
Cybersecurity Is SEC's Top Enforcement Focus, Officials Say


Securities and Exchange Commission officials addressed enforcement priorities at the agency, including cybersecurity, insider trading and financial reporting, in a panel discussion at the Rocky Mountain Securities Conference in May. The conference is co-sponsored by the SEC and the Business Law Section of the Colorado Bar Association.

Stephanie Avakian, deputy director for the Division of Enforcement, said that the division views cybersecurity violations in “three different buckets.”

The first is when “registrants fail to take appropriate steps to safeguard information.” Violations of Regulations S-P and S-ID would fall into this category.

Second is when material nonpublic information is stolen to gain market advantage.

The last category of cyber violations is when cyber disclosure is false or misleading, “whether or not there’s actually been an incident.”

There have been cases in the first two buckets, Avakian said, but as of early May, “we haven’t brought a case in that third disclosure bucket.”

In enforcements regarding firms’ failures to protect client information and other sensitive data, the agency is looking at whether firms took reasonable steps to prevent breaches, Avakian said. She referred to a case in September with R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially impacted by the breach.

In August 2015, the SEC charged about 40 defendants for trying to steal and trade on material nonpublic information. “It was a spectacular case,” she said, “in large part because we identified it through the use of our own proactive investigation and our own systems designed to detect this kind of conduct.” The insider trading ring itself was “unprecedented” in scope and scale.

When firms become aware of a breach and are hesitant to come forward, Avakian said, their first priority should be to assess the situation and minimize the damage. Part of that includes bringing in the appropriate law enforcement “fairly immediately.”

She said the agency recognizes that the “critical facts” following a breach do change quickly as the firm identifies possible and actual harm done to clients, and when the problem can be contained.

“This sort of moving target can make whether, when and what to disclose to the public quite difficult,” Avakian said. However, as last year’s R.T. Jones case showed, the fact that disclosure is a difficult issue does not excuse a firm that fails to take appropriate steps to protect information.

She noted that in the case of public companies, the agency isn’t “looking to second-guess good-faith disclosure decisions.”

Although the SEC hasn’t brought a case where cyber disclosure was false or misleading, Avakian said that doesn’t mean it wouldn’t, but it would “have to be a significant disclosure failure.”

On insider trading, Joseph Brenner, chief counsel for the Division of Enforcement, said the SEC has brought more than 40 insider trading cases since United States v. Newman in December 2014. That decision specified that a tippee must know the insider received a personal benefit in exchange for confidential information, and it narrowed the definition of personal benefit.

“Newman has caused us to increase our focus on the personal benefit issue insider trading faces,” he said, but he added, “it really hasn’t had the kind of significant impact on what we’re doing that a number of people have predicted.”

He said that courts have decided a personal benefit does not have to be financial to support a charge. “An intention to benefit by the tipper is also sufficient” to be considered insider trading, Brenner said.

For example, investment advice, even if the recipient doesn’t act on it, could be considered a personal benefit, Brenner said.

Avakian said the SEC has renewed its focus on financial reporting, stating that from fiscal year 2013 to FY 2015, the agency has more than doubled its financial reporting actions, from 53 to 114. Avakian said most of those actions involved “charges against individuals, often numerous individuals, often senior executives.”

In the last two years, she said the SEC has brought charges against more than 175 individuals for financial reporting issues.

The agency isn’t focusing only on fraud, but internal controls and auditing standards, too, Avakian said.

Jay Scoggins, assistant regional director for the Division of Enforcement in the SEC’s Denver office and moderator of the panel, noted that in the past, financial reporting enforcements have been “reactive” rather than proactive. Avakian said better technology and data have helped the agency be more proactive. For example, the Division of Economic Risk Analysis developed a corporate risk assessment tool that aggregates corporate financial information to give SEC staff an overview of registrants’ financial reporting so it can detect anomalies.

Scoggins said that when enforcement actions are brought against chief compliance officers, it dissuades people from taking those positions. Brenner said the agency focuses on three kinds of CCO conduct when deciding whether to bring a case.

The biggest one is CCOs engaging in misconduct unrelated to their compliance role, Brenner said.

Other actions include those that are designed to mislead SEC examiners, and “wholesale failure” on the part of the CCO to do something he or she is required to do. That last category has received more attention, Brenner noted, even though it’s “much, much smaller.” In the last 10 years, he said, there have been “only a handful” of cases brought against people in CCO-only types of roles for failing to fulfill their duties.
