September 2017 saw no respite from the relentless pace of cyber developments, not only from the perspective of rapidly evolving attacks, but also from the perspective of dynamic federal and state regulatory moves. Two developments stand out. First, on September 25, 2017, the Securities and Exchange Commission (SEC) announced a new enforcement initiative to address growing cyber-based threats and protect retail investors.1 The initiative established a Cyber Unit to target misconduct, a move that could place further pressure on broker-dealers and investment advisers already feeling the heat from an uptick in cyber-related exams and the relentless onslaught of cyber intrusion attempts. Second, a day earlier, the North American Securities Administrators Association (NASAA) announced that state securities examiners had conducted over 1,200 coordinated examinations of state-registered investment advisers between January and June 2017, finding 698 cybersecurity-related deficiencies.2
Given the advancing threats and the increasing regulatory scrutiny, broker-dealers and investment advisers should consider acting with increased urgency to further prepare themselves, focusing in particular on having written cyber policies that are regularly updated to account for the latest threats. The severity and frequency of attacks are only growing, while the tolerance among regulators for failing to take sufficient preventive steps is only diminishing. Against both attackers and regulators, the best offense truly is a good defense, and regulators are strongly indicating that it is not enough to simply have a defense; but rather, that defense must also evolve to keep pace with the rapidly evolving offense.
What the Cyber Unit Will Do
With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well.
The unit will function as part of the SEC’s Enforcement Division to target misconduct along six cyber-related priority areas:
- Market manipulation schemes involving false information spread through electronic and social media;
- Hacking to obtain material nonpublic information;
- Violations involving distributed ledger technology and initial coin offerings;
- Misconduct perpetrated using the dark web;
- Intrusions into retail brokerage accounts; and
- Cyber-related threats to trading platforms and other critical market infrastructure.
By examining each of these areas in depth, this Alert tries to discern the SEC’s key concerns and suggests issues that firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action.
Market Manipulation Schemes
With the spread and growing influence of “fake news” to manipulate political outcomes (and with further proof of intentional nation-state involvement in spreading such false stories),3 it is no surprise that the SEC is concerned about the use of targeted misinformation via social media to manipulate market outcomes.
The SEC will likely be on the lookout for companies hoping to turn an illicit profit by creating or spreading known misinformation via the internet. The SEC could bring fraud cases against those who disseminate false information to manipulate the market, and aiding and abetting cases against those who negligently spread the false information. In fact, the SEC has already started. In 2015, the SEC filed securities fraud charges against a Scottish trader whose false tweets caused sharp drops in the stock prices of two companies and triggered a trading halt in one of them.4
In light of the growing prevalence of intentionally fake stories, it may be prudent for firms to have proactive policies in place that not only explicitly prohibit the dissemination of knowingly false information, but that also require some form of verification before sharing certain market-related news with clients and prospective clients.
Hacking to Obtain Material Nonpublic Information
The SEC’s new enforcement unit will be on the lookout for hackers that infiltrate broker-dealers and investment advisers to trade on nonpublic information or try to manipulate the market, something from which even the SEC is not immune.5 Even where firms are themselves the victims of a cyberattack, the SEC may nonetheless bring “strict liability” enforcement actions against them if they had deficient proactive policies or procedures in place. While not a market manipulation case per se, in September 2015 the SEC brought an enforcement action against an investment adviser that had been breached, compromising the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients (although there was no evidence that any of the information was used).6 The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of those 100,000 individuals’ personally identifiable information. The “Safeguards Rule” in Rule 30(a) of Regulation S-P requires financial institutions to put into place certain policies and procedures to ensure the confidentiality of their clients’ information.7 Similarly, in April 2016, the SEC brought an action against a dually registered broker-dealer/investment adviser whose employee had impermissibly accessed and transferred data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.8 The SEC alleged that the firm failed to adopt written policies and procedures reasonably designed to ensure the security of customer records and information.
Accordingly, to try to avoid future enforcement actions, broker-dealers and investment advisers may want to focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year.
Violations Involving Distributed Ledger Technology and Initial Coin Offerings
The SEC is signaling that it will not allow distributed ledger technology (DLT) or cryptocurrency to be used in a way that evades regulations, results in market manipulation, or is used to perpetrate frauds on investors. Unlike China, which has outright banned cryptocurrency—a move that has furthered a black market in cryptocurrency trading9—the SEC is indicating more of a desire to focus on regulating it.
On September 29, for example, the SEC brought its first enforcement action involving two Initial Coin Offerings (ICOs) for “defrauding investors” by selling these “unregistered securities” purportedly backed by investments in real estate and diamonds.10
At this juncture, however, it remains unclear whether the SEC will mandate that all or some ICOs be registered as securities.
Misconduct Perpetrated Using the Dark Web
As part of its effort to keep up with the rapidly evolving techniques used to engage in insider trading and market manipulation, the SEC is now putting potential bad actors on notice that it will be shining a light on the so-called dark web, where bad actors have traditionally gone to anonymously buy and sell improperly obtained information and tools to conduct nefarious cyber activity. Therefore, if firms are not periodically—either themselves or through third parties—monitoring the dark web for stolen firm information that could impact their business or clients, it is possible that the SEC may focus on that failure.
Intrusions Into Retail Brokerage Accounts
The SEC is also calling out the practice of hacking retail brokerage accounts to manipulate markets. By making certain trades, the hacker can try to inflate the prices of holdings that he or she possesses, or to decrease prices to facilitate successful short selling. In 2016, the SEC charged a man from the UK with breaking into numerous accounts and placing unauthorized trades in them, then profiting within minutes by trading the same stocks in his own account.11 While the broker-dealer was not charged in that case, it is possible that in future cases the SEC could charge the firm for allowing the hack to take place.
In another case, a dually registered broker-dealer/investment adviser had experienced a series of computer system security breaches in which an unauthorized person or persons had accessed and traded, or attempted to trade, customer accounts.12 The SEC alleged that the firm had failed to implement increased security measures and to adopt policies and procedures reasonably designed to safeguard customer information as required by Regulation S-P. Thus, broker-dealers and investment advisers may want to consider assessing the scope of the data they hold and adopting procedures that attempt to prevent intrusions, and to respond to an intrusion if one takes place.