The U.S. Securities and Exchange Commission is at the center of the current-day “cyber storm” of data and system protection, both as a victim and as a regulator. According to an SEC director, “[c]yber-related threats and misconduct are among the greatest risks facing investors and the securities industry.”
The SEC recognizes that it is itself vulnerable. It recently acknowledged that its EDGAR records system was subject to a data breach, and information obtained through that breach may have been exploited for purposes of illicit trading.
But the SEC has also sharpened its focus on its own cybersecurity and on that of the entities it regulates. SEC Chairman Jay Clayton plainly stated in September 2017 that “[c]ybersecurity is critical to investors, market participants, our markets, and the Commission itself. By promoting effective cybersecurity practices in connection with both the Commission’s internal operations and its external regulatory oversight efforts, it is our objective to contribute substantively to a financial market system that recognizes and addresses cybersecurity risks and, in circumstances in which these risks materialize, exhibits strong mitigation and resiliency.”
In pursuit of a safer financial market system, the SEC has recently taken some substantive steps. It has launched a “Cyber Unit” in its Enforcement Division and created a Retail Strategy Task Force that “will develop proactive, targeted initiatives to identify misconduct impacting retail investors.”
The SEC has also continued to gather empirical information from its regulated entities, as shown in a recent set of Observations from Cybersecurity Examinations released by its Office of Compliance Inspections and Examinations. These Observations make clear that the SEC expects to see not only written information security policies but also regular follow-through on them.
Also, the SEC’s director of corporation finance recently advised, according to news accounts, that public companies will be seeing new guidance for the reporting of cybersecurity incidents. He did not indicate a timetable. The SEC previously published guidelines in October 2011 that confirm that companies should treat cybersecurity issues as a risk factor in assessing whether, when and what to disclose.
Companies already face any number of legal, regulatory and business reasons to be vigilant in their cybersecurity. Escalation of the SEC’s involvement will add to those reasons.