Agency looks to ensure firms took reasonable steps to prevent breaches
Securities and Exchange Commission officials addressed enforcement priorities at the agency, including cybersecurity, insider trading and financial reporting, in a panel discussion at the Rocky Mountain Securities Conference in May. The conference is co-sponsored by the SEC and the Business Law Section of the Colorado Bar Association.
Stephanie Avakian, deputy director for the Division of Enforcement, said that the division views cybersecurity violations in “three different buckets.”
The first is when “registrants fail to take appropriate steps to safeguard information.” Violations of Regulations S-P and S-ID would fall into this category.
Second is when material nonpublic information is stolen to gain market advantage.
The last category of cyber violations is when cyber disclosure is false or misleading, “whether or not there's actually been an incident.”
There have been cases in the first two buckets, she said, but as of early May, Avakian said, “we haven't brought a case in that third disclosure bucket.”
In enforcements regarding firms’ failures to protect client information and other sensitive data, the agency is looking at whether firms took reasonable steps to prevent breaches, Avakian said. She referred to a case in September with R.T. Jones, which failed to have policies in place before it was hacked. The SEC charged the firm with failing to comply with Reg S-P, even though no clients reported being financially impacted by the breach. MORE