a more fervent pace.

Chairman Clayton’s Cybersecurity Testimony

While Chairman Clayton’s Sept. 26 testimony addressed many topics, his decision to address cybersecurity before all other topics further confirms that cybersecurity is at the apex of the SEC’s priority list. Indeed, according to Clayton, upon joining the SEC in May, he initiated an assessment of the SEC’s cybersecurity risk profile and preparedness. That assessment, while ongoing, appears to have spurred the chairman’s testimony and the creation of the Cyber Unit.

One of the principal results of the SEC’s cybersecurity assessment has been the discovery of a possible intrusion into the test filing component of the SEC’s EDGAR system in 2016. This intrusion is especially concerning because EDGAR “is a critical component of our disclosure-based market system and accepts filings virtually continuously during the week.” Indeed, according to Clayton, the intruder(s) may have been able to access nonpublic EDGAR filing information to use for illicit trading gains.

While the investigation into the EDGAR intrusion is ongoing, the chairman testified that the SEC presently believes the intrusion did not result in unauthorized access to personally identifiable information, jeopardize SEC operations, or cause systemic risk. Nevertheless, Clayton has formally requested that the Office of the Inspector General begin a review into what led to the intrusion, the scope of any compromised nonpublic information and the SEC’s response efforts, and provide recommendations to the SEC for remediation. He has also authorized the hiring of additional staff to protect the SEC network, systems, and data, and directed existing staff to “enhance our escalation protocols for cybersecurity incidents.”

In addition to discussing the 2016 EDGAR intrusion, Clayton testified that he is concerned about the adequacy of company disclosures to investors concerning cybersecurity risks: “I still am not confident that the Main Street investor has received a sufficient package of information from issuers, intermediaries and other market participants to understand the substantial risks resulting from cybersecurity and related issues.”

Based on this concern, Clayton noted that the SEC is “continuing to examine whether public companies are taking appropriate action to inform investors, including after a breach has occurred, and [] will investigate issuers that mislead investors about material cybersecurity risks or data breaches.”

Conclusion

Chairman Clayton’s testimony and the SEC’s announcement of a new Cyber Unit are significant. Two takeaways stand out: First, the testimony and public announcement confirm that it is not sufficient for public companies and regulated entities to have a theoretical plan for addressing cyber incidents or to rely on generic risk disclosure statements. The SEC’s expectation appears to be that regulated entities create comprehensive cybersecurity programs mapped against the elements identified by the SEC as areas of concern, and that regulated entities issue clear public disclosures that inform investors of cybersecurity risks. Second, the SEC’s focus on cybersecurity and protection of personally identifiable information is not going to subside. Cybersecurity is a front-burner issue for the SEC, and, as a result, public companies and regulated entities should expect more regulatory inquiries, and an increase — maybe even an exponential increase — in related enforcement actions.