The Securities and Exchange Commission rolled out a broad, more assertive cybersecurity agenda in 2018. It investigated security practices at several companies that suffered cyberattacks, it pursued high-profile enforcement actions against companies that did not disclose or respond to data breaches adequately, and it issued detailed guidance about public company cybersecurity disclosure and internal control obligations. The SEC carried out this expanded cybersecurity initiative by using its existing regulatory toolbox in novel ways, rather than developing a new overarching regulatory scheme. The SEC’s action this past year demonstrated that it considers cybersecurity management vital to the healthy operation of U.S. public companies and that it will not hesitate to use its authority to enforce cybersecurity obligations.
The SEC’s Past Cybersecurity Activities
Historically, the SEC’s cybersecurity enforcement activities followed a predictable pattern: the agency targeted registered financial institutions that did not adequately safeguard customer information as required by Rule 30(a) of Regulation S-P, otherwise known as the “Safeguards Rule”. The largest of these actions, against Morgan Stanley Smith Barney (MSSB) in 2016, is a typical of the Commission’s pre-2018 focus. An employee of the firm improperly accessed a company web portal of customer information, downloaded and transferred data from 730,000 accounts to his personal server. The employee’s server was hacked and the confidential data was posted to the internet and offered for sale. In a settled administrative proceeding, the SEC found that MSSB violated the Safeguards Act by not updating its cybersecurity policies, not developing authorization programs to ensure restricted advisor access to customer account information, not monitoring advisor portal activity and not auditing or testing authorization programs to ensure effectiveness. The SEC faulted MSSB for a litany of alleged failures that violated the Safeguards Rule and fined the firm one million dollars.
Other SEC divisions gave limited cybersecurity guidance on an ad hoc basis. In 2011, the Division of Corporation Finance, which regulates the disclosures of publicly-traded companies, issued non-binding guidance regarding the duty of companies to disclose cyber-related incidents that represent a material risk or event. In April 2015, the Division of Investment Management, which regulates the mutual fund and investment advisory industry, issuing guidance regarding the obligation of funds and advisors to take steps to address the growing cybersecurity risk.
Despite the SEC’s initial restraint, there were early indications that the agency was gearing up to pursue a broader and more proactive approach. During a 2014 roundtable, Commissioner Luis Aguilar said that the SEC was “particularly concerned about the risks that cyber-attacks pose to public companies, and to the capital markets and its critical participants [and while] there is no doubt that the SEC must play role in this area.” In a 2016 press release, Chair Mary Jo White stated “Cyber-attacks are a constant threat to our market. With the cyber field steadily evolving and expanding, it is imperative we continue to enhance our coordinated approach to cybersecurity policy across the SEC and engage at the highest levels with market participants and governmental bodies.” In 2017, a year of seemingly unending high-profile cyberattacks against U.S. companies, the Division of Enforcement announced the creation of a new specialized “Cyber Unit,” erasing any lingering ambiguity about the SEC’s cybersecurity ambitions.
The SEC’s Aggressive Cybersecurity Agenda in 2018
The SEC made good on its promise to pursue a more aggressive and coordinated cybersecurity role in 2018. The year began with the SEC publishing a statement and interpretive guidance outlining the obligation of public companies to timely disclose material cybersecurity risks and incidents to investors, elevating what had previously been only staff guidance to form interpretive guidance of the Commission. It addressed the need for companies to revamp their incident response plans to ensure that information regarding cybersecurity risks and incidents is recorded and reported in a timely manner. Finally, the guidance stated that insider trading prohibitions applied to cybersecurity incidents and that companies should have policies and procedures to prevent company insiders with material non-public information (MNPI) from trading on knowledge of cybersecurity incidents or risks. Senior SEC officials made clear that the interpretive release was a warning to public companies that the SEC considers cybersecurity as fair game for increased oversight.
The SEC wasted no time in pursuing its cybersecurity agenda. In March 2018, Enforcement’s Cyber Unit brought an action against a former Equifax executive for insider trading when he made trades after learning MNPI concerning the massive 2017 data breach suffered by the company. In June 2018, a second Equifax manager was also charged with insider trading in relation to the breach.
One month later, on April 24, 2018, the Cyber Unit levied one of the SEC’s largest cybersecurity-related fines against Altaba, formerly known as Yahoo! In the wake of the now infamous data breach of Yahoo!’s user database, Altaba settled with the SEC for $35 million to resolve allegations that Yahoo! violated federal securities laws by failing to disclose the 2014 breach. The Commission further faulted Yahoo! for not sharing information about the breach and for failing to investigate the circumstances of the breach. Finally, the SEC criticized Yahoo! for lacking any disclosure policies or procedures that would facilitate the elevation of breaches detected by the information security team to appropriate parties who could determine whether disclosure was warranted.
The SEC’s cybersecurity efforts are not limited to its oversight of publicly traded companies. The investment industry was scrutinized by the SEC for cyber-related incidents. On September 2018, the SEC announced that it was fining Voya Financial Advisors, Inc. one million dollars in the aftermath of a data breach involving the personal identifying information of Voya’s customers. Unauthorized users impersonated Voya’s contractors, calling Voya’s technical support to reset passwords that allowed access to customer accounts, ultimately stealing customer information. The SEC found that Voya had violated the Safeguards Rule. The Voya action was the first time that the SEC relied on the “Identify Theft Red Flags Rule," representing the SEC’s new focus on ensuring that institutions quickly detect and mitigate breaches.
To cap off 2018, the SEC issued a Section 21(a) Report on October, outlining the results of an investigation into nine publicly listed companies that were victims of cyber-related frauds, revealing that they lost a combined $100 million dollars after employees were tricked into wiring money to cybercriminals posing as executives or vendors. The SEC reminded companies of their obligations under the Securities Exchange Act of 1934 to maintain internal accounting controls, ensuring transactions are executed only when authorized by management and that failure to do so would result in punitive action. The report lists various ways that companies can enhance their accounting controls so that they are in compliance with internal control requirements and prevent future infiltrations.
Existing Rules Used to Pursue SEC’s Cybersecurity Agenda
The SEC makes clear that various federal securities laws obligate companies to review and adopt enhanced protocols and procedures as cybersecurity risks increase, and that failure to do so will result in punitive action. It’s possible that new cybersecurity rules are on the horizon, however, the SEC has not waited to create new rules in order to pursue its cybersecurity priorities. The SEC’s current arsenal aggressively polices company’s response to cyber threats and attacks:
- The Safeguards Rule - Regulation S-P requires financial institutions to limit the circumstances under which a financial institution may disclose a customer’s nonpublic personal information to unaffiliated non-parties. Rule 30(a) requires regulated entities to adopt written policies and procedures designed to protect against anticipated threats to the security of customer information and protect against unauthorized access to or use of customer information.
- The Identity Theft Red Flags Rule - Regulation S-ID requires certain financial institutions and creditors to implement a written program to detect, prevent and mitigate identity theft in connection with the opening or maintenance of a “covered” account. Under the regulation, companies must evaluate these policies and procedures periodically to account for the evolving risks of identity and ensure that the program is appropriate for the “size and complexity” of the institution and “nature and scope of its activities.”
- Disclosure and Insider Trading Rules - Public companies must disclose material cybersecurity risks and incidents. In its February 2018 guidance and subsequent enforcement action against the former Yahoo!, the SEC staked its position that the costs and negative consequences of cyber-attacks, like financial performance, increased liability and reputational damage, having significant impacts on companies and investors as the economy.
The SEC has also made clear that Rules prohibiting insider trading apply in the cybersecurity context. Corporations should institute appropriate restrictions that prevent corporate insiders with knowledge about the company’s cybersecurity risks and incidents from making trades after the discovery of a breach and before public disclosure.
Finally, public companies are responsible for ensuring that their existing system of internal accounting controls is reasonably designed to prevent and detect cyber-related frauds. The SEC’s Section 21(a) report estimated that “business email compromises” similar to those investigated by the agency have caused almost $6 billion in losses in five years. As part of the duty to safeguard assets, businesses must recalibrate internal accounting controls to account for current and evolving cybersecurity risks.
The SEC’s activities this year show that, in an age where cyber-related threats continue to increase in frequency and sophistication, the SEC will use its authority to protect U.S. businesses and investors. The SEC has expanded its reach by using existing, generally applicable securities to target cybersecurity. Companies should expect the SEC to utilize these tools with greater frequency and consistency into 2019 and beyond.