Published by The Lawfare Institute
in Cooperation With
American companies are getting hacked, and the Securities and Exchange Commission wants corporate executives to do something about it. According to a White House Council of Economic Advisers report released earlier this year, malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The report acknowledged a widely recognized root of the problem: “[C]yberattacks and cyber theft impose externalities that may lead to rational underinvestment in cybersecurity by the private sector relative to the socially optimal level of investment.”
But despite outrage and hearings in Congress after major breaches, like the Equifax hack disclosed last year, Congress has not passed new legislation. There is no current central federal mandate that offers protections for personal data. Instead, as a legal treatise puts it, the U.S. “has a patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another.”
It’s in that context that the Securities and Exchange Commission (SEC) has, under its authority of enforcing the federal securities laws, steadily increased its regulation of cybersecurity-related matters. A top SEC official said last year that: “The greatest threat to our markets right now is the cyber threat.” And SEC Chairman Jay Clayton told the Senate Banking Committee that in regard to cyber attacks, companies “should be disclosing more” and that there should be “better disclosure about their risk portfolios and sooner disclosures about intrusions.” In another statement, Clayton announced:
The Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants––including issuers, intermediaries, investors and government authorities––are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.
The SEC’s jurisdiction covers a considerable range of cyber-related issues. This post tracks the commission’s strategy for incentivizing investment in cybersecurity defenses by mandating disclosure and imposing liability on the victims of data breaches. Recent SEC activity suggests that this is a direction the agency is headed in, particularly with little sign of cybercrime slowing anytime soon.
The SEC’s Cybersecurity Foray
In 2011, at the urging of Sen. Jay Rockefeller, then the chairman of the Senate Commerce Committee, the SEC’s Division of Corporation Finance issued guidance on companies’ disclosure obligations relating to cybersecurity risks and cyber incidents. The document established that:
The [Securities Act of 1933 and Securities Exchange Act of 1934], in part, are designed to elicit disclosure of timely, comprehensive, and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Although no existing disclosure requirement explicitly refers to cybersecurity risks and cyber incidents, a number of disclosure requirements may impose an obligation on registrants to disclose such risks and incidents. In addition, material information regarding cybersecurity risks and cyber incidents is required to be disclosed when necessary in order to make other required disclosures ...
The SEC then went on to identify several specific areas that require disclosure of cyber-related information, including investment “risk factors,” the business’ description of itself, disclosure controls and procedures, among others. The SEC later affirmed the importance of these guidelines in a 2014 roundtable event convened shortly after the release of the NIST Cybersecurity Framework. At that event, SEC chairwoman Mary Jo White stated: “The SEC’s formal jurisdiction over cybersecurity is directly focused on the integrity of our market systems, customer data protection, and disclosure of material information.” Following the roundtable, the SEC’s cybersecurity oversight principally consisted of issuing further guidance documents, risk alerts, and, in some cases, directing companies to disclose information on specific cyberattacks in comment letters.
Liability for Victims of Breaches
In October 2015, the agency brought its first action against a corporation that suffered a data breach. Under Regulation S-P, which requires financial firms to adopt written policies and procedures that are “reasonably designed” to protect customer records and information, the SEC found that a St. Louis investment firm had failed to establish cybersecurity policies and procedures in advance of a data breach that compromised the information of approximately 100,000 people. The firm ultimately settled with the SEC for $75,000. In announcing the settlement, an SEC official noted: “[I]t is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.”
In 2016, the SEC again brought an action under Regulation S-P. After a former Morgan Stanley employee downloaded data related to 730,000 accounts to his own personal server, which was then likely hacked by a third-party, the bank agreed to a $1 million penalty. (The employee, Galen Marsh, also pleaded guilty to illegally accessing confidential client information.) In particular, the SEC order noted that Morgan Stanley’s policy and procedures failed to include “reasonably designed and operating authorization modules ... that restricted employee access to only the confidential customer data as to which such employees had a legitimate business need; auditing and/or testing ... and monitoring and analysis of employee access.”
The Creation of the Cyber Unit and the Commission’s 2018 Guidance
In September 2017, the SEC chairman Jay Clayton issued what a Washington Post report described as “an unusual eight-page statement on cybersecurity.” In that statement, Clayton revealed that hackers had breached a SEC network that stored documents filed by publicly traded companies, potentially giving the intruders access to nonpublic information. Also in that same statement, Clayton laid out a broader strategy for policing public companies’ cybersecurity strategies. He said:
[T]he Commission incorporates cybersecurity considerations in its disclosure and supervisory programs, including in the context of the Commission's review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies.
Then a few days later, the SEC announced the creation of a Cyber Unit within its Enforcement Division; the new unit would be tasked with “targeting cyber-related misconduct.” Outlining the Cyber Unit’s priorities in a speech, a SEC official explicitly pointed to “requir[ing] registered entities to have reasonable safeguards in place to address cybersecurity threats” and “cases where there may be a cyber-related disclosure failure by a public company,” among others.
Next, in February 2018, the commission voted unanimously to approve a “statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents.” The SEC described the new document as “reinforcing and expanding upon the staff’s 2011 guidance.” One area where the commission affirmatively noted that it had gone further than the staff guidance was in articulating “the importance of cybersecurity policies and procedures.”
The first part of the document tracks the specific disclosure obligations first announced in the 2011 guidance. In a company’s periodic reporting, the document said, disclosure of cyber risks and incidents is generally necessary for a company’s: business and operations, risk factors, legal proceedings, management discussion and analysis of financial condition and results of operations, financial statements, disclosure controls and procedures, and corporate governance. Exemplifying its effort to compel companies to more rigorously consider cyber risks, the commission added a disclosure requirement for “the nature of the board’s role in overseeing the management of [cybersecurity] risk.”
After that, in a section titled, “Policies and Procedures,” the SEC recommended that: “Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder.” The SEC then went on to cite specific regulations requiring companies to have certain policies in place to identify and evaluate risk. Commenting on the implications of the document, a Mayer Brown post noted, “[t]he guidance encompasses more than disclosure.”
Notably, the commission’s two Democratic-recommended members were critical of the guidance for not going far enough. Commissioner Kara Stein questioned the efficacy of “re-issuing staff guidance solely to lend it a Commission imprimatur.” She called for measures beyond disclosure, including seeking notice and comment for a slate of new rules that would require companies to take proactive security measures. (Stein, whose term ends on Dec. 31, also advocated for more robust cybersecurity regulation by the SEC in a recent speech at Georgia State University College of Law.) Commissioner Robert Jackson Jr.’s statement cited analysis from the recent White House Council of Economic Advisers report that suggested that the 2011 guidance had not resulted in meaningful disclosure. (A New York Times article in March of this year reported that in 2017, only 24 companies reported breaches to the SEC, while researchers found that there were more than 4,000 cyber-attacks during that period.)
Recent Actions Imposing Liability on Victims
Since the creation of the Cyber Unit, the SEC has brought two enforcement actions against victims of breaches. The agency also recently issued a substantial report suggesting future enforcement against victims of breaches that are not in compliance with certain safeguards.
In April 2018, the SEC announced its first-ever enforcement against a company for failing to disclose a breach. In 2014, Russian hackers stole the personal information for more than 500 million accounts from the company formerly known as Yahoo. But Yahoo did not disclose the breach until two years later, when it was in the process of closing the sale of its operating business to Verizon. Meanwhile, Yahoo made no mention of the breach in its SEC filings. The commission found that Yahoo’s statements violated both statutes and regulations requiring the accurate disclosure of “material” information. Yahoo ultimately agreed to a $35 million fine.
In September, the SEC brought another first-of-its-kind enforcement action. This time, the agency found a financial firm in violation of a rule that it had never enforced before that requires investment firms to maintain an up-to-date program for preventing identity theft. The order outlined a phishing scheme in which attackers impersonated the firm’s contractors over a six-day period in 2016 and convinced employees on the firm’s support line to reset certain passwords. The hackers then used the new passwords to gain access to the personal information of 5,600 customers. Even though the firm did have some protections in place, the SEC found them inadequate, in part because in two instances, the malevolent actors called from phone numbers the firm had previously associated with fraudulent activity. The SEC ultimately found the firm’s conduct so egregious that it deemed the violation “willful.” The firm agreed to pay a $1 million settlement.
And, most recently, on Oct. 16, the SEC made headlines with an investigative report “cautioning that public companies should consider cyber threats when implementing internal accounting controls.” The report analyzed nine public companies that fell victim to cyber fraud, wiring a total of $100 million to hackers impersonating either executives (often the CEO) or third-party vendors. One firm made 14 payments amounting to over $45 million in losses before the scheme was uncovered by an alert from a foreign bank. While the commission declined to bring actions against the investigated firms, the report suggested that internal accounting controls required by federal securities laws “may need to be reassessed in light of emerging risks, including risks arising from cyber-related frauds.” As a memo from Davis Polk observed, “[t]he report thus effectively serves as notice that in the future, a company experiencing a cyber event could later find itself in the SEC’s crosshairs.”
Jack Goldsmith and Stuart Russell note in a recent Hoover essay that there has long been skepticism of the regulation of digital networks in the United States. Indeed, many attribute this lack of regulation to the U.S. technology sector’s extraordinary record of innovation. But as a greater volume of sensitive information is stored online and, in turn, stolen, the pendulum may be shifting in the other direction. Especially in the absence of new legislation from Congress, the SEC seems determined to put cybersecurity on the agenda of the nation’s corporate boardrooms.