The Securities and Exchange Commission (SEC) has set up two new cybersecurity initiatives, but experts disagree on whether they will lead to more cyber cases.
Clearly, the SEC wants to show that even with the well-publicized breach of its EDGAR system, cybersecurity remains a priority as it sets up the new cyberunit and cybersecurity working group.
“The new cyberunit – though focused largely on retail investor issues – demonstrates the SEC’s increasing teeth in these areas and reminds regulated entities that they ignore their cybersecurity responsibilities at their own peril,” Jacob Hale Russell, a professor at Rutgers Law School, told ThinkAdvisor. “The SEC’s increased efforts should make clear to regulated entities that they must have adequate plans in place not only to make breaches less likely, but also to mitigate consequences of breaches that nonetheless occur.”
Still, there are questions on how many cases will be brought by the new cyberunit. A former SEC attorney who asked to remain anonymous explained to ThinkAdvisor:
- It is not clear how many SEC staff will be assigned to the cyberunit.
- Would the cases that are brought have been brought anyway from another part of the SEC?
- Will the staff who are assigned to the cyberunit be assigned there full-time, or will they have shared responsibilities with other units?
Also, this is not the first time the SEC has set up a cyberunit.
But now, the commission may show more of a commitment. “Unlike the SEC’s first specialized cyberunit, which was shuttered as part of an agency-wide reorganization in 2010, the new cyberunit seems likely to be well-resourced, well-staffed, and take point on high-technology threats to the capital markets and the investing public,” says Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft who was previously a federal prosecutor.
“And expect the new cyberunit to be front-and-center in terms of resources and priorities,” he added.
“The cyberunit will bring increased focus to this area and likely more enforcement actions,” agrees Denver G. Edwards, an attorney at Bressler, Amery & Ross who formerly worked as an attorney in the SEC’s Enforcement Division. “The cyberunit, if the previous five specialized units are a guide, will hire staff with expertise in cybersecurity, leverage data analytics to identify anomalous trading that may have resulted from unauthorized intrusions, and bring cases.”
Edwards said initial cases may arise from violations, such as: failure to have/follow robust cybersecurity policies and procedures, and failure to establish appropriate controls; failure to perform sufficient periodic assessments of cyber procedures and measures; and failure to protect networks containing non-public customer information with appropriate technology and procedures.