In a panel on Friday at the Rocky Mountain Securities Conference, SEC leaders addressed enforcement priorities at the agency, including cybersecurity, insider trading and financial reporting.
Stephanie Avakian, deputy director for the Division of Enforcement, said that the division views cybersecurity violations in “three different buckets.”
The first is when “registrants fail to take appropriate steps to safeguard information.” Violations of Regulations S-P and S-ID would fall into this category.
Second is when material nonpublic information is stolen to gain market advantage.
The last category of cyber violations is when cyber disclosure is false or misleading, “whether or not there’s actually been an incident.”
There have been cases in the first two buckets, Avakian said, but as of early May, “we haven’t brought a case in that third disclosure bucket.”
In enforcement actions regarding firms’ failures to protect client information and other sensitive data, the agency is looking at whether firms took reasonable steps to prevent breaches, Avakian said. She referred to the September case of R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially impacted by the breach.
In August 2015, the SEC charged about 40 defendants with trying to steal, and trading on, material nonpublic information. “It was a spectacular case,” she said, “in large part because we identified it through the use of our own proactive investigation and our own systems designed to detect this kind of conduct.” The insider trading ring itself was “unprecedented” in scope and scale.
When firms become aware of a breach and are hesitant to come forward, Avakian said, their first priority should be to assess the situation and minimize the damage. Part of that includes bringing in the appropriate law enforcement “fairly immediately.”
She said the agency recognizes that the “critical facts” following a breach do change quickly as the firm identifies possible harm and actual harm done to clients, and when the problem can be contained.
“This sort of moving target can make whether, when and what to disclose to the public quite difficult,” Avakian said. However, as the case last year with R.T. Jones showed, the fact that it’s a difficult issue doesn’t excuse a firm’s failure to take appropriate steps to protect information.
She noted that in the case of public companies, the agency isn’t “looking to second-guess good-faith disclosure decisions.”
Although the SEC hasn’t brought a case where cyber disclosure was false or misleading, Avakian said that doesn’t mean it wouldn’t, but it would “have to be a significant disclosure failure” to bring a case.
On insider trading, Joseph Brenner, chief counsel for the Division of Enforcement, said that the SEC has brought more than 40 insider trading cases since the United States v. Newman insider trading case in December 2014. That case specified that a tippee must have knowledge that an inside trader received a personal benefit in exchange for confidential information, and it narrowed the definition of personal benefit.
“Newman has caused us to increase our focus on the personal benefit issue insider trading faces,” he said, but he added, “it really hasn’t had the kind of significant impact on what we’re doing that a number of people have predicted.”
He said that courts have decided that personal benefits don’t have to be financial to have standing. “An intention to benefit by the tipper is also sufficient” to be considered insider trading, Brenner said.
For example, investment advice, even if the recipient doesn’t act on the advice, could be considered a personal benefit, Brenner said.