In enforcement actions concerning firms’ failures to protect client information and other sensitive data, the agency looks at whether the firm took reasonable steps to prevent a breach, Avakian said. She referred to the September case against R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially harmed by the breach.
In August 2015, the SEC charged about 40 defendants with attempting to steal, and trading on, material nonpublic information. “It was a spectacular case,” she said, “in large part because we identified it through the use of our own proactive investigation and our own systems designed to detect this kind of conduct.” The insider trading ring itself was “unprecedented” in scope and scale.
When firms become aware of a breach and are hesitant to come forward, Avakian said, their first priority should be to assess the situation and minimize the damage. Part of that includes bringing in the appropriate law enforcement “fairly immediately.”
She said the agency recognizes that the “critical facts” following a breach change quickly as the firm identifies the possible and actual harm done to clients, and as it works out when the problem can be contained.
“This sort of moving target can make whether, when and what to disclose to the public quite difficult,” Avakian said. However, as last year’s R.T. Jones case showed, the fact that it is a difficult issue does not excuse a firm that fails to take appropriate steps to protect information.
She noted that in the case of public companies, the agency isn’t “looking to second-guess good-faith disclosure decisions.”
Although the SEC hasn’t brought a case where cyber disclosure was false or misleading, Avakian said that doesn’t mean it wouldn’t, but it would “have to be a significant disclosure failure” to bring a case.