The Securities and Exchange Commission (SEC) has set up two new cybersecurity initiatives, but experts disagree on whether they will lead to more cyber cases.
Clearly, the SEC wants to show that even with the well-publicized breach of its EDGAR system, cybersecurity remains a priority as it sets up the new cyberunit and cybersecurity working group.
“The new cyberunit – though focused largely on retail investor issues – demonstrates the SEC’s increasing teeth in these areas and reminds regulated entities that they ignore their cybersecurity responsibilities at their own peril,” Jacob Hale Russell, a professor at Rutgers Law School, told ThinkAdvisor. “The SEC’s increased efforts should make clear to regulated entities that they must have adequate plans in place not only to make breaches less likely, but also to mitigate consequences of breaches that nonetheless occur.”
Still, there are questions on how many cases will be brought by the new cyberunit. A former SEC attorney who asked to remain anonymous explained to ThinkAdvisor:
- It is not clear how many SEC staff will be assigned to the cyberunit.
- Would the cases that are brought have been brought anyway from another part of the SEC?
- Will the staff who are assigned to the cyberunit be assigned full-time there, or, will they have shared responsibilities with other units?
Also, this is not the first time the SEC has set up a cyberunit.
But now, the commission may show more of a commitment. “Unlike the SEC’s first specialized cyberunit, which was shuttered as part of an agency-wide reorganization in 2010, the new cyberunit seems likely to be well-resourced, well-staffed, and take point on high-technology threats to the capital markets and the investing public,” says Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft and a former federal prosecutor.
“And expect the new cyberunit to be front-and-center in terms of resources and priorities,” he added.
“The cyberunit will bring increased focus to this area and likely more enforcement actions,” agrees Denver G. Edwards, an attorney at Bressler, Amery & Ross who formerly worked as an attorney in the SEC’s Enforcement Division. “The cyberunit, if the previous five specialized units are a guide, will hire staff with expertise in cybersecurity, leverage data analytics to identify anomalous trading that may have resulted from unauthorized intrusions, and bring cases.”
Edwards said initial cases may arise from violations, such as: failure to have/follow robust cybersecurity policies and procedures, and failure to establish appropriate controls; failure to perform sufficient periodic assessments of cyber procedures and measures; and failure to protect networks containing non-public customer information with appropriate technology and procedures.
In explaining the reason for setting up the cyberunit, SEC Enforcement Division Co-Director Stephanie Avakian earlier this year said it “arises in large part from the increasing frequency with which we are seeing cyber-related misconduct affecting the securities markets, and also the increasing complexity of these cases.”
Another area of enforcement interest, Avakian says, is cases “involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity.” The SEC rules “require registered entities to have reasonable safeguards in place to address cybersecurity threats. These rules are risk-based and flexible, and require firms to understand the risks they face and take reasonable steps to address those risks.”
Moreover, for financial advisory firms looking for guidance, the SEC examination programs are where they will get “real guidance” about cybersecurity programs, advises Robert Plaze, an attorney at Proskauer Rose who formerly was deputy director of the SEC’s Division of Investment Management.
A 2017 SEC exam report on 75 financial firms noted there was an “overall improvement in firms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices.”
Yet, “a number of firms” “did not appear to fully remediate some of the high-risk observations that they discovered from … tests and scans,” the report adds. “[W]hile the vast majority of broker-dealers maintained plans for data breach incidents and most had plans for notifying customers of material events, less than two thirds of the advisers and funds appeared to maintain such plans.”
“Most sophisticated broker-dealers and investment advisers already have rigorous systems and procedures to reduce the chance of unauthorized intrusions,” adds Andrew Vollmer, a law professor at the University of Virginia who formerly was deputy general counsel at the SEC. “They should have policies and procedures to test any change to computer systems and to monitor for mistaken data entries.”