The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation


By Topic: SEC Enforcement

  • From Vol. 4 No.40 (Nov. 28, 2018)

    SEC Officials and the Defense Bar Talk Cybersecurity Enforcement Trends and Takeaways From Recent Cases

    Cybersecurity-related enforcement has been one highlight of SEC activity in a year in which many are perceiving a general slowdown. At the recent Securities Enforcement Forum in Washington, D.C., hosted by Securities Docket, current and former SEC enforcement officials and members of the defense bar came together to share their insights on the direction of SEC enforcement. They discussed, among other things, what the new cyber unit is looking for, lessons from recent cases such as Yahoo and Voya, best practices for reporting breaches and takeaways from the recent Rule 21A Report about business email compromise. See “How Financial Services Firms Should Structure Their Cybersecurity Programs” (May 9, 2018).

  • From Vol. 4 No.36 (Oct. 31, 2018)

    SEC Signals That Insufficient Internal Accounting Controls May Lead to Investigation and Enforcement

    Nine unnamed public companies found themselves the target of an SEC investigation after they fell victim to “business email compromises,” a type of cyber fraud that cost them nearly $100 million combined. While the SEC did not initiate enforcement actions against any of these companies, the resulting Report signals the Commission’s intent to pursue companies for internal accounting controls violations, adding another tool (in addition to the Safeguards Rule, the Red Flags Rule, disclosure rules and others) to its enforcement arsenal. In this article, we review the Report’s findings with insight from Davis Polk partner Avi Gesser on SEC enforcement and how to avoid BEC scams. See also “SEC Confirms Cyber Disclosure Expectations in New Guidance” (Feb. 28, 2018).

  • From Vol. 4 No.35 (Oct. 24, 2018)

    Unregistered Crypto Asset Fund Hit With Multiple Securities Laws Violations by SEC

    Investors in initial coin offerings and other digital assets may run afoul of federal securities laws when those assets are deemed to be securities. In a recent enforcement proceeding, the SEC claimed that respondents Crypto Asset Management, LP and Timothy Enneking, who ran a domestic fund that invested in digital assets, engaged in an unregistered, non-exempt securities offering, failed to register the fund they were offering as an investment company and falsely claimed that the fund was registered with the SEC. Although the alleged misconduct was egregious, the action is a timely reminder that advisers must exercise caution when entering the digital asset space. This article details the alleged misconduct and the terms of the settlement order. See “SEC Takes Aggressive Action Against Allegedly Fraudulent ICO” (Dec. 20, 2017).

  • From Vol. 4 No.33 (Oct. 10, 2018)

    Lessons From the SEC’s First Red Flags Rule Settlement

    Broker-dealer Voya’s $1-million settlement with the SEC for alleged violations of the Safeguards Rule and the Identity Theft Red Flags Rule shows that the SEC is willing to act when it believes firms could have done more to prevent attacks. “The SEC expects companies to not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended,” Jason Elmer, managing partner at Drawbridge Partners, told The Cybersecurity Law Report. We analyze the case, which involved a network intrusion by people impersonating third-party contractors, and its lessons, including the mistakes Voya made, how companies can avoid them and what the case says about SEC cybersecurity enforcement. See “How Financial Services Firms Should Structure Their Cybersecurity Programs” (May 9, 2018).

  • From Vol. 4 No.11 (May 9, 2018)

    How Financial Services Firms Should Structure Their Cybersecurity Programs

    Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discusses the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and the outsourcing of cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.10 (May 2, 2018)

    SEC $35-Million Yahoo Settlement Carries Breach Disclosure Lessons

    On the heels of publishing disclosure guidance, the SEC has issued an order in its first-ever action against a public company for failing to disclose a material data breach. Altaba Inc. (formerly Yahoo) has agreed to a $35-million fine to settle SEC accusations that it failed to promptly notify investors about a massive 2014 data breach in which hackers stole personal data relating to hundreds of millions of user accounts. “Yahoo’s nearly two-year delay in making the breach known to investors, the vast number of users affected, and the company’s issuance of numerous public filings that failed to mention the breach made [it] a prime candidate for the SEC to make an example of,” Cadwalader partner Joseph Moreno told The Cybersecurity Law Report. See also “SEC Confirms Cyber Disclosure Expectations in New Guidance” (Feb. 28, 2018).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    SEC Takes Aggressive Action Against Allegedly Fraudulent ICO

    As the prices of Bitcoin and other cryptocurrencies march relentlessly upward, regulators have been taking notice. The SEC recently filed a civil enforcement complaint against Quebec resident Dominic Lacroix, his company PlexCorps and his partner Sabrina Paradis-Royer in connection with an initial coin offering (ICO) of “PlexCoins.” Matthew Rossi, a Mayer Brown partner and former Assistant Chief Litigation Counsel in the SEC Division of Enforcement, told The Cybersecurity Law Report that the case illustrates the priorities of the recently formed SEC Cyber Unit. See also our three-part series on blockchain and the financial services industry: Basics of the Blockchain Technology (Jun. 4, 2017), Using Blockchain to Improve Operations and Compliance (Jun. 28, 2017) and Potential Impediments to Its Eventual Adoption (Jul. 12, 2017).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    Survey Finds Cybersecurity Preparedness of Alternative Asset Managers to be Inadequate Relative to Traditional Asset Managers and Broker-Dealers

    Alternative asset managers may have some catching up to do with their compliance and cybersecurity programs. In its 2017 C-Suite Survey, Cipperman Compliance Services asked financial services executives about the role of their firms’ chief compliance officers; attitudes toward compliance; and the sophistication of their firms’ compliance programs and cybersecurity preparedness. Based upon the responses of executives from alternative asset managers, the survey suggests that their compliance programs are less likely to withstand SEC scrutiny and their firms are less prepared on cybersecurity matters, relative to traditional asset manager and broker-dealer participants. This article analyzes CCS’ findings with insights from CCS president Rob Prucnal. See also “Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps” (Jun. 28, 2017); and “SEC Report Cites Cybersecurity Progress Along With Gaps in Training and Compliance” (Aug. 23, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    SEC Hack Will Not Prevent It From Sharpening Cybersecurity Enforcement

    The SEC recently disclosed in both a press release and Senate testimony that a 2016 hack of its test filing system may have provided a basis for illicit trading. However, top SEC officials assure that falling victim itself will not hold the SEC back from its efforts at enforcing proper cybersecurity practices and disclosures for regulated entities. Going forward, the SEC’s internal and external oversight efforts will go hand in hand, including efforts through the newly formed Cyber Unit, experts told The Cybersecurity Law Report. “If anything, I think this intrusion at the SEC has only highlighted for the SEC how often this is going to occur . . . and that companies really need to be ready and prepared for this and take active steps to make sure their own data isn’t compromised,” said David L. Axelrod, Ballard Spahr partner and former supervisory trial counsel at the SEC’s Philadelphia regional office. See “SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part One of Two)” (May 3, 2017); Part Two (May 17, 2017).

  • From Vol. 3 No.15 (Jul. 26, 2017)

    How the CCO Can Use SEC Guidance to Tackle Cyber Threats

    Increasing cyber threats and a shifting regulatory landscape have expanded the role of CCOs, who need to ensure that proper cyber defenses are in place and that regulatory compliance is up to date. The CCO must manage a capable team and monitor developments while continuously updating the company’s compliance program and efforts. In this guest article, Guy Talarico, founder and CEO of Alaric Compliance Services, explores changing threat sources, regulatory priorities and best practices, with an emphasis on SEC guidance, as well as the information sources a CCO must track to fulfill this critical and dynamic role. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 3 No.10 (May 17, 2017)

    SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part Two of Two)

    Companies often seek more detailed cybersecurity guidance from the SEC than the agency has provided so far. The SEC has responded that there is not a single solution for the vast array of companies it regulates, making prescriptive guidance difficult. At the recent IAPP Global Privacy Summit, Stephanie Avakian, Acting Director of the SEC Division of Enforcement, and Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, along with Jay Johnson, a partner at Jones Day, discussed the SEC’s cybersecurity priorities and perspectives, and provided some of the insight companies are looking for. This second part of our coverage discusses the SEC’s cybersecurity examination process and guidance on corporate disclosures, including how it determines what is reasonable. Part one highlighted the agency’s cybersecurity-related enforcement actions and coordination with law enforcement and state regulators. See “Investigative Realities: Working Effectively With Forensic Firms (Part One of Two)” (May 3, 2017).

  • From Vol. 3 No.9 (May 3, 2017)

    SEC Officials Flesh Out Cybersecurity Enforcement and Examination Priorities (Part One of Two)

    While the SEC has provided some guidance and taken on a limited number of actions, the state of its cybersecurity enforcement program is still unclear to many companies. At the recent IAPP Global Privacy Summit, two SEC officials, Stephanie Avakian, Acting Director of the SEC Division of Enforcement, and Shamoil Shipchandler, SEC Regional Director for the Fort Worth Regional Office, spoke candidly on the agency’s plans and approach. This first part of our article series covering their discussion includes their views on which enforcement actions serve as the best guidance, how they identify new cases, enforcement trends and coordination with law enforcement and state regulators. Part two will include their insights on the SEC’s cybersecurity examination process and guidance on corporate disclosures. See “SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case” (Oct. 19, 2016).

  • From Vol. 2 No.21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must continue to safeguard nonpublic information from all types of dissemination methods, from emails and chats, to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No.2 (Jan. 20, 2016)

    Navigating FCA and SEC Cybersecurity Expectations (Part Two of Two)

    When designing cyber-compliance programs, financial firms operating in multiple jurisdictions must adopt a coordinated approach to cybersecurity that meets the divergent regulatory requirements of all jurisdictions in which they are doing business. This two-part series examines the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, albeit with differing approaches. Part One discussed the FCA and SEC as regulators of financial services in their respective jurisdictions and outlined the guidance issued, and the methods adopted, by the two regulators. This article explores how asset managers and others in the financial sector can navigate the current regulatory environments, including existing guidance, in the U.S. and U.K., and simultaneously satisfy the requirements of each regulator. See also “Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015) and “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do. Increasingly, the federal agency has also vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate. In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement. This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both the cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Model Cybersecurity Contract Terms and Guidance for Investment Managers to Manage Their Third-Party Vendors

    Investment managers use a wide range of third-party vendor-provided products and services to manage their daily operations, and many of those third parties have access to sensitive data. Ensuring that data is protected from theft, either deliberate or inadvertent, is paramount. In a guest article, Schulte Roth & Zabel partner Robert Kiesel provides practical vendor management guidance and comprehensive contract provisions, and discusses critical policies and contract terms that investment managers can use to protect their, and their investors’, data. See “Designing and Implementing a Three-Step Cybersecurity Framework for Assessing and Vetting Third Parties (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015); Part Two of Two, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No.6 (Jun. 17, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)

    Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities. Although not explicitly required by SEC regulations, it is clear that managers are expected to test for cybersecurity vulnerabilities and preparedness. Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA). The program was moderated by Mark C. Amorosi, a partner at K&L Gates. The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki. This article, the first in a two-part series, details the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing. The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters. See “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes. But the law has not kept pace with technological innovation. There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy. As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities. The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.

  • From Vol. 1 No.3 (May 6, 2015)

    Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)

    Financial services firms are a key target of hackers, and responding to the breaches they may cause does not come cheap: the average response cost in the financial services sector is more than double the overall average of $5.84 million, according to data from the Ponemon Institute LLC. As incidents increase, regulators are paying closer attention and firms are spending more on cyber preparedness. A recent program sponsored by K&L Gates and the Investment Adviser Association surveyed the current cybersecurity threat environment and SEC cybersecurity initiatives for the financial services sector; summarized the applicable laws and regulations that bear on cybersecurity; considered the multitude of cybersecurity risks faced by investment managers; and offered a number of strategies for mitigating those risks.

  • From Vol. 1 No.3 (May 6, 2015)

    The SEC’s Updated Cybersecurity Guidance Urges Program Assessments

    With its new Investment Management Guidance Update on cybersecurity, the SEC is “now looking at more comprehensive assessment of controls and threats, not just from external sources but also internal sources,” Marc Lotti, a partner at ACA Aponix, told The Cybersecurity Law Report. “Right now, investors and SEC don’t see [disregarding technology risk] as ignorant, they see it as negligent.” The Guidance discusses actions that investment advisers and companies should consider to mitigate those risks and enhance their cybersecurity programs.

  • From Vol. 1 No.2 (Apr. 22, 2015)

    Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry

    The financial sector has been an obvious target of hackers for a long time. Increased scrutiny of firms’ security from regulators, including the SEC, and customers has raised the stakes even further as firms try to stay ahead of risks. ACA Compliance Group recently presented a program to help those regulated industries navigate the current cybersecurity landscape. The panelists, Raj Bakhru and Marc Lotti, both partners at ACA Aponix (the cybersecurity and risk arm of ACA Compliance Group), offered insights into what advisers and fund managers may expect from regulators going forward; discussed common misperceptions about cybersecurity; and explored goals of cybersecurity and technology risk programs.
