
SEC Highlights Its Cybersecurity Efforts


In a panel on Friday at the Rocky Mountain Securities Conference, SEC leaders addressed enforcement priorities at the agency, including cybersecurity, insider trading and financial reporting.

Stephanie Avakian, deputy director for the Division of Enforcement, said that the division views cybersecurity violations in “three different buckets.”

The first is when “registrants fail to take appropriate steps to safeguard information.” Violations of Regulations S-P and S-ID would fall into this category.

Second is when material nonpublic information is stolen to gain market advantage.

The last category of cyber violations is when cyber disclosure is false or misleading, “whether or not there’s actually been an incident.”

There have been cases in the first two buckets, she said, but as of early May, Avakian said “we haven’t brought a case in that third disclosure bucket.”

In enforcement actions regarding firms’ failures to protect client information and other sensitive data, the agency is looking at whether firms took reasonable steps to prevent breaches, Avakian said. She referred to the case in September of R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially impacted by the breach.

In August 2015, the SEC charged about 40 defendants for trying to steal, and for trading on, material nonpublic information. “It was a spectacular case,” she said, “in large part because we identified it through the use of our own proactive investigation and our own systems designed to detect this kind of conduct.” The insider trading ring itself was “unprecedented” in scope and scale.

When firms become aware of a breach and are hesitant to come forward, Avakian said, their first priority should be to assess the situation and minimize the damage. Part of that includes bringing in the appropriate law enforcement “fairly immediately.”

She said the agency recognizes that the “critical facts” following a breach do change quickly as the firm identifies possible harm and actual harm done to clients, and when the problem can be contained.

“This sort of moving target can make whether, when and what to disclose to the public quite difficult,” Avakian said. However, as the case last year with R.T. Jones showed, the fact that it’s a difficult issue doesn’t protect a firm from failing to take appropriate steps to protect information.

She noted that in the case of public companies, the agency isn’t “looking to second-guess good-faith disclosure decisions.”

Although the SEC hasn’t brought a case where cyber disclosure was false or misleading, Avakian said that doesn’t mean it wouldn’t, but it would “have to be a significant disclosure failure” to bring a case.

On insider trading, Joseph Brenner, chief counsel for the Division of Enforcement, said that since the United States v. Newman insider trading case in December 2014, which specified that a tippee must have knowledge that an inside trader received a personal benefit in exchange for confidential information and narrowed the definition of personal benefit, the SEC has brought more than 40 insider trading cases.

“Newman has caused us to increase our focus on the personal benefit issue insider trading faces,” he said, but he added, “it really hasn’t had the kind of significant impact on what we’re doing that a number of people have predicted.”

He said that courts have decided that personal benefits don’t have to be financial to have standing. “An intention to benefit by the tipper is also sufficient” to be considered insider trading, Brenner said.

For example, investment advice, even if the recipient doesn’t act on the advice, could be considered a personal benefit, Brenner said.

Avakian said the SEC has renewed its focus on financial reporting, stating that from fiscal year 2013 to FY 2015, the agency has more than doubled actions from 53 to 114. “Most of our actions in this space involve charges against individuals, often numerous individuals, often senior executives in addition to the company,” Avakian said.

In the last two years, she said the SEC has brought charges against more than 175 individuals for issues with financial reporting.

The agency isn’t focusing only on fraud, but internal controls and auditing standards, too, Avakian said.

Jay Scoggins, assistant regional director for the Division of Enforcement in the SEC’s Denver office and moderator of the panel, noted that in the past, financial reporting enforcements have been “reactive” rather than proactive. Avakian said that the Financial Reporting and Audit Group is one response to that issue. The FRAUD group identifies and investigates potential fraud issues and refers them to appropriate staffers.

She said technology and data have also helped the agency be more proactive. For example, the Division of Economic Risk Analysis developed a corporate risk assessment tool that aggregates corporate financial information to give SEC staff an overview of registrants’ financial reporting so it can detect anomalies.

The whistleblower program has resulted in a “significant number” of tips that are “often quite thoughtful” and has resulted in cases, Avakian said.

Last year, the SEC awarded $37 million to whistleblowers in cases that led to enforcement actions with sanctions that totaled more than $100 million. It also awarded its first payment to an outsider who conducted an independent investigation of a firm that led to a successful enforcement.

So far in 2016, the agency has paid three whistleblower awards totaling almost $2 million.

The SEC received roughly 4,000 tips last year from the whistleblower program. Avakian said the agency receives approximately 15,000 tips per year.

The most common complaints are in corporate fraud and market manipulation.

Scoggins said that when enforcement actions are brought against the chief compliance officer, talented people are dissuaded from taking those positions. Brenner said that the agency focuses on three actions by CCOs when deciding whether to bring a case.

The biggest one is CCOs engaging in misconduct unrelated to their compliance role, Brenner said.

Other actions include those that are designed to mislead SEC examiners, and “wholesale failure” on the part of the CCO to do something he or she is required to do. That last category has received more attention, Brenner noted, even though it’s “much, much smaller.” In the last 10 years, he said, there have been “only a handful” of cases brought against people in CCO-only types of roles for failing to fulfill their duties.

Last year, there were two such cases, “but that’s still less than 1% of people who the commission charged last year in investment advisor-related cases.”
