Cybersecurity and the SEC
The SEC’s Cyber Unit Pursues Civil Claims Against Regulated Companies and Others Suspected of Compromising Investors’ Personal Information
Companies of all types have obligations under federal securities laws. This includes both public and private companies, and it includes stock issuers, brokerage firms, and cryptocurrency developers—among many others. While these obligations largely relate to the issuance of securities and trading activity, they cover many other areas as well. One particular area of emphasis for the U.S. Securities and Exchange Commission (SEC) in recent years has been cybersecurity.
In 2017, the SEC Enforcement Division established an all-new Cyber Unit. The Cyber Unit has civil enforcement authority, and it uses this authority to investigate regulated companies, brokerage firms and others suspected of cybersecurity-related violations. As listed by the SEC, the Cyber Unit’s priorities include:
- Cybersecurity controls at regulated entities
- Issuer disclosures of cybersecurity incidents and risks
- Trading on the basis of hacked nonpublic information
- Violations involving digital assets, initial coin offerings and cryptocurrencies
- Cyber-related manipulations such as brokerage account takeovers and market manipulation using social media platforms
With these priorities in mind, companies and firms that are subject to the SEC’s oversight need to ensure that they are doing everything necessary to meet the commission’s expectations. Crucially, failure to do so can not only lead to civil enforcement action by the SEC but also, when warranted, to referral by the SEC’s Cyber Unit to the Federal Trade Commission (FTC), the Federal Bureau of Investigation (FBI), and the U.S. Department of Justice (DOJ) for investigation and enforcement.
The SEC Provides Guidance for Regulated Companies Through “Risk Alerts”
The SEC provides guidance to companies and firms regarding cybersecurity compliance via the issuance of “Risk Alerts”. It has issued several Risk Alerts in recent years. The SEC’s recent Risk Alerts are instructive on a number of key issues, and those that are subject to SEC oversight will be well-served to take the SEC’s guidance into account, reevaluate their cybersecurity programs, and make any updates or modifications that are necessary.
1. Safeguarding Client Accounts and Use of Third-Party Security Features
On May 23, 2019, the SEC issued a Risk Alert entitled, Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features. On September 15, 2020, it issued a Risk Alert entitled, Safeguarding Client Accounts Against Credential Compromise. Together, these two documents provide a significant amount of guidance (and establish significant expectations) for broker-dealers and investment advisors.
For example, with regard to brokerage and advisory firms’ use of cloud-based and other third-party remote storage applications, the May 23, 2019 Risk Alert identifies three primary concerns: (i) “misconfigured network storage solutions” (improper configuration of security settings potentially facilitating unauthorized access, as well as lack of policies and procedures addressing network security configurations); (ii) “inadequate oversight of vendor-provided network storage solutions” (failure to implement policies, procedures, and contractual provisions that ensure proper configuration of vendor-provided storage); and, (iii) “insufficient data classification policies and procedures” (adoption of policies and procedures that are inadequate to identify different types of data and ensure the application of appropriate cybersecurity protections for each type).
In addition to identifying areas of concern, the May 23, 2019 Risk Alert also provides some examples of effective cybersecurity practices. However, the SEC’s guidance here is general in nature (e.g. recommending that companies adopt “[g]uidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly”)—thus leaving brokerage and advisory firms to make their own determinations with regard to what is necessary in light of the types of data they store and the unique cybersecurity risks they face within their operations.
The SEC’s September 15, 2020 Risk Alert shifts its focus away from network security policies, procedures, and protocols—focusing instead on the risk of cybersecurity breaches resulting from the compromise of customers’ access credentials. It focuses specifically on “credential stuffing,” in which attackers gather customers’ leaked personal information from the dark web and then use automated programs that try this information against login systems to discover valid usernames and passwords. In the Risk Alert, the SEC writes that, “[c]redential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.”
Here, the SEC provides a number of recommendations; and, while these recommendations are slightly more detailed than those in the May 23, 2019 Risk Alert, they still fall far short of serving as a roadmap for an effective cybersecurity program. At a high level, the SEC’s recommendations for preventing credential-focused attacks include:
- Adopting and periodically reviewing targeted cybersecurity policies and procedures
- Utilizing multi-factor authentication and CAPTCHA
- Implementing firewalls and other controls designed to detect and prevent credential stuffing attacks
- Monitoring the dark web for lists of leaked customer information
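The Risk Alert tells firms to detect credential stuffing but leaves the detection logic to them. As an added illustration (this is not code from the SEC, the Risk Alert, or this article), the following Python applies the distinguishing feature of the attack described above, one origin cycling through many different usernames with a high failure rate, to a constructed authentication log. The log format, IP addresses, usernames and thresholds are all assumptions made for the example; a firm would substitute its own log schema and tune the thresholds to its traffic.

```python
"""Flag credential-stuffing patterns in authentication logs.

Heuristic: a credential-stuffing source tries many *different* usernames
from one origin within a short window and mostly fails, whereas a classic
brute-force attempt hammers a single username. Any successful login inside
a flagged window is the account the firm most urgently needs to review.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed log format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL".
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample log (documentation-range IPs, invented users).
# 203.0.113.10 walks through six accounts in seconds: stuffing pattern.
# 198.51.100.7 retries one account: brute force, not stuffing.
# 192.0.2.55 is a normal user logging in twice.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=203.0.113.10 user=alice result=FAIL
2024-03-01T10:00:02Z src=203.0.113.10 user=bob result=FAIL
2024-03-01T10:00:02Z src=203.0.113.10 user=carol result=FAIL
2024-03-01T10:00:03Z src=203.0.113.10 user=dave result=OK
2024-03-01T10:00:03Z src=203.0.113.10 user=erin result=FAIL
2024-03-01T10:00:04Z src=203.0.113.10 user=frank result=FAIL
2024-03-01T10:00:30Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:31Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:32Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:33Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:34Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:00:35Z src=198.51.100.7 user=alice result=FAIL
2024-03-01T10:05:00Z src=192.0.2.55 user=grace result=OK
2024-03-01T10:05:01Z src=192.0.2.55 user=grace result=OK
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "src": m["src"], "user": m["user"], "ok": m["result"] == "OK"}


def detect_credential_stuffing(log_text, window_seconds=60,
                               min_distinct_users=5, min_fail_ratio=0.8):
    """Return one finding per source IP whose sliding window of attempts
    covers at least `min_distinct_users` usernames with a failure ratio of
    at least `min_fail_ratio`. Thresholds are illustrative assumptions."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Shrink the window from the left until it fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {e["user"] for e in window}
            failures = sum(1 for e in window if not e["ok"])
            if len(users) >= min_distinct_users and failures / len(window) >= min_fail_ratio:
                findings.append({
                    "src": src,
                    "window_start": window[0]["ts"].isoformat(),
                    "window_end": window[-1]["ts"].isoformat(),
                    "attempts": len(window),
                    "distinct_users": len(users),
                    "failures": failures,
                    # Accounts that were successfully entered during the run:
                    # candidates for forced password reset and MFA enrolment.
                    "successful_logins": sorted(e["user"] for e in window if e["ok"]),
                })
                break  # one alert per source is enough; stop scanning it
    return findings


if __name__ == "__main__":
    for finding in detect_credential_stuffing(SAMPLE_LOG):
        print(finding)
```

The brute-force source is deliberately not flagged by this rule: it needs a separate per-account lockout or rate limit, which is the control the Risk Alert contrasts credential stuffing with. In practice the same window logic would be run over a source key broader than a single IP (an ASN or a device fingerprint), since stuffing tools commonly rotate addresses.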
2. Ransomware Targeting Issuers and Brokers
Ransomware is a growing concern as well. With the Colonial Pipeline attack bringing awareness of ransomware into the mainstream, the SEC has taken notice as well, and it has established a number of expectations and recommendations for issuers, broker-dealers, and investment advisory firms.
For example, in a July 10, 2020 Risk Alert addressing ransomware, the SEC notes an “apparent increase in sophistication of ransomware attacks on SEC registrants,” and indicates that it has seen registrants implementing cybersecurity measures such as the following with a specific focus on preventing ransomware attacks:
- Awareness and Training Programs
- Vulnerability Scanning and Patch Management
- Access Management
- Perimeter Security
3. Cybersecurity and Resiliency
The SEC has also released a report from its Office of Compliance Inspections and Examinations entitled, Cybersecurity and Resiliency Observations. In this report, the Office of Compliance Inspections and Examinations details a number of cybersecurity risks identified within the securities market, and it provides recommendations for issuers, broker-dealers, and investment advisors in the areas of:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Mobile Security
- Incident Response and Resiliency
- Vendor Management
- Training and Awareness
As you can see, several of the areas on this list overlap with the recommendations discussed above. In order to be effective, a cybersecurity program must not only be comprehensive, but it must also fully integrate measures designed to protect against all pertinent risks in such a way that the program can be managed, reviewed, and updated effectively.
Is Your Company at Risk for Civil Liability In the Event of an SEC Cyber Unit Investigation?
Given the myriad cybersecurity risks that exist—and given the SEC’s focus on ensuring that issuers, firms, and others are taking adequate measures to protect their (and their customers’) data—is your company at risk for civil liability in the event of an SEC Cyber Unit investigation?
The above discussion just scratches the surface of the issues companies and firms need to consider when developing their cybersecurity programs. Companies and firms must comprehensively evaluate their unique vulnerabilities, and they must implement policies, procedures, and protocols in light of the risks they face. While the SEC’s guidance can serve as a foundation for addressing certain issues (e.g. credential stuffing and ransomware), it comes nowhere near identifying all areas of concern.
With this in mind, companies and firms that are subject to SEC oversight need to work with their cybersecurity counsel to ensure that they are doing enough to protect themselves and the data in their custody and control. In today’s world, companies and firms cannot afford to make assumptions or rely on guesswork when it comes to cybersecurity.
FAQs: Facing an SEC Cyber Unit Investigation
How Does the SEC’s Cyber Unit Identify Companies and Firms to Investigate for Cybersecurity Compliance Violations?
Similar to other types of SEC investigations, Cyber Unit investigations can result from a number of different factors. Customer complaints, whistleblower and competitor allegations, review of public filings, and publicized information about cybersecurity breaches can all potentially lead to scrutiny of companies’ and firms’ cybersecurity programs.
What are the Risks of Facing an SEC Cyber Unit Investigation?
A compliance investigation conducted by the SEC’s Cyber Unit can lead to fines and other civil monetary penalties, and it can also lead to enforcement action affecting companies’ and firms’ SEC registrations. As mentioned above, the Cyber Unit will also refer investigations to the FTC, FBI and DOJ for further investigative and enforcement action in appropriate cases.
What Should Companies and Firms Do When Facing SEC Cyber Unit Investigations?
When facing an SEC Cyber Unit investigation, it is imperative to engage the company’s or firm’s cybersecurity counsel promptly. The company’s or firm’s cybersecurity program must be thoroughly assessed for vulnerabilities or other compliance-related shortcomings—and this assessment must be conducted under the umbrella of the attorney-client privilege. The company or firm should rely on its cybersecurity counsel to interface with the Cyber Unit, and leadership should work directly with counsel to develop an informed strategy moving forward.
Speak with a Cybersecurity Lawyer at Oberheiden P.C.
Do you need to speak with a cybersecurity lawyer about SEC compliance or a Cyber Unit investigation? If so, we encourage you to contact us promptly. Call 888-680-1745 or get in touch online to speak with a cybersecurity lawyer at Oberheiden P.C. in confidence as soon as possible.