Just as Steven Peikin, the new co-director of the Securities and Exchange Commission’s Enforcement Division, is warning that cyber risk is “the greatest threat to our markets right now,” the agency’s other co-director, Stephanie Avakian, is citing an “uptick” in cybercrime investigations and has ominously observed that the “cyber threat” will “continue to emerge.”
Despite hopes or fears that a Trump administration SEC would bring a lighter regulatory touch, enforcement actions for failures to protect against cyber threats appear to be an issue everyone at the SEC can get behind.
Indeed, during confirmation hearings for SEC Chairman Jay Clayton earlier this year, no one batted an eye when he said, “As I look across the landscape of discussion and understanding of cyber threats and their possible impact on companies, I question whether the disclosure is where it should be.”
Ironically, current headlines are full of stories about cyberattacks using tools leaked from another federal agency, the National Security Agency. Ransomware such as Petya and WannaCry has hit companies of all types and sizes around the world.
Following the WannaCry outbreak, the SEC’s Office of Compliance Inspections and Examinations published a Ransomware Alert highlighting observations from recent examinations and pointing to guidance for cybersecurity best practices while recognizing that “it is not possible for firms to anticipate and prevent every cyberattack.”
Even so, the Enforcement Division is not shy about suing BDs and IAs for failure to comply with regulations requiring them to have policies and procedures in place.
To be sure, the handful of cases filed so far appear selected to send a message. In September 2015, the SEC brought a settled action against an investment advisor that suffered a “breach that compromised the personally identifiable information of approximately 100,000 individuals, including thousands of the firm’s clients.” The SEC alleged that the advisor had no written-records safeguards policies whatsoever during a four-year period in advance of the breach.
In another highly publicized case in 2016, the SEC alleged that a firm’s employee “impermissibly accessed and transferred the data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties” and offered for sale online.
According to the SEC, the firm did have policies and procedures, but they were “not reasonable” because two internal web portals “allowed its employees to access customers’ confidential account information.” In addition to whatever damages it suffered as a result of the breach, the firm paid $1 million to settle the SEC case.
The regulations requiring firms to have policies to “protect against unauthorized access” to customer records set a very high bar. If a firm is victimized by a hacker or rogue employee who makes off with customer records, the firm’s policies by definition “failed to protect against unauthorized access.” Protection against all breaches is a standard not even the NSA could comply with.
Thankfully, the SEC doesn’t have the resources to pursue every registered entity for every breach of customer data. Nevertheless, the recent comments from Clayton, the enforcement co-directors and OCIE suggest that it is more important than ever to review policies and practices, conduct penetration testing and vulnerability scans, conduct regular system maintenance with installation of software patches and updates, and remain ever vigilant against unauthorized access and use of customer records.