Robert A. Cohen, head of the SEC Enforcement Division’s cyber unit, recently spoke on a panel addressing cybersecurity issues at the 2018 Securities Docket Enforcement Forum. He was joined by two former SEC officials, who gave their views on the current enforcement climate relating to cybersecurity, including the Commission’s actions pertaining to regulated entities and public companies who have experienced cyber breaches. The panel was entitled: "Cybersecurity: Enforcement and Regulation of the ‘Greatest Threat to Our Markets Right Now.’"
According to Cohen, when it comes to whether to disclose a cyberattack, the standard is one of reasonableness. He said that SEC staff conducting examinations "pretty much know on day one" if the firm being examined has thought about cybersecurity risks.
Regulated entities. Michael Liftik, former Deputy Chief of Staff of the SEC and currently a partner at Quinn Emanuel Urquhart & Sullivan LLP, discussed the SEC’s rules on cybersecurity as they pertain to regulated entities. While the disclosure obligations of public companies regarding cyberattacks are still evolving, regulated entities are already subject to a number of rules, including Regulation S-P, Regulation S-ID (known as the "Identity Theft Red Flags Rule"), and Regulation SCI, which is the most prescriptive of the cybersecurity rules that apply to regulated entities.
Liftik drew attention to the SEC’s recent enforcement action against Voya Financial Advisors, which was the agency’s first under Reg S-ID. The Iowa-based broker-dealer agreed to pay $1 million to settle charges related to failures in its cybersecurity policies and procedures surrounding a cyber intrusion that compromised its customers’ personal information. According to Liftik, one of the takeaways from the Voya action was that the firm itself was a victim of hacking; however, it had not gone far enough to prevent the hacking.
Liftik also mentioned what he called the "Yoda Rule"; that is, do or do not, there is no try. Voya had actually taken steps to identify phone numbers associated with fraudulent activity; however, they did not bother to follow through with their oversight. Once a firm identifies a risk and designs controls to mitigate it, it must make sure that the controls are actually being implemented, Liftik said.
Self-reporting of cyber breaches. Moderator Dixie L. Johnson of King & Spalding asked at what point a target of a cyberattack should self-report it. Liftik said that his first thought is to inform criminal law enforcement officials. He also observed that sometimes, when an attack is reported, the FBI will ask the targeted entity not to disclose it.
Cohen, echoing a sentiment he has expressed in the past, advised that hoping that the cyberattack stays hidden is not an effective strategy. He also noted that the SEC has good relationships with a number of law enforcement agencies and said that there is always a chance the SEC will be communicating with them.
Public companies. Turning to public companies, Johnson noted that, unlike the regulated entities, public companies do not have a checklist of required actions and are not subject to examination staff quizzing them on their cybersecurity practices. Samuel J. Watson, former assistant chief counsel in the SEC’s Enforcement Division and currently a partner at Proskauer Rose LLP, discussed the SEC’s enforcement action against Yahoo, which paid a $35 million civil penalty to settle charges that it failed to disclose one of the world’s largest data breaches. According to Watson, one key takeaway from the Yahoo case is the fundamental premise that a cybersecurity event can be a material event, which means it triggers disclosure obligations.
Watson also observed that what might not be a securities case on its face can become a securities fraud case if an event is not disclosed. As much as the BP Deepwater Horizon oil spill was an environmental issue, it became a securities fraud issue due to fraudulent public statements by BP. A cyberattack may not directly involve the securities laws, but when it is material and is not disclosed, a securities fraud action can ensue, he said.
Internal controls. The panelists also discussed the SEC’s recent report on "business email compromises" in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. While no issuers were charged, there is a possibility that they could be charged in the future, Watson cautioned. The SEC’s controls regulations under Section 13 of the Exchange Act require that transactions must happen the way that the company intended. It is important that companies implement training programs to combat these threats, Watson said, as they target human vulnerability rather than IT vulnerability.