June 6 — The Securities and Exchange Commission doesn't automatically equate a cyber hacking episode with a regulatory violation, but nonetheless expects companies to act reasonably to avoid such attacks, David Glockner, head of the SEC Chicago Regional Office, said.
“The SEC has been quite clear that reasonableness and perfect are two different things. We expect firms to be diligent, we expect them to be thinking about this area, we expect that companies' procedures both from a policy perspective and a technology perspective are proportional to their risk,” he said June 6 at a Practising Law Institute conference in New York.
The SEC's work intersects with cybersecurity concerns in three chief ways, he said: registrants' public disclosures of cybersecurity risks; the incorporation of cybersecurity standards into the agency's rules; and the protection of market integrity by combating manipulation schemes.
The SEC has used its rule-making authority to promote compliance with cybersecurity standards, Glockner said, citing Regulation S-ID, the identity theft red flags rule for SEC-regulated financial institutions and creditors, and Regulation SCI, a rule designed to strengthen the technology infrastructure of the U.S. securities markets.
The agency has also heard, “loud and clear,” the securities industry's concerns about overlapping and possibly conflicting regulatory actions involving cybersecurity, including duplicative examinations, Glockner said. “We are talking about ways that our regulatory structures can be coordinated in making sure that we share information about overlapping registrants, when appropriate,” he said.
The SEC hasn't yet brought an enforcement action alleging a corporate cyber disclosure violation. It has, however, brought cases involving cyber-enabled market manipulation and a failure to establish policies and procedures before a security breach that compromised client information.
In August the SEC announced fraud charges against 32 defendants who allegedly hacked into newswire services to steal hundreds of corporate earnings announcements before the newswires released them publicly and traded on that information (157 SLD, 8/14/15).
In September the SEC alleged that R.T. Jones Capital Equities Management Inc. failed to adopt written policies to protect customer records when it hired a third-party vendor, failed to conduct periodic risk assessments, and did not implement a firewall to protect data or encrypt customer information (184 SLD, 9/23/15).
The agency is trying to be “measured” in its enforcement cases involving cybersecurity, in part because of the constant changes involving cyber risks and the associated threat landscape, Glockner said. While the SEC has elected not to bring enforcement actions in some cyber cases, Enforcement Director Andrew Ceresney has made it clear that the agency intends to bring enforcement cases regarding cyber in the future, Glockner said.
One trend the SEC has observed is an increase in the number of attacks that “combine technical vulnerabilities and people vulnerabilities,” including business e-mail compromise schemes in which employees receive seemingly genuine e-mails requesting data or money transfers that were in fact sent by fraudsters.
“It is a significant area and one that we are seeing firms struggling with, and it's one where technology alone is not the solution,” Glockner said.