On September 25, 2017, the Securities and Exchange Commission announced that it had created a Cyber Unit to focus on cyber-related misconduct, such as:
- Cyber-related threats to trading platforms and other critical market infrastructure;
- Hacking to obtain material non-public information;
- Violations involving distributed ledger technology and initial coin offerings;
- Misconduct perpetrated using the dark web;
- Market manipulation schemes involving false information disseminated through electronic and social media; and
- Intrusions into retail brokerage accounts.
Robert A. Cohen, a former co-head of the Market Abuse Unit, will lead the Cyber Unit.
The rollout of the Cyber Unit comes at an inopportune time for the SEC. On September 20, 2017, Jay Clayton, the SEC’s Chairman, disclosed that hackers breached the SEC’s EDGAR system in 2016 and may have used information gleaned from that breach to make illicit trades. Nevertheless, the Cyber Unit is part of an evolution of the SEC’s efforts to ensure market intermediaries and public companies work diligently to safeguard confidential customer information and protect the integrity of the securities markets.
The evolution dates back to 2011, when the SEC’s Division of Investment Management issued guidance to investment advisers and their senior management that their fiduciary responsibilities extend to cybersecurity matters. In the same year, the Division of Corporate Finance issued CF Disclosure Guidance, Topic No. 2, which advised public companies to disclose their efforts to safeguard nonpublic information against cyber risks. The SEC hosted a roundtable in March 2014 to discuss the issues and challenges cybersecurity raises for market participants and public companies, and how these entities were addressing those concerns. In 2015, the Commission issued Regulation SCI to advise market participants that their systems must maintain operational capabilities and promote fair and orderly markets, including business continuity and disaster recovery plans.
As the Commission pushed these regulatory developments, it continued to use existing tools, such as Regulation S-P and Regulation S-ID, to ensure market participants took steps to protect non-public customer information. More recently, the Staff has squarely confronted a new threat - cryptocurrency offerings. The Commission’s actions make clear that it is watching each area of the capital markets and meeting new threats as they arise.
The Cyber Unit joins existing units within the Enforcement Division, including Asset Management, FCPA, Market Abuse, Municipal Securities and Public Pension Funds, and Structured Products. It will likely follow its predecessors and hire staff with expertise in cybersecurity, leverage data analytics to identify anomalous trading that may have resulted from unauthorized intrusions, and bring cases. Unless there is affirmative misconduct, the initial cases are likely to arise from technical violations, such as: (1) failure to have robust cybersecurity policies and procedures, failure to follow existing cybersecurity policies and procedures, and failure to establish appropriate controls; (2) failure to perform sufficient periodic assessments of cyber procedures and measures, and failure to respond to deficiencies learned through assessments prior to a breach; and (3) failure to protect networks containing non-public customer information with appropriate technology (e.g., firewalls, encryption, anti-virus software) and reasonable procedures (e.g., access controls).
A critical question, however, is whether the SEC will bring enforcement actions against public companies, such as Equifax and Yahoo!, or industry gatekeepers, such as Deloitte, for failing to prevent data breaches. Moreover, how will the SEC coordinate its enforcement program with state regulators such as New York’s Department of Financial Services? Stephanie Avakian, Co-Head of the Division of Enforcement, has repeatedly suggested that the Commission will bring enforcement actions against companies that experience data breaches under the right circumstances. Time will tell if the circumstances have arrived and whether the Cyber Unit will lead the charge. Meanwhile, public companies and market participants should not wait to see what the Cyber Unit will do. Instead, they should work proactively with technology consultants and legal counsel to develop policies, procedures, and systems to safeguard non-public information. Doing so may limit the likelihood of receiving a call from the Enforcement Division.