Cybersecurity and the SEC

The SEC’s Cyber Unit Pursues Civil Claims Against Regulated Companies and Others Suspected of Compromising Investors’ Personal information

Contact John directly

Companies of all types have obligations under federal securities laws. This includes both public and private companies, and it includes stock issuers, brokerage firms, and cryptocurrency developers—among many others. While these obligations largely relate to the issuance of securities and trading activity, they cover many other areas as well. One particular area of emphasis for the U.S. Securities and Exchange Commission (SEC) in recent years has been cybersecurity.

In 2017, the SEC Enforcement Division established an all-new Cyber Unit. The Cyber Unit has civil enforcement authority, and it uses this authority to investigate regulated companies, brokerage firms and others suspected of cybersecurity-related violations. As listed by the SEC, the Cyber Unit’s priorities include:

• Cybersecurity controls at regulated entities
• Issuer disclosures of cybersecurity incidents and risks
• Trading on the basis of hacked nonpublic information
• Violations involving digital assets, initial coin offerings and cryptocurrencies
• Cyber-related manipulations such as brokerage account takeovers and market manipulation using social media platforms

Click image
to see larger version.

With these priorities in mind, companies and firms that are subject to the SEC’s oversight need to ensure that they are doing everything necessary to meet the commission’s expectations. Crucially, not only can failure to do so lead to civil enforcement action by the SEC; but, when warranted, the SEC’s Cyber Unit can refer cases to the Federal Trade Commission (FTC), the Federal Bureau of Investigation (FBI), and the U.S. Department of Justice (DOJ) for investigation and enforcement as well.

The SEC Provides Guidance for Regulated Companies Through “Risk Alerts”

The SEC provides guidance to companies and firms regarding cybersecurity compliance via the issuance of “Risk Alerts”. It has issued several Risk Alerts in recent years. The SEC’s recent Risk Alerts are instructive on a number of key issues, and those that are subject to SEC oversight will be well-served to take the SEC’s guidance into account, reevaluate their cybersecurity programs, and make any updates or modifications that are necessary.

1. Safeguarding Client Accounts and Use of Third-Party Security Features

On May 23, 2019, the SEC issued a Risk Alert entitled, Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features. On September 15, 2020, it issued a Risk Alert entitled, Safeguarding Client Accounts Against Credential Compromise. Together, these two documents provide a significant amount of guidance (and establish significant expectations) for broker-dealers and investment advisors.

For example, with regard to brokerage and advisory firms’ use of cloud-based and other third-party remote storage applications, the May 23, 2019 Risk Alert identifies three primary concerns: (i) “misconfigured network storage solutions” (improper configuration of security settings potentially facilitating unauthorized access, as well as lack of policies and procedures addressing network security configurations); (ii) “inadequate oversight of vendor-provided network storage solutions” (failure to implement policies, procedures, and contractual provisions that ensure proper configuration of vendor-provided storage); and, (iii) “insufficient data classification policies and procedures” (adoption of policies and procedures that are inadequate to identify different types of data and ensure the application of appropriate cybersecurity protections for each type).

In addition to identifying areas of concern, the May 23, 2019 Risk Alert also provides some examples of effective cybersecurity practices. However, the SEC’s guidance here is general in nature (i.e. recommending that companies adopt “[g]uidelines for security controls and baseline security configuration standards to ensure that each network solution is configured properly”)—thus leaving brokerage and advisory firms to make their own determinations with regard to what is necessary in light of the types of data they store and the unique cybersecurity risks they face within their operations.

The SEC’s September 15, 2020 Risk Alert shifts its focus away from network security policies, procedures, and protocols—focusing instead on the risk of cybersecurity breaches resulting from the compromise of customers’ access credentials. It focuses specifically on “credential stuffing,” which involves attackers gathering customers’ personal information from the dark web and then writing programs that use this information to identify their usernames and passwords. In the Risk Alert, the SEC writes that, “[c]redential stuffing is emerging as a more effective way for attackers to gain unauthorized access to customer accounts and/or firm systems than traditional brute force password attacks.”

Here, the SEC provides a number of recommendations; and, while these recommendations are slightly more detailed than those in the May 23, 2019 Risk Alert, they still fall far short of serving as a roadmap for an effective cybersecurity program. At a high level, the SEC’s recommendations for preventing credential-focused attacks include:

• Adopting and periodically reviewing targeted cybersecurity policies and procedures
• Utilizing multi-factor authentication and CAPTCHA
• Implementing firewalls and other controls designed to detect and prevent credential stuffing attacks
• Monitoring the dark web for lists of leaked customer information

2. Ransomware Targeting Issuers and Brokers

Ransomware is a growing concern as well. With the Colonial Pipeline attack bringing awareness of ransomware into the mainstream, the SEC has taken notice as well, and it has established a number of expectations and recommendations for issuers, broker-dealers, and investment advisory firms.

For example, in a July 10, 2020 Risk Alert addressing ransomware, the SEC notes an “apparent increase in sophistication of ransomware attacks on SEC registrants,” and indicates that it has seek registrants implementing cybersecurity measures such as the following with a specific focus on preventing ransomware attacks:

• Awareness and Training Programs
• Vulnerability Scanning and Patch Management
• Access Management
• Perimeter Security

3. Cybersecurity and Resiliency

The SEC has also released a report from its Office of Compliance Inspections and Examinations entitled, Cybersecurity and Resiliency Observations. In this report, the Office of Compliance Inspections and Examinations details a number of cybersecurity risks identified within the securities market, and it provides recommendations for issuers, broker-dealers, and investment advisors in the areas of:

• Governance and Risk Management
• Access Rights and Controls
• Data Loss Prevention
• Mobile Security
• Incident Response and Resiliency
• Vendor Management
• Training and Awareness

As you can see, several of the areas on this list overlap with the recommendations discussed above. In order to be effective, a cybersecurity program must not only be comprehensive, but it must also fully integrate measures designed to protect against all pertinent risks in such a way that the program can be managed, reviewed, and updated effectively.

Put our highly experienced team on your side

Dr. Nick Oberheiden

Founder

Attorney-at-Law

John W. Sellers

Former Senior Trial Attorney
U.S. Department of Justice

Local Counsel

Joanne Fine DeLena

Former Assistant U.S. Attorney

Local Counsel

Joe Brown

Former U.S. Attorney & Former District Attorney

Local Trial & Defense Counsel

Amanda Marshall

Former U.S. Attorney

Local Counsel

Aaron L. Wiley

Former Federal Prosecutor

Local Counsel

Roger Bach

Former Special Agent (OIG)

Michael Koslow

Former Supervisory Special Agent (FBI)

Chris Quick

Former Special Agent (FBI & IRS-CI)

Kevin M. Sheridan

Former Special Agent (FBI)

Ray Yuen

Former Supervisory Special Agent (FBI)

Timothy Allen

Former Senior Special Agent

Is Your Company at Risk for Civil Liability In the Event of an SEC Cyber Unit Investigation?

Given the myriad cybersecurity risks that exist—and given the SEC’s focus on ensuring that issuers, firms, and others are taking adequate measures to protect their (and their customers’) data—is your company at risk for civil liability in the event of an SEC Cyber Unit investigation?

The above discussion just scratches the surface of the issues companies and firms need to consider when developing their cybersecurity programs. Companies and firms must comprehensively evaluate their unique vulnerabilities, and they must implement policies, procedures, and protocols in light of the risks they face. While the SEC’s guidance can serve as a foundation for addressing certain issues (i.e. credential stuffing and ransomware), it does not nearly identify all areas of concern.

With this in mind, companies and firms that are subject to SEC oversight need to work with their cybersecurity counsel to ensure that they are doing enough to protect themselves and the data in their custody and control. In today’s world, companies and firms cannot afford to make assumptions or rely on guesswork when it comes to cybersecurity.

How To Select an SEC Defense Lawyer

FAQs: Facing an SEC Cyber Unit Investigation

Speak with a Cybersecurity Lawyer at Oberheiden P.C.

Do you need to speak with a cybersecurity lawyer about SEC compliance or a Cyber Unit investigation? If so, we encourage you to contact us promptly. Call 888-680-1745 or get in touch online to speak with a cybersecurity lawyer at Oberheiden P.C. in confidence as soon as possible.