Just as Steven Peikin, the new co-director of the Securities and Exchange Commission’s Enforcement Division, is warning that cyber risk is “the greatest threat to our markets right now,” the agency’s other co-director, Stephanie Avakian, is citing an “uptick” in cybercrime investigations and has ominously observed that the “cyber threat” will “continue to emerge.”
Despite hopes or fears that a Trump administration SEC would bring a lighter regulatory touch, enforcement actions for failures to protect against cyber threats appear to be an issue everyone at the SEC can get behind.
Indeed, during confirmation hearings for SEC Chairman Jay Clayton earlier this year, no one batted an eye when he said, “As I look across the landscape of discussion and understanding of cyber threats and their possible impact on companies, I question whether the disclosure is where it should be.”
Ironically, current headlines are full of stories about cyberattacks using tools leaked from another federal agency, the National Security Agency. Ransomware such as Petya and WannaCry has hit companies of all types and sizes around the world.
Following the WannaCry outbreak, the SEC’s Office of Compliance Inspections and Examinations published a Ransomware Alert highlighting observations from recent examinations and pointing to guidance for cybersecurity best practices while recognizing that “it is not possible for firms to anticipate and prevent every cyberattack.”
Even so, the Enforcement Division is not shy about suing broker-dealers (BDs) and investment advisers (IAs) for failure to comply with regulations requiring them to have policies and procedures in place.