Securities Law Daily provides daily coverage of developments in the regulation of federal, state, and international securities and futures trading, with objective coverage of the...
June 6 — The Securities and Exchange Commission doesn't automatically equate a cyber hacking episode with a regulatory violation, but nonetheless expects companies to act reasonably to avoid such attacks, David Glockner, head of the SEC Chicago Regional Office, said.
“The SEC has been quite clear that reasonableness and perfect are two different things. We expect firms to be diligent, we expect them to be thinking about this area, we expect that companies' procedures both from a policy perspective and a technology perspective are proportional to their risk,” he said June 6 at a Practising Law Institute conference in New York.
The SEC's work intersects with cybersecurity concerns in three chief ways: registrants' public disclosures involving cybersecurity risks; including cybersecurity standards into regulations and attempting to ensure market integrity by combating manipulation schemes, he said.
The SEC has used its rule-making authority to promote compliance with cybersecurity standards when it implemented Regulation S-ID, regarding the disclosure of nonpublic personal information, and Regulation SCI, a rule designed to strengthen the technology infrastructure of the U.S. securities markets, Glockner said.
The agency has also has heard, “loud and clear,” the securities industry's concerns about overlapping and possibly conflicting regulatory actions involving cybersecurity, including duplicative examinations, Glockner said. “We are talking about ways that our regulatory structures can be coordinated in making sure that we share information about overlapping registrants, when appropriate,” he said.
The SEC hasn't yet brought an enforcement action alleging a corporate cyber disclosure violation. However, it has brought cases involving cyber market manipulation and a failure to establish policies and procedures in advance of a security breach that compromised client information.
In August the SEC announced fraud charges against 32 defendants who allegedly hacked into newswire services to steal hundreds of corporate earnings announcements before the newswires released them publicly and traded on that information (157 SLD, 8/14/15).
In September the SEC alleged that R.T. Jones Capital Equities Management Inc. failed to adopt written policies to protect customer records when hiring a third-party vendor, conduct period risk assessments, implement a firewall to protect data and encrypt customer information (184 SLD, 9/23/15).
The agency is trying to be “measured” in its enforcement cases involving cybersecurity, in part because of the constant changes involving cyber risks and the associated threat landscape, Glockner said. While the SEC has elected not to bring enforcement actions in some cyber cases, Enforcement Director Andrew Ceresney has made it clear that the agency intends to bring enforcement cases regarding cyber in the future, Glockner said.
One trend the SEC has observed is an increase in the number of attacks that “combine technical vulnerabilities and people vulnerabilities,” including business e-mail compromise cases in which employees will receive seemingly genuine e-mails requesting data or money transfers that are in fact perpetrated by fraudsters.
“It is a significant area and one that we are seeing firms struggling with, and it's one where technology alone is not the solution,” Glockner said.
Guidance on cybersecurity disclosure requirements initially issued in 2011 by the agency's Division of Trading and Markets attempts to balance establish broad disclosure principles without being overly prescriptive or unreasonably confining, Glockner said (200 SLD, 10/17/11).
“To the extent you are frustrated with the guidance, one thing I would say is that the materiality issues in this space really are the same ultimately as the kinds of materiality issues that companies wrestle with in other areas on a day-to-day basis,” he said.
To contact the reporter on this story: Stephen Joyce in New York at email@example.com
To contact the editor responsible for this story: Phyllis Diamond at firstname.lastname@example.org
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)