Companies continue trying to address evolving cybersecurity threats, but recent settlements like that between the Securities and Exchange Commission and investment advisory firms make clear that these efforts will be closely scrutinized and errors aggressively penalized.
On Aug. 30, the SEC announced settled enforcement actions with eight investment advisory firms and broker-dealers related to alleged failures in their cybersecurity procedures in violation of Rule 30(a) of Regulation S-P, the “Safeguards Rule” to protect confidential customer information.
While the firms neither admitted nor denied the allegations, hundreds of thousands of dollars in penalties will be paid, evidencing that entities’ cybersecurity practices, procedures, and disclosures are now and will continue to be an SEC enforcement priority.
Interestingly, all of the investment advisory firms and broker-dealers involved in the actions appeared to have cybersecurity policies in place that would likely have survived regulatory scrutiny. All of these entities suffered data breaches involving exposure of clients’ personally identifiable information (PII), which are, of course, becoming increasingly frequent at public and private companies.
The issue here was related to the enforcement of those policies—whether policies and procedures were actually followed leading up to, and after, cybersecurity incidents. Kristina Littman, chief of the SEC Enforcement Division’s Cyber Unit, said, “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
For example, the SEC’s order against Cetera Entities questions whether clients’ PII actually was protected in a manner that was consistent with their written policies. Similarly, the SEC’s order against KMS financial advisers focused on the delay in the implementation of their firm-wide cybersecurity measures.
A Close Look at Cyber-Related Disclosures
Other recent SEC enforcement actions demonstrate that the SEC will look closely at cybersecurity-related disclosures, including statements on principal risks and uncertainties and media statements. Such statements often claim that an entity has “strong cybersecurity procedures” or “data may have been compromised.” There is a question as to whether such statements are misleading if the entity is already aware of an actual data breach.
The SEC has previously taken issue with public statements that generally reference “unauthorized access” or “exposure of data” when the entity is aware that a third-party breach resulted in the download of significant client data from a compromised server. Similarly, other recent SEC enforcement actions reflect scrutiny of public statements and even internal disclosures related to cybersecurity vulnerabilities.
These actions also reflect the SEC’s view that data breaches and data breach risks are likely “material” for purposes of disclosure. In February 2018, the SEC issued guidance to that effect, defining “materiality” based on consideration of various factors, including the probability of a cybersecurity breach, the magnitude of a past breach, and the importance of compromised data.
Hence, a public company may have to disclose cybersecurity issues in its public filings pursuant to its requirement to disclose significant risks to its business. If, in doing so, it omits known, actual threats or data vulnerabilities, the entity may be in violation of various securities laws.
In June, the SEC announced that it intends to “propose rule amendments to enhance issuer disclosures regarding cybersecurity risk governance” by this October. Regardless of whether these amendments are implemented, the SEC’s actions show that it does not need a rule change for aggressive cybersecurity enforcement. Existing laws already address misleading statements or omissions of material facts in public statements and disclosures, and the requirement to protect confidential customer information, among others.
Further, the Aug. 30 SEC enforcement settlements against private broker-dealers and investment advisers demonstrate that cyber governance requirements are not limited to public companies; the SEC will look at all regulated entities.
The recent SEC actions come on the heels of other regulators’ increased cybersecurity focus.
The New York Department of Financial Services announced settled enforcement actions this year involving millions of dollars in penalties for cybersecurity breaches and related noncompliance by entities who failed to have proper cybersecurity controls or failed to report the true extent of the damage from cyber breaches. FINRA has similarly investigated and recently fined entities for cybersecurity errors.
These recent enforcement actions are a warning to the market: Cybersecurity issues need to be treated as seriously as all other disclosure obligations for public and regulated private companies.
To survive scrutiny, cyber policies and procedures need to be not only vigorous, beyond the basics of penetration testing and endless questionnaires, but also accompanied by robust controls and preventive care measures, such as security ratings and internal reviews that consider the ever-changing regulatory sphere.
Entities should also continue to assess their internal cybersecurity vulnerabilities and provide regular training in this area. Disclosures and public statements need to specifically address cybersecurity issues after any significant breach. Should a cybersecurity breach occur, entities should be prepared to defend their policies and internal controls and properly disclose issues where necessary.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Kenneth M. Breen is a partner in the Litigation Department of Paul Hastings and serves as head of the New York White Collar Defense practice. He is a former federal prosecutor in the U.S. Attorney’s Office for the Eastern District of New York and the Justice Department’s Tax Division.
Phara A. Guberman is a partner in the Litigation Department of Paul Hastings, defending clients in high-stakes and sensitive regulatory enforcement and white collar criminal investigations and trials.
Sachin Bansal is the general counsel and global head of government affairs for SecurityScorecard, an international cybersecurity ratings company.