On April 25, the Securities and Exchange Commission announced a settlement with Yahoo that constituted its first enforcement action against a public company for failing to disclose a data breach.

This settlement demonstrates that companies in post-data breach environments must engage in a thorough, comprehensive analysis of whether to disclose the cybersecurity incident in their public filings. In conducting this analysis, companies face a difficult choice: disclose and face public and investor backlash, or decline to disclose and potentially face later regulatory scrutiny and/or class action stockholders’ litigation.

To read McGuireWoods’ analysis of what the Yahoo settlement can teach about proper disclosure analysis and the factors that a company must consider when conducting this critical task, download a copy of our white paper, titled “Between a Rock and A Hard Place: SEC Disclosure Analysis in Light of the Yahoo Settlement.”

As previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks last month. However, it is unclear what, if any, impact the new guidance will have on the rate of SEC enforcement actions in the coming months.

According to a recent study by the NYU Pollack Center for Law & Business and Cornerstone Research, SEC enforcement actions declined significantly last year when compared with 2016. In fiscal year 2016, the SEC brought 92 enforcement actions against public companies and their subsidiaries. In fiscal year 2017, SEC enforcement declined by 33 percent, with the SEC filing 62 enforcement actions against public companies and their subsidiaries. Of the 62 enforcement actions, the SEC filed only 17 in the second half of fiscal year 2017. This was the largest semiannual decrease for a fiscal year since the Securities Enforcement Empirical Database (SEED) began collecting data in 2010. Similarly, total monetary settlements declined from $1 billion in the first half of fiscal year 2017 to $196 million in the second half of the year.

The timing of the decline suggests that the Trump Administration may be reining in regulatory enforcement. However, despite the empirical slowdown, Stephanie Avakian and Steven Peikin, the co-directors of the SEC’s Division of Enforcement, deny that there has been any directive from the Trump Administration to slow the enforcement arm of the SEC. In fact, during the annual American Bar Association white collar conference, the co-directors cautioned that more enforcement actions, especially those related to cybersecurity, may be on the horizon. Indeed, the SEC’s new cybersecurity guidelines, coupled with the creation of the SEC Cyber Unit at the end of fiscal 2017, will give the SEC new tools to combat cyber-related misconduct in 2018.

Last week, as previously reported, the U.S. Securities and Exchange Commission (SEC) unanimously voted to approve additional guidance for reporting cybersecurity risks. The release of this guidance underscores the SEC’s intent to prioritize cybersecurity compliance in 2018. The SEC may bring action against boilerplate cybersecurity disclosures that are not specifically tailored to address unique industry challenges. Companies should review and amend current policies and procedures to ensure legal compliance with the updated guidance and mitigate the risk of regulatory enforcement action. This includes companies that are subject to material cybersecurity risks but have not yet suffered a cyber-attack.

Prior SEC Cybersecurity Initiatives

Historically, the SEC has focused its cybersecurity efforts on protecting consumer information by conducting thorough risk assessments and evaluating vulnerabilities. For example, since 2014, the Office of Compliance Inspections and Examinations (OCIE) has made cybersecurity a top priority by reviewing the effectiveness of various cybersecurity programs. In 2015, the SEC announced enforcement actions against companies for lax cybersecurity policies that failed to safeguard consumer information. And in 2017, during the WannaCry ransomware attack, the SEC issued an alert to broker-dealers, investment advisers, and investment companies warning them of the attack and reminding them to address cybersecurity risks. Similarly, the Financial Industry Regulatory Authority (FINRA) continues to treat cybersecurity as a top priority and recently, through its exam findings report, detailed effective cybersecurity program practices.

Cybersecurity Policies and Procedures

The release of updated guidance makes it clear that going forward the SEC will more closely examine cybersecurity risk disclosure policies and procedures and bring action against those companies that fail to comply with the guidance. In addition to expanding upon topics from the 2011 guidance, such as associated costs and the likelihood of litigation, the 2018 guidance addresses two new areas: (1) cybersecurity policies and procedures and (2) cybersecurity insider trading prohibitions. The guidance emphasizes the importance of establishing policies and procedures that manage the disclosure of “material cybersecurity risks and incidents in a timely fashion.”

The guidance states that when determining disclosure obligations, companies should avoid “generic cybersecurity-related disclosures” and consider:

  1. the potential materiality of any identified risk;
  2. the importance of any compromised information; and
  3. the impact of the incident on the company’s operations.

In order to determine the “materiality” of a cybersecurity risk, companies should analyze:

  1. the nature, extent, and potential magnitude of the risk; and
  2. the potential harm that could occur including reputational harm, financial challenges, customer and vendor relationships, as well as possible litigation or regulatory actions.

Insider Trading

Although the SEC did not mention any specific data incidents, recent breaches likely played a part in the issuance of the new guidance. The SEC used the new guidance as a reminder to adopt policies and procedures that prevent corporate insiders from trading on material nonpublic information regarding a cyber incident before public disclosure of the incident. This is not the first time the SEC has scrutinized insider trading. In 2015, the SEC announced a $30 million settlement with Ukraine-based Jaspen Capital Partners Limited and CEO Andriy Supranonok over allegations that they made financial gains by trading on nonpublic corporate news releases that were hacked from newswire services. The SEC continues to focus on insider trading in the 2018 guidance, stating that when there is “selective disclosure of material nonpublic information related to cybersecurity,” companies must ensure the material information is disclosed to all investors at the same time, thereby remaining compliant with Regulation FD. The guidance goes on to state that companies should also avoid the mere appearance of improper trading that may occur “during the period following an incident and prior to the dissemination of disclosure.”

SEC Cybersecurity Certification

In addition to insider trading, the 2018 guidance states that disclosure controls and procedures should ensure that relevant cybersecurity risk and incident information is reported to management so that management may make required certifications and disclosure decisions. The inclusion of this concept is unsurprising given the 2014 speech by SEC Commissioner Luis A. Aguilar, in which he said that “ . . . ensuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.” The 2018 guidance expands on that point and specifically references different disclosure certifications that executive management should consider when assessing the adequacy of procedures for identifying cybersecurity risks. For example, certifications made pursuant to Exchange Act Rules 13a-14 and 15d-14, as well as Item 307 of Regulation S-K and Item 15(a) of Exchange Act Form 20-F, are made on a quarterly and annual basis by upper management and require certification regarding the design and effectiveness of disclosure controls and procedures. When certifying cybersecurity effectiveness pursuant to those rules, the guidance states that certifications and disclosures should consider:

  1. if there are sufficient controls and procedures for identifying cybersecurity risks and incidents;
  2. if there are sufficient controls and procedures for assessing and analyzing the impact of the incidents; and
  3. if cybersecurity risks or incidents threaten “a company’s ability to record, process, summarize, and report” required information, then management should determine if “there are deficiencies in disclosure controls and procedures that would render them ineffective.”

As the number of cyber-attacks has increased, so has the SEC’s interest in comprehensively regulating cyber risks. If your company has suffered a small attack that does not meet the criteria for materiality, the incident still may need to be reported to the SEC because the company may be a target for high-profile hackers or state agents. Further, if your company suffers a cyber-attack of any size, the guidance states that you may need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events. It goes on to provide that “past incidents involving suppliers, customers, competitors, and others may be relevant when crafting risk factor disclosure.” But even if your company has not suffered a cyber-attack, the SEC expects that your company has adopted and implemented written cybersecurity policies and procedures that protect consumer information, limit insider trading and properly manage cybersecurity risk disclosure.

As noted in our previous post, in contrast to the Democratic commissioners, Chairman Jay Clayton stated that he believes the guidance will “promote clearer and more robust disclosure” and that he “urge[s] public companies to examine their controls and procedures.” For example, when disclosing significant risk factors pursuant to Regulation S-K and Form 20-F, the guidance suggests that companies should consider the following:

  1. the occurrence of prior cybersecurity incidents, including severity and frequency;
  2. the adequacy of preventative actions taken to reduce cybersecurity risks and the associated costs;
  3. the costs associated with maintaining cybersecurity protections; and
  4. existing or pending laws and regulations that may affect the requirements.

While the guidance does not specifically propose new cybersecurity regulations, it does provide a new focus for the agency as well as additional detail regarding previously articulated issues. Company counsel and executive management should closely examine their disclosures, as well as their overall cybersecurity risk disclosure policies and procedures, to determine if they are compliant with this new SEC guidance.

On November 16, 2017, U.S. Securities and Exchange Commission (SEC) Chairman Jay Clayton announced in a symposium on cybersecurity and financial crimes that the SEC would start taking enforcement action against coin offering issuers who fail to register with the SEC.

As cryptocurrencies, like Bitcoin, have become increasingly popular, startup companies have turned to a method known as an initial coin offering (“ICO”) to raise capital. Law360 explains, “ICOs are used by the creators of blockchain-based structures to raise funds, usually for projects. . . . Instead of stock, investors receive tokens that can either be traded in the secondary market or used within the blockchain project.” This method closely resembles an initial public offering, but the key difference is that ICOs have largely been able to avoid federal regulation. These offerings have flown under the radar, at least up until now, because the technology is still in its early stages.

This unregulated method of raising capital creates the potential for significant fraud and abuse. As such, the SEC intends to regulate the practice, so much so that the SEC decided to form a Cyber Unit earlier this year. According to the SEC, the Cyber Unit will focus on targeting cyber-related misconduct, such as:

  • Market manipulation schemes involving false information spread through electronic and social media;
  • Hacking to obtain material nonpublic information;
  • Violations involving distributed ledger technology and initial coin offerings;
  • Misconduct perpetrated using the dark web;
  • Intrusions into retail brokerage accounts; and
  • Cyber-related threats to trading platforms and other critical market infrastructure.

The creation of a Cyber Unit within the SEC is a clear indicator that the SEC will regulate cryptocurrency more heavily. As Chairman Clayton noted, “I think that now we have given the market a sufficient warning where we can move from level-setting the field to enforcing it.”

ICOs are not just in the crosshairs of American regulators; European regulators have also raised significant concerns about the practice. In fact, earlier this November, the European Securities and Markets Authority (ESMA) issued a statement warning firms involved in ICOs that they need to “comply with relevant legislation” and that “[a]ny failure to comply with the applicable rules will constitute a breach.”

Given the increasingly burdensome regulatory environment surrounding initial coin offerings and cryptocurrency, startups and other companies utilizing ICOs would be well advised to seek legal counsel so as to comply with all federal laws and/or SEC regulations.

On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user. With similar attacks expected, and as we have previously discussed, businesses would be well served to proactively take steps to protect themselves from WannaCry and other malicious cyberattacks.

On the heels of yet another high profile cyberattack, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert to broker-dealers, investment advisers, and investment companies warning them of WannaCry and reminding them of the importance of addressing cybersecurity issues to protect investors and clients. Regulated entities are required by Regulation S-P, 17 C.F.R. § 248.30(a), to adopt written policies and procedures (administrative as well as technical) to safeguard the personally identifiable information of their investors, clients, and customers. The regulation requires that these procedures be reasonably designed to protect against anticipated cyber threats and unauthorized access to or use of customer records or information.

In 2015, OCIE launched its cybersecurity examination initiative, and the SEC’s Division of Investment Management and FINRA simultaneously offered guidance to regulated entities on cybersecurity. The OCIE alert serves as a reminder to regulated entities of their obligation to safeguard client data. In conducting a recent examination of 75 SEC-registered broker-dealers, investment advisers, and investment companies, OCIE found that 26% of investment advisers and investment companies surveyed did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical systems. Broker-dealers fared better, with only a 5% deficiency rate in both categories.

Both the SEC and FINRA have made enforcement of cybersecurity issues a focus, and recent SEC enforcement actions demonstrate its willingness to pursue firms that have suffered from cyberattacks and that lacked policies and procedures that the SEC deemed to be “reasonably designed” to safeguard customer information. For example, R.T. Jones Capital Equities Management recently settled a cease-and-desist proceeding after an unauthorized, unknown intruder gained access to the personally identifiable information of over 100,000 individuals. This breach cost R.T. Jones a $75,000 civil monetary penalty.

The WannaCry attacks and OCIE’s alert should serve as a reminder that regulators are watching how broker-dealers and other regulated entities safeguard customer data. For a regulated entity, crafting effective cybersecurity policies and procedures is essential not only to preventing harmful and embarrassing attacks, but also to preventing a potentially costly regulatory action. As a regulatory compliance matter, these policies and procedures are more than an IT policy and require scrutiny from well-advised in-house counsel.

The inspector general (IG) of the U.S. Securities and Exchange Commission (SEC) reported last week that the SEC has not sufficiently implemented information technology security upgrades to protect highly sensitive information from data breaches. The IG reported that SEC officials failed to deactivate idle user accounts, did not ensure that system owners kept their systems performing consistently, and failed to monitor risks. The Office of Information Technology did not implement a risk committee or ensure that employees follow best practices. Inspector General Carl Hoecker made more specific recommendations, which were not released because they contain sensitive information. A spokesman for the SEC said the agency agreed with the recommendations but declined to comment further. The SEC did implement some changes since last year following the Federal Information Security Modernization Act of 2014: it improved its personal identity verification, established multifactor authentication and generally improved identity and access management.

The IG report mirrors similar Government Accountability Office (GAO) findings released late last month. The GAO report outlined key areas of weakness in the SEC’s information security controls, including a lack of segregation between the agency’s computing environments and a failure to review and update plans for how systems could be recovered in the case of a disaster. The GAO particularly focused on the SEC’s failure to control access to its network, finding that the agency did not always restrict traffic passing through firewalls and did not ensure that only authorized people could access its filing systems. Weaknesses also were found in the physical security of SEC facilities. Stephanie Avakian, deputy director of the agency’s enforcement division, said in February that the agency was monitoring how companies react in the wake of data breaches.

Cybersecurity is the biggest risk facing the financial system, the SEC has said repeatedly. While the SEC has been criticized for its porous cybersecurity, the SEC has led numerous cybersecurity enforcement efforts on Wall Street. The SEC has fined various investment advisers tens of thousands of dollars for failing to implement proper cybersecurity policies before systems were hacked. Such enforcement efforts are expected to continue.

On May 9, 2016, the International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association (comprised of three other industry associations, including the Securities Industry and Financial Markets Association) published a set of common principles to promote effective global policymaking on cybersecurity, data and technology (the Principles). These industry groups are seeking constructive cooperation with regulators on the principles by submitting them to the Financial Stability Board and the International Organization of Securities Commissions (IOSCO).

The Principles follow a report published in April 2016 by IOSCO that provided an overview of some of the different regulatory approaches related to cybersecurity that IOSCO members have implemented and the different practices that market participants have adopted to address cybersecurity issues.

The Principles appear to be an effort by the financial industry to promote greater international coordination among regulators in the ongoing dialogue regarding cybersecurity in the financial sector. For instance, the IOSCO report functioned primarily as a survey of various regulatory approaches in different jurisdictions, with little emphasis on any preferred approach. In contrast, the Principles highlight the crucial point that effective policymaking requires recognizing that cybersecurity, data protection and technological advancement in the financial sector are international issues that require global solutions.

In addition, the Principles encourage global standards and cooperation in order to mitigate the problem of asking international firms with global platforms to comply with conflicting rules in different markets or jurisdictions, which could lead to increased compliance costs and fragmented technology systems or risk management processes. The Principles also promote rules that go beyond simply assessing whether a particular institution is compliant with a particular standard and instead ensure that sufficient resources are in place to manage risk and to proactively interact with regulators to assess cyber threats and data protection.

Grappling with cybersecurity, data protection and appropriate technology policies remains an ongoing project for banks, asset managers, funds and insurance companies, as well as the regulators of those institutions. The costs related to these projects only increase for financial institutions that report to multiple regulators or operate across national boundaries. Encouraging standard-setting bodies to consider core, transparent policies and to receive meaningful input from market participants may help prevent duplicative or inconsistent standards across regulators.

On January 11, 2016, the Securities and Exchange Commission announced its 2016 examination priorities list. For the third year in a row, cybersecurity is a top concern, especially with regard to internal security program assessment and evaluation. This year the Office of Compliance Inspections and Examinations (OCIE) will focus on cybersecurity protocols implemented by financial firms to protect consumer information from cyberattack. Investment advisors and broker-dealers are forewarned that security is no longer an academic discussion and that OCIE examiners will ask hard questions regarding the effectiveness of protective procedures. In addition, the agency will expect verified proof that safeguards designed to secure personal and sensitive information adequately defend against cyber threats and vulnerabilities.

The 2016 priority list continues to expand the agency’s 2015 cybersecurity initiative which focused on the protection of consumer information collected, held and utilized by investment firms. This emphasis on data security is a direct result of the increased use of diverse technology by advisors and dealers in business transactions that require the exchange of highly sensitive financial information. In addition, high profile data breaches have shaken consumer confidence resulting in a demand for stricter standards for the protection of confidential data. As a result, funds and advisors are now required to test security systems and evaluate the effectiveness of internal practices.

As a practical matter, the 2016 priorities list highlights the importance of identifying risks, building a robust security framework, monitoring program effectiveness and establishing protocols to respond to cyberattacks. Periodic risk assessments, with documented benchmarks for success, are now an integral part of verifying compliance with SEC obligations. In addition, knowledge of the content, use and storage of sensitive consumer information is fundamental to good information governance and risk management. Finally, ongoing investigations to identify internal and external cybersecurity threats and vulnerabilities are required to avoid noncompliance and to ensure that new information regarding cyberattacks is incorporated into existing security programs. Undoubtedly, the 2016 priorities list requires written policies, procedures and training to ensure security measures are implemented, systematically followed and effective.

Investment advisors and brokers should expect OCIE examiners to request detailed security program assessments and evaluations throughout 2016. In 2017, we predict the SEC will continue to focus on cybersecurity and mandate financial firms exchange information regarding cyberattacks to maintain industry awareness of threats to consumer information.

In late 2015, Congress passed the Fixing America’s Surface Transportation Act, a vehicle for an amendment to the Gramm-Leach-Bliley Act (GLBA) meant to eliminate the need for certain companies to provide annual privacy disclosures to consumers.

The amendment, which took effect immediately, eliminates the annual notice requirement for financial institutions that:

  1. do not share consumer nonpublic personal information with nonaffiliated third parties (with some limited exceptions), and
  2. have not changed their policies and practices, with regard to disclosing nonpublic personal information, from the policies and practices disclosed in the most recent annual notice.

This amendment addresses long-held complaints that the GLBA’s previous disclosure requirements were unnecessarily onerous and expensive for some businesses. In fact, the December 2015 amendment was just the most recent in a number of actions proposed to mitigate the burden and expense that resulted from the GLBA’s annual notice requirements.

In October 2014, the Consumer Financial Protection Bureau (CFPB) amended Regulation P to allow for electronic delivery or posting of annual privacy notices by financial institutions regulated by the CFPB. The amendment allowed for alternative online delivery of the privacy notice, but only if the financial institution met a lengthy list of requirements.

However, the 2014 CFPB revision likely had limited impact for two reasons. First, online delivery was permitted only for parties that met a laundry list of requirements, which may have been infeasible or impossible for certain financial institutions. Second, the revision applied only to entities subject to GLBA regulations issued by the CFPB, not those regulated by the Federal Trade Commission (FTC), the Securities and Exchange Commission, or the Commodity Futures Trading Commission.

In June 2015, the FTC proposed to amend its own GLBA rules, which apply specifically to motor vehicle dealers. Like the earlier CFPB amendment, the FTC proposal would have permitted certain motor vehicle dealers to notify customers that the annual privacy policy was available electronically, on the dealer’s website.

Unlike the CFPB and FTC actions, the most recent congressional amendment applies equally to all entities regulated by the GLBA, regardless of the regulator. Regulation S-P and Regulation P will likely be amended by the SEC and the CFPB, respectively, to correspond to the congressional amendment.

It reads like a movie script: First, the financial services industry experiences a bout of firm-specific attacks in the form of distributed denial of service (DDoS), domain name system (DNS) poisoning, or breach of personally identifiable information (PII). One day later, trade order processing at major exchanges and alternative trading systems (ATS) is disrupted. On the following day, the “big one” hits: The settlement process at a clearinghouse is disrupted, causing pervasive settlement failures. This was the scenario that market participants experienced during the Securities Industry and Financial Markets Association’s (SIFMA) Quantum Dawn 3 Cybersecurity Exercise. SIFMA’s after-action report highlights the results of the exercise. SIFMA identified several areas where industry participants can improve responses and coordination:

At the individual firm level

  • Enhance executive leadership involvement during times of crisis.
  • Create integrated cyber incident response teams consisting of representatives from internal information security, technology, business functions, and required third parties to support a robust response and recovery strategy.
  • Enhance internal playbooks to prepare for an expanded array of attacks, including development of additional scenario-based playbooks that account for these various types of attacks or threat vectors.

At the financial services sector level

  • Enhance the role of market utilities to aid the early detection of, and response to, a crisis.
  • Develop additional (or augment existing) sector playbooks to cover sector-wide events affecting market utilities.
  • Strengthen communication with regulators and government agencies, and raise awareness concerning government resources and capabilities available to assist the sector.
  • Promote information sharing to allow market participants to share cyberattack data, such as threat actors, common vulnerabilities and mitigation strategies.
  • Establish criteria and thresholds jointly among the private sector, government agencies and regulators that will be used to trigger contact and action among them.

One takeaway for financial services industry participants appears to be that systemic cyberattack scenarios should also be considered in developing prudent cybersecurity responses. Consider the sufficiency of your incident response plan (IRP) in light of the potential that vendors, other financial services firms and key market utilities may simultaneously be coping with related cyberattacks.