In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.
With respect to responding to a cyber intrusion, the SEC’s stated expectations are high-level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or the Department of Homeland Security.
Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies and procedures and the implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data, and on its related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities that self-disclose cyber intrusions will be rewarded with cooperation credit.
Ms. Avakian highlighted a recent case that exemplifies the SEC’s approach to cyber intrusions in the registrant context. In September 2015, the SEC charged R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) with violating Rule 30(a) of Regulation S-P under the Securities Act of 1933. Rule 30(a) requires “[e]very broker, dealer, and investment company, and every investment adviser registered with the [SEC]” to “adopt written policies and procedures” regarding the safeguarding of customer information. 17 CFR 248.30(a). Specifically, the written policies and procedures must be “reasonably designed” to, among other things, protect against threats to the security of customer information and protect against unauthorized access to customer information. In the R.T. Jones case, a registered investment adviser had agreements with a retirement plan administrator and retirement plan sponsors to provide investment advice to individual plan participants through a managed account program. In order to confirm individuals’ eligibility for the managed account program, R.T. Jones required prospective clients to use their name, date of birth and Social Security Number to log on to its website. Although R.T. Jones did not control or maintain client account information, it did store unencrypted and unmodified client login information (name, date of birth and Social Security Number) on its third party-hosted web server. The web server fell victim to a cyberattack launched from China that obtained access to all client login information. In assessing a civil money penalty, the SEC noted that R.T. Jones “failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ [information]” as required by Rule 30(a) of Regulation S-P. The SEC specifically identified R.T. Jones’ failures to conduct periodic risk assessments, employ a firewall to protect the web server, encrypt client information and establish procedures for responding to cybersecurity incidents.
While Ms. Avakian stated that entities that fall prey to cyber intrusions are viewed as “victims,” and articulated cybersecurity priorities that are consistent and compatible with the interests of both registrants and public companies, the SEC may nonetheless bring enforcement actions where (1) registrants are subject to cyber intrusions and have failed to follow applicable regulations regarding the implementation and maintenance of policies and procedures reasonably designed to protect clients’ information, or (2) public companies have “significant” disclosure issues.