In recent months, the U.S. Securities and Exchange Commission (“SEC”) has emphasized cybersecurity as both an enforcement priority and corporate responsibility, demonstrating its continued focus on the need for issuers to have sufficient measures in place, including up-to-date compliance and incident response programs in order to maintain the integrity of the capital market system.
The SEC recently issued a Report of Investigation pursuant to Section 21(a) of the Securities Exchange Act (the “Report”) that advised public companies to develop and implement internal accounting controls that include an approach to cyber threats.[1] The Report stemmed from an investigation of nine unidentified public companies that had fallen victim to cyber fraud in the form of “business email compromises.” The nine issuers were defrauded into losing almost $100 million via wiring funds phished from compromised or spoofed emails claiming to be legitimate sources such as company executives. The Report sharply criticized the victim companies for failing to identify red flags and train personnel, and serves as a stern warning that the SEC will not hesitate to turn a victim company into the target of an enforcement action.[2]
Indeed, the SEC has started bringing enforcement actions in the cybersecurity space in egregious cases. In September it issued a Consent Order against a registered investment adviser for a cyber-intrusion that resulted in the compromise of customer personal information.
The SEC determined that the company knew about the weaknesses in its cybersecurity procedures as a result of a prior attack.[3] Earlier this year the SEC also settled charges that stemmed from inadequate breach reporting.[4]
The SEC appears to be focused on the importance of well-designed policies and procedures and training. Two elements of compliance that the Report emphasizes are the importance of procedures to authorize wire transfers (including the requirement for multiple levels of approval and verifying changes in counterparties) and the need for continued training of employees to familiarize them with common cyberattack strategies. These focal points serve as useful action items for companies to evaluate their own risk profiles. Although the SEC refrained from suing the companies mentioned in the Report, the attention paid to internal controls and cybersecurity in particular is a shot across the bow that the SEC will not be as generous in the future.
All of this activity comes on the heels of the creation of the SEC’s Cyber Unit[5] as well as the SEC’s own data breach of its EDGAR system, which made the SEC acutely aware of the challenges issuers face with respect to cybersecurity.[6] Coupled with the SEC’s guidance from earlier this year on cybersecurity disclosures as crucial to enterprise risk-management,[7] the recent Report and enforcement activity serve as reminders for public companies to evaluate their policies and procedures and adequately train personnel to minimize falling victim to a cyberattack.
Footnotes:
- “Report of Investigation Pursuant to 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements,” SEC Release No. 34-84429 (Oct. 16, 2018).
- Controls to reasonably safeguard company funds are required under Section 13(b)(2)(b) of the Exchange Act. See Id.
- “SEC Charges Firm with Deficient Cybersecurity Procedures.” SEC Press Release No. 2018-213 (Sept. 26, 2018).
- See our April 24, 2018 Post, “Being first isn’t always best: SEC settles for $35 million fine for failure to disclose data breach to investors.” https://www.technologylawdispatch.com/2018/04/data-cyber-security/being-first-isnt-always-best-sec-settles-for-35-million-fine-for-failure-to-disclose-data-breach-to-investors/
- “SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors,” SEC Press Release No. 2017-176 (Sept. 25, 2017).
- “SEC Chairman Clayton Issues Statement on Cybersecurity.” SEC Press Release No. 2017-170 (Sept. 20, 2017).
- See our February 27, 2018 Post, “Guiding Light: SEC adopts update cybersecurity guidance” https://www.technologylawdispatch.com/2018/02/privacy-data-protection/guiding-light-sec-adopts-updated-cybersecurity-guidance/