[1]The SEC and Cybersecurity Regulation:
American companies are getting [2]hacked, and the Securities and
Exchange Commission wants corporate executives to do something about
it. According to a White House Council of Economic Advisers
[3]report released earlier this year, malicious cyber activity cost
the U.S. economy between $57 billion and $109 billion in 2016. The
report acknowledged a [4]widely [5]recognized root of the problem:
"[C]yberattacks and cyber theft impose externalities that may lead
to rational underinvestment in cybersecurity by the private sector
relative to the socially optimal level of investment."
But [6]despite outrage and hearings in Congress after major
breaches, like the [7]Equifax hack disclosed last year, Congress has
not passed new legislation. There is no current [8]central federal
mandate that offers protections for personal data. Instead as a
legal [9]treatise puts it, the U.S. "has a patchwork system of
federal and state laws and regulations that can sometimes overlap,
dovetail and contradict one another." It's in that context that the
Securities and Exchange Commission (SEC) has, under its authority of
enforcing the federal securities laws, steadily increased its
regulation of cybersecurity-related matters. A top SEC official
[10]said last year that: "The greatest threat to our markets right
now is the cyber threat." And SEC Chairman Jay Clayton [11]told the
Senate Banking Committee that in regard to cyber attacks, companies
"should be disclosing more" and that there should be "better
disclosure about their risk portfolios and sooner disclosures about
intrusions." In another statement, Clayton [12]announced:
The Commission is focused on identifying and managing cybersecurity
risks and ensuring that market participants--including issuers,
intermediaries, investors and government authorities--are actively
and effectively engaged in this effort and are appropriately
informing investors and other market participants of these risks.
The SEC's jurisdiction covers a [13]considerable range of
cyber-related issues. This post tracks the commission's strategy for
incentivizing investment in cybersecurity defenses by mandating
disclosure and imposing liability on the victims of data breaches.
Recent SEC activity suggests that this is a direction the agency is
headed in, particularly with little sign of cybercrime [14]slowing
anytime soon.
The SEC's Cybersecurity Foray
In 2011, at the [15]urging of Sen. Jay Rockefeller, then the
chairman of the Senate Commerce Committee, the SEC's Division of
Corporation Finance issued [16]guidance on companies' disclosure
obligations relating to cybersecurity risks and cyber incidents. The
document established that:
The [Securities Act of 1933 and Securities Exchange Act of 1934], in
part, are designed to elicit disclosure of timely, comprehensive,
and accurate information about risks and events that a reasonable
investor would consider important to an investment decision.
Although no existing disclosure requirement explicitly refers to
cybersecurity risks and cyber incidents, a number of disclosure
requirements may impose an obligation on registrants to disclose
such risks and incidents. In addition, material information
regarding cybersecurity risks and cyber incidents is required to be
disclosed when necessary in order to make other required disclosures
…
The SEC then went on to identify [17]several specific areas that
require disclosure of cyber-related information, including
"risk factors," the description of the company's business, and
disclosure controls and procedures, among others. The SEC later
affirmed the importance of these guidelines in a 2014 roundtable
event convened shortly after the release of the [18]NIST
Cybersecurity Framework. At that event, SEC chairwoman Mary Jo White
[19]stated: "The SEC's formal jurisdiction over cybersecurity is
directly focused on the integrity of our market systems, customer
data protection, and disclosure of material information." Following
the roundtable, the SEC's cybersecurity oversight principally
consisted of issuing further [20]guidance documents, [21]risk
alerts, and, in some cases, directing companies to disclose
information on specific cyberattacks in [22]comment letters.
Liability for Victims of Breaches
In October 2015, the agency [23]brought its first action against
a corporation that suffered a data breach. Under [24]Regulation S-P,
which requires financial firms to adopt written policies and
procedures that are "reasonably designed" to protect customer
records and information, the SEC found that a St. Louis investment
firm had failed to establish cybersecurity policies and procedures
in advance of a data breach that compromised the information of
approximately 100,000 people. The firm ultimately settled with the
SEC for $75,000. In announcing the settlement, an SEC official
[25]noted: "[I]t is important to enforce the safeguards rule even in
cases like this when there is no apparent financial harm to
clients."
In 2016, the SEC again [26]brought an action under Regulation S-P.
After a former Morgan Stanley employee downloaded data related to
730,000 accounts to his own personal server, which was then likely
hacked by a third party, the bank agreed to a $1 million penalty.
(The employee, Galen Marsh, also pleaded guilty to [27]illegally
accessing confidential client information.) In particular, the SEC
order noted that Morgan Stanley's policy and procedures failed to
include "reasonably designed and operating authorization modules …
that restricted employee access to only the confidential customer
data as to which such employees had a legitimate business need;
auditing and/or testing … and monitoring and analysis of employee
access."
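The Morgan Stanley order above names two controls that were missing: an authorization layer that limits each employee to the customer records they have a legitimate business need for, and monitoring of employee access so that a bulk pull stands out. The following is an added illustration of both, not code from the SEC order or from Morgan Stanley. The adviser names, the "book of business" mapping, the account identifiers and the access-log entries are all constructed for the example; the window size and the distinct-account threshold are assumed values a firm would tune to its own baseline.

```python
"""Least-privilege authorization plus access monitoring for customer records.

Added example: models the two controls the SEC order said were missing.
Every employee name, account id, log line and threshold below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed "book of business": the accounts each adviser legitimately services.
BOOKS = {
    "adviser_a": {"ACC-1001", "ACC-1002", "ACC-1003"},
    "adviser_b": {"ACC-2001", "ACC-2002"},
}

# Constructed access log: (ISO timestamp, employee, account, action).
ACCESS_LOG = [
    ("2016-01-05T09:00:00", "adviser_a", "ACC-1001", "view"),
    ("2016-01-05T09:05:00", "adviser_a", "ACC-1002", "export"),
    ("2016-01-05T09:06:00", "adviser_b", "ACC-2001", "view"),
]
# Constructed bulk pull: adviser_b exports 40 accounts outside its book,
# one every 15 seconds, the pattern a reporting tool without an
# authorization check would allow and that monitoring should flag.
_start = datetime(2016, 1, 5, 10, 0, 0)
ACCESS_LOG += [
    ((_start + timedelta(seconds=15 * i)).isoformat(),
     "adviser_b", f"ACC-{9000 + i}", "export")
    for i in range(40)
]


def authorize(employee, account, books=BOOKS):
    """Allow access only to accounts in the employee's own book (business need)."""
    return account in books.get(employee, set())


def enforce(log, books=BOOKS):
    """Apply authorize() to every request; return (allowed, denied) lists."""
    allowed, denied = [], []
    for entry in log:
        _, employee, account, _ = entry
        (allowed if authorize(employee, account, books) else denied).append(entry)
    return allowed, denied


def detect_bulk_access(log, window=timedelta(minutes=15), max_distinct=25):
    """Flag employees touching more than max_distinct distinct accounts in any window.

    Runs over attempted accesses, not just permitted ones, so it still fires
    when the authorization layer is missing or bypassed. Returns
    {employee: peak_distinct_accounts} for employees over the threshold.
    """
    by_employee = defaultdict(list)
    for ts, employee, account, _ in log:
        by_employee[employee].append((datetime.fromisoformat(ts), account))

    findings = {}
    for employee, events in by_employee.items():
        events.sort()
        in_window = defaultdict(int)  # account -> occurrences inside the window
        left = 0
        peak = 0
        for right_ts, account in events:
            in_window[account] += 1
            # Slide the left edge forward until the window covers [right_ts - window, right_ts].
            while events[left][0] < right_ts - window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        if peak > max_distinct:
            findings[employee] = peak
    return findings


def review(log=ACCESS_LOG, books=BOOKS):
    """Combine both controls into one report for the compliance reviewer."""
    allowed, denied = enforce(log, books)
    return {
        "allowed": len(allowed),
        "denied": len(denied),
        "bulk_access": detect_bulk_access(log),
    }


if __name__ == "__main__":
    print(review())
```

The authorization check answers the order's "legitimate business need" point; the sliding-window detector answers "monitoring and analysis of employee access." Keeping the detector on attempted rather than permitted accesses matters: a 40-account export that is refused is still the signal that an account or a tool is being misused.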
The Creation of the Cyber Unit and the Commission's 2018 Guidance
In September 2017, SEC Chairman Jay Clayton issued what a
Washington Post [28]report described as "an unusual eight-page
statement on cybersecurity." In that [29]statement, Clayton revealed
that hackers had breached an SEC network that stored documents filed
by publicly traded companies, potentially giving the intruders
access to nonpublic information. Also in that same statement,
Clayton laid out a broader strategy for policing public companies'
cybersecurity strategies. He said:
[T]he Commission incorporates cybersecurity considerations in its
disclosure and supervisory programs, including in the context of the
Commission's review of public company disclosures, its oversight of
critical market technology infrastructure, and its oversight of
other regulated entities, including broker-dealers, investment
advisers and investment companies.
Then a few days later, the SEC [30]announced the creation of a Cyber
Unit within its Enforcement Division; the new unit would be tasked
with "targeting cyber-related misconduct." Outlining the Cyber
Unit's priorities in a [31]speech, an SEC official explicitly pointed
to "requir[ing] registered entities to have reasonable safeguards in
place to address cybersecurity threats" and "cases where there may
be a cyber-related disclosure failure by a public company," among
others.
Next, in February 2018, the commission voted unanimously to
approve a "[32]statement and interpretive guidance to assist public
companies in preparing disclosures about cybersecurity risks and
incidents." The SEC described the new document as "reinforcing and
expanding upon the staff's 2011 guidance." One area where the
commission affirmatively noted that it had gone further than the
staff guidance was in articulating "the importance of cybersecurity
policies and procedures."
The first part of the document tracks the specific disclosure
obligations first announced in the 2011 guidance. In a company's
periodic reporting, the document said, disclosure of cyber risks and
incidents is generally necessary for a company's: business and
operations, risk factors, legal proceedings, management discussion
and analysis of financial condition and results of operations,
financial statements, disclosure controls and procedures, and
corporate governance. Exemplifying its effort to compel companies to
more rigorously consider cyber risks, the commission [33]added a
disclosure requirement for "the nature of the board's role in
overseeing the management of [cybersecurity] risk."
After that, in a section titled, "Policies and Procedures," the SEC
recommended that: "Companies should assess whether they have
sufficient disclosure controls and procedures in place to ensure
that relevant information about cybersecurity risks and incidents is
processed and reported to the appropriate personnel, including up
the corporate ladder." The SEC then went on to cite specific
regulations requiring companies to have certain policies in place to
identify and evaluate risk. Commenting on the implications of the
document, a Mayer Brown [34]post noted, "[t]he guidance encompasses
more than disclosure."
Notably, the commission's two Democratic members were
critical of the guidance for not going far enough. Commissioner Kara
Stein [35]questioned the efficacy of "re-issuing staff guidance
solely to lend it a Commission imprimatur." She called for measures
beyond disclosure, including seeking notice and comment for a slate
of new rules that would require companies to take proactive security
measures. (Stein, whose term [36]ends on Dec. 31, also advocated for
more robust cybersecurity regulation by the SEC in a recent
[37]speech at Georgia State University College of Law). Commissioner
Robert Jackson Jr.'s [38]statement cited analysis from the recent
White House Council of Economic Advisers report that suggested that
2011 guidance had not resulted in meaningful disclosure. (A New York
Times [39]article in March of this year reported that in 2017, only
24 companies reported breaches to the SEC, while researchers found
that there were more than 4,000 cyber-attacks during that period.)
Recent Actions Imposing Liability on Victims
Since the creation of the Cyber Unit, the SEC has brought two
enforcement actions against victims of breaches. The agency also
recently issued a substantial report suggesting future enforcement
against victims of breaches that are not in compliance with certain
safeguards.
In April 2018, the SEC [40]announced its [41]first-ever enforcement
action against a company for failing to disclose a breach. In 2014,
Russian hackers stole the personal information associated with more
than 500 million accounts from the company formerly known as Yahoo. But Yahoo
did not disclose the breach until two years later, when it was in
the process of closing the sale of its operating business to
Verizon. Meanwhile, Yahoo made no mention of the breach in its SEC
filings. The commission found that Yahoo's statements violated both
statutes and regulations requiring the accurate disclosure of
"material" information. Yahoo ultimately agreed to a $35 million
fine.
In September, the SEC brought another first-of-its-kind
[42]enforcement action. This time, the agency found a financial firm
in violation of a rule it had never before enforced, the Identity
Theft Red Flags Rule (Regulation S-ID), which requires investment
firms to maintain an up-to-date program for detecting and
preventing identity theft. The order outlined a phishing scheme in
which attackers impersonated the firm's contractors over a six-day
period in 2016 and convinced employees on the firm's support line to
reset certain passwords. The hackers then used the new passwords to
gain access to the personal information of 5,600 customers. Even
though the firm did have some protections in place, the SEC found
them inadequate, in part because in two instances the attackers
called from phone numbers the firm had previously associated
with fraudulent activity. The SEC ultimately found the firm's
conduct [43]so egregious that it deemed the violation "willful." The
firm agreed to pay a $1 million settlement.
And, most recently, on Oct. 16, the SEC made [44]headlines with an
[45]investigative report "cautioning that public companies should
consider cyber threats when implementing internal accounting
controls." The report analyzed nine public companies that fell
victim to cyber fraud, wiring a total of $100 million to hackers
impersonating either executives (often the CEO) or third-party
vendors. One firm made 14 payments amounting to over $45 million in
losses before the scheme was uncovered by an alert from a foreign
bank. While the commission declined to bring actions against the
investigated firms, the report suggested that internal accounting
controls required by federal securities laws "may need to be
reassessed in light of emerging risks, including risks arising from
cyber-related frauds." As a [46]memo from Davis Polk observed, "[t]he
report thus effectively serves as notice that in the future, a
company experiencing a cyber event could later find itself in the
SEC's crosshairs."
***
Jack Goldsmith and Stuart Russell note in a recent [47]Hoover essay
that there has long been skepticism of the regulation of digital
networks in the United States. Indeed, many attribute this lack of
regulation to the U.S. technology sector's extraordinary record of
innovation. But as a greater volume of sensitive information is
stored online and, in turn, stolen, the pendulum may be shifting in
the other direction. Especially in the absence of new legislation
from Congress, the SEC seems determined to put cybersecurity on the
agenda of the nation's corporate boardrooms.
(Via [48]Lawfare - Hard National Security Choices)
Also on:
[49]Twitter
__________________________________________________________________
My original entry is here: [50]The SEC and Cybersecurity Regulation. It
posted Mon, 26 Nov 2018 20:44:53 +0000.
Filed under: business
References
1.
https://www.lawfareblog.com/sec-and-cybersecurity-regulation
2.
https://www.wired.com/story/2018-worst-hacks-so-far/
3.
https://www.whitehouse.gov/articles/cea-report-cost-malicious-cyber-activity-u-s-economy/
4.
https://www.schneier.com/essays/archives/2003/11/liability_changes_ev.html
5.
https://www.economist.com/leaders/2016/12/20/incentives-need-to-change-for-firms-to-take-cyber-security-more-seriously
6.
https://www.politico.com/story/2018/01/01/equifax-data-breach-congress-action-319631
7.
https://www.nytimes.com/2017/09/07/business/equifax-cyberattack.html
8.
https://legal.thomsonreuters.com/en/insights/articles/data-breach-liability
9.
https://content.next.westlaw.com/Document/I02064fbd1cb611e38578f7ccc38dcbee/View/FullText.html?contextData=(sc.Default)&transitionType=Default&firstPage=true&bhcp=1
10.
https://www.reuters.com/article/us-usa-sec-enforcement-exclusive/exclusive-new-sec-enforcement-chiefs-see-cyber-crime-as-biggest-market-threat-idUSKBN18Z2TX
11.
https://www.whiteandwilliams.com/resources-alerts-Policing-Financial-Cyber-Crime-SEC-Announces-New-Cyber-Unit.html
12.
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20
13.
https://www.sec.gov/spotlight/cybersecurity-enforcement-actions
14.
https://www.mcafee.com/enterprise/en-us/assets/executive-summaries/es-economic-impact-cybercrime.pdf
15.
https://www.commerce.senate.gov/public/_cache/files/4ceb6c11-b613-4e21-92c7-a8e1dd5a707e/41A8309A6FC78E9630AEEA660D81D379.5.11.11-letter-to-sec.pdf
16.
https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm
17.
https://www.wilmerhale.com/en/insights/publications/sec-issues-new-guidance-on-disclosing-cybersecurity-risks-and-incidents-october-27-2011
18.
https://www.lawfareblog.com/nist-cybersecurity-framework-issued
19.
https://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt
20.
https://www.sec.gov/investment/im-guidance-2015-02.pdf
21.
https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf
22.
https://corpgov.law.harvard.edu/2017/10/05/the-equifax-hack-sec-data-breach-and-issuer-disclosure-obligations/#12
23.
https://www.sec.gov/news/pressrelease/2015-202.html
24.
https://www.sec.gov/spotlight/regulation-s-p.htm
25.
https://www.sec.gov/news/pressrelease/2015-202.html
26.
https://www.sec.gov/news/pressrelease/2016-112.html
27.
https://www.justice.gov/usao-sdny/pr/former-morgan-stanley-financial-adviser-sentenced-manhattan-federal-court-illegally-0
28.
https://www.washingtonpost.com/news/business/wp/2017/09/20/sec-reveals-it-was-hacked-information-may-have-been-used-for-illegal-stock-trades/?utm_term=.d8d7ab742489
29.
https://www.sec.gov/news/public-statement/statement-clayton-2017-09-20
30.
https://www.sec.gov/news/press-release/2017-176
31.
https://www.sec.gov/news/speech/speech-avakian-2017-10-26
32.
https://www.sec.gov/rules/interp/2018/33-10459.pdf
33.
http://clsbluesky.law.columbia.edu/2018/06/05/latham-watkins-discusses-new-sec-guidance-on-cybersecurity/
34.
https://www.mayerbrown.com/sec-issues-updated-guidance-on-cybersecurity-disclosures-02-28-2018/
35.
https://www.sec.gov/news/public-statement/statement-stein-2018-02-21
36.
https://www.marketsmedia.com/wall-street-readies-for-democratic-house/
37.
https://www.sec.gov/news/speech/speech-stein-092718
38.
https://www.sec.gov/news/public-statement/statement-jackson-2018-02-21
39.
https://www.nytimes.com/2018/03/05/business/dealbook/sec-cybersecurity-guidance.html
40.
https://www.sec.gov/litigation/admin/2018/33-10485.pdf
41.
https://www.ropesgray.com/en/newsroom/alerts/2018/05/35-Million-Yahoo-Fine-Reflects-SECs-Heightened-Cybersecurity-Focus
42.
https://www.sec.gov/litigation/admin/2018/34-84288.pdf
43.
https://www.nytimes.com/2018/10/08/business/dealbook/voya-sec-cyber.html
44.
https://www.wsj.com/articles/sec-calls-for-better-accounting-controls-as-cyber-scams-increase-1539726047
45.
https://www.sec.gov/news/press-release/2018-236
46.
https://www.davispolk.com/publications/adding-insult-injury-sec-warns-cyber-incidents-may-lead-enforcement-action
47.
https://www.lawfareblog.com/strengths-become-vulnerabilities-how-digital-world-disadvantages-united-states-its-international-0
48.
https://www.lawfareblog.com/recent
49.
https://twitter.com/prjorgensen/status/1067158123973091330
50.
https://www.prjorgensen.com/?p=2358