Securities and Exchange Commission officials addressed enforcement priorities at the agency, including cybersecurity, insider trading and financial reporting, in a panel discussion at the Rocky Mountain Securities Conference in May. The conference is co-sponsored by the SEC and the Business Law Section of the Colorado Bar Association.
Stephanie Avakian, deputy director for the Division of Enforcement, said that the division views cybersecurity violations in “three different buckets.”
The first is when “registrants fail to take appropriate steps to safeguard information.” Violations of Regulations S-P and S-ID would fall into this category.
Second is when material nonpublic information is stolen to gain market advantage.
The last category of cyber violations is when cyber disclosure is false or misleading, “whether or not there’s actually been an incident.”
There have been cases in the first two buckets, she said, but as of early May, Avakian said, “we haven’t brought a case in that third disclosure bucket.”
In enforcements regarding firms’ failures to protect client information and other sensitive data, the agency is looking at whether firms took reasonable steps to prevent breaches, Avakian said. She referred to a case in September with R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially impacted by the breach.
In August 2015, the SEC charged about 40 defendants for trying to steal and trade on material nonpublic information. “It was a spectacular case,” she said, “in large part because we identified it through the use of our own proactive investigation and our own systems designed to detect this kind of conduct.” The insider trading ring itself was “unprecedented” in scope and scale.
When firms become aware of a breach and are hesitant to come forward, Avakian said, their first priority should be to assess the situation and minimize the damage. Part of that includes bringing in the appropriate law enforcement “fairly immediately.”
She said the agency recognizes that the “critical facts” following a breach do change quickly as the firm identifies possible and actual harm done to clients, and when the problem can be contained.
“This sort of moving target can make whether, when and what to disclose to the public quite difficult,” Avakian said. However, as the case last year with R.T. Jones showed, the fact that it’s a difficult issue doesn’t protect a firm from failing to take appropriate steps to protect information.
She noted that in the case of public companies, the agency isn’t “looking to second-guess good-faith disclosure decisions.”
Although the SEC hasn’t brought a case where cyber disclosure was false or misleading, Avakian said that doesn’t mean it wouldn’t, but it would “have to be a significant disclosure failure.”