True North Networks Blog
Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?
After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and by bringing several first-of-their-kind cybersecurity enforcement actions—foretell that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.
The SEC’s Focus On Cybersecurity Since his confirmation as SEC Chair in 2017, Clayton has made cybersecurity one of the SEC’s main priorities. In 2017, Clayton formed the cybersecurity working group, an initiative to coordinate information sharing, risk monitoring, and incident response throughout the SEC. In discussing the working group, Clayton defined the SEC’s cyber focus as “identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.” See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017). In September 2017, the SEC also announced the creation of a Cyber Unit. The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate a wide-range of cyberrelated threats, including (1) market manipulation schemes involving false information communicated electronically; (2) hacking to obtain material nonpublic information; (3) fraud involving blockchain technology and “initial coin offerings”; (4) hacking into retail brokerage accounts; and (5) cyber threats to trading platforms and market infrastructure. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.” SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017). Since its creation, the Cyber Unit has wasted little time in bringing cases. According to the Enforcement Division’s 2018 Annual Report, during 2018, the SEC brought 20 stand-alone cases related to cybersecurity and has 225 cyber-related investigations that it deems “ongoing.”
See SEC SERVING THE BENCH AND BAR SINCE 1888 Volume 261—NO. 38 Wednesday, February 27, 2019 Outside Counsel Joseph Facciponti and Katherine McGrail are partners at Murphy & McGonigle, P.C., a financial services law firm. Mr. Facciponti is a former cybercrime prosecutor at the U.S. Attorney’s Office for the Southern District of New York. Ms. McGrail counsels financial institutions on compliance with industry regulations and serves as the firm’s chief diversity and inclusion officer. www. NYLJ.com By Joseph Facciponti And Katherine McGrail Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC? Annual Report, Division of Enforcement (Nov. 2, 2018). In several cases, the enforcement actions were firstof-their-kind, as discussed below. The SEC’s focus on cybersecurity also appears to be driven by its own experience with cybersecurity issues. The same month that the SEC announced the creation of its Cyber Unit, the SEC announced that it, too, has experienced data breaches. In an extended Statement on Cybersecurity that likely is also intended to serve as a model for public companies in discussing their own material cybersecurity risks and incidents, Clayton announced a number of cybersecurity risks and data incidents effecting the SEC, the most significant of which involved hackers gaining access to the SEC’s EDGAR filing database in 2016 to steal unreleased corporate filings that potentially contained material nonpublic information. See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).
Cyber Disclosure Guidance. One of the centerpieces of the SEC’s enhanced cybersecurity strategy is in encouraging public companies and issuers to be transparent with the investing public about their material cyber risks and incidents. In September 2017, Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.” C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017). Perhaps exemplifying the SEC’s concerns, that same month, credit reporting agency Equifax disclosed that an unknown attacker had stolen personally identifiable information of approximately 145 million consumers. K. Coen, Populist Pitchforks Come Out: Insider Trading and Equifax, Law360 (Nov. 6, 2017). Equifax faced immediate public criticism over the timeliness and adequacy of its disclosure, which came approximately six weeks after it discovered the breach. Further, questions were raised about potential insider trading by four Equifax executives, including the Chief Financial Officer, all of whom collectively sold $1.8 million of Equifax shares between the time the breach was discovered and when it was disclosed to the public. Id. An internal review ultimately cleared those executives of any wrongdoing.
In February 2018, and consistent with the SEC’s focus on disclosure— and perhaps in response to the Equifax breach—the SEC published revised guidance regarding public company disclosures about material cyber risks and incidents (2018 Guidance). See SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018). The 2018 Guidance consolidated and built upon the SEC’s prior guidance on disclosure obligations relating to cybersecurity, particularly the Division of Corporation Finance’s guidance from 2011. Among other things, the 2018 Guidance addresses topics such as: (1) the criteria for determining whether a cyber risk or incident is “material”; (2) how promptly companies must disclose material cyber incidents; (3) the level of specificity required when disclosing material cyber risks; and (4) the need to adopt policies and procedures to prevent insider trading on as-yet undisclosed cyber incidents. Disclosure-Related Enforcement Actions. At the time the 2018 Guidance was released, it was still unclear whether the SEC would bring an enforcement action against an issuer that failed to disclose material cyber risks or incidents to the investing public. Previously, Stephanie Avakian said that she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures. J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (April 20, 2017).
That uncertainty was resolved in April 2018, when the SEC announced its first-ever enforcement action against a public company for failing to disclose a breach. The enforcement action involved Yahoo, which the SEC alleged had misled shareholders by not disclosing in its public filings for nearly two years a data breach that affected hundreds of millions of its internet email subscribers. See SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018). The Yahoo breach only came to light as a result of merger discussions with Verizon, which sought to purchase the company. According to the SEC, Yahoo’s senior management and legal staff allegedly “did not properly assess the scope, business Wednesday, February 27, 2019 Firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance. impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.” The SEC further noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, the breach should have been disclosed in the company’s regular periodic reports. The company ultimately agreed to pay a $35 million fine. In the case of Yahoo, the failure to disclose the breach had a clear effect on the company’s shareholders, who saw Verizon reduce its purchase price for Yahoo by $350 million after the breach was disclosed. In announcing the Yahoo enforcement action, Steven Peikin, co-director of Enforcement, observed that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Id. It remains to be seen whether the SEC will take any actions with respect to Equifax for its six-week delay in disclosure of its 2017 breach.