Category Archives: Securities and Exchange Commission

SEC Releases ICO Guidelines; Too Little, Too Late for Cryptocurrency Investors?

The U.S. Securities and Exchange Commission has released a guide for would-be cryptocurrency creators and investors; but over a year on from the heady peak of the ICO craze, is it too little, too late? SEC Offers ICO Guide The SEC’s newly released guide to initial coin offerings features five main points, many of […]

The post SEC Releases ICO Guidelines; Too Little, Too Late for Cryptocurrency Investors? appeared first on Hacked: Hacking Finance.

As Crypto Rally Cools, Binance Coin Remains Buoyant; CEO Changpeng Zhao Offers Encouraging Message to New Traders

Crypto markets underwent a gradual cooling over the weekend, as bitcoin and the major altcoins struggled to make higher highs following an explosive Friday rally. However, for Binance Coin (BNB), the rally was still very much intact thanks to a bevy of positive news surrounding the exchange. Market Update Most of the top 20 coins […]

Weekly Recap: Crypto Markets Get a Shake-Up as Litecoin Ascends; Bitcoin ETF Has Another Backer at the SEC

Cryptocurrencies were on the path to recovery Friday, as Litecoin’s sudden ascendancy propelled markets higher. This had a domino effect on the top 10 coins, whose rankings shifted following Litecoin’s explosive move north. The market’s performance on Friday helped offset a lackluster start to the week that saw coin values plunge to new yearly lows. […]

Crypto Markets See Modest Gains as SEC Commissioner Hints at Bitcoin ETF Approval

The cryptocurrency market stabilized on Thursday, with most of the top 20 coins registering modest gains through the early part of trading. Meanwhile, a commissioner at the U.S. Securities and Exchange Commission (SEC) sent a strong signal that a bitcoin exchange-traded fund (ETF) will eventually be approved. Markets Stabilize The cryptocurrency market capitalization clawed back […]

Two charged with hacking company filings out of SEC’s EDGAR system

They are charged with using phishing and malware to get into the EDGAR filing system, stealing thousands of filings and selling access to them.

SEC Fines Broker-Dealer $1 Million in First Enforcement Action Under Identity Theft Rule

On September 26, 2018, the SEC announced a settlement with Voya Financial Advisers, Inc. (“Voya”), a registered investment advisor and broker-dealer, for violating Regulation S-ID, also known as the “Identity Theft Red Flags Rule,” as well as Regulation S-P, the “Safeguards Rule.” Together, Regulations S-ID and S-P are designed to require covered entities to help protect customers from the risk of identity theft and to safeguard confidential customer information. The settlement represents the first SEC enforcement action brought under Regulation S-ID.

I.  The Identity Theft Red Flags Rule

Regulation S-ID covers SEC-registered broker-dealers, investment companies and investment advisors and mandates a written identity theft program, including policies and procedures designed to:

  • identify relevant types of identity theft red flags;
  • detect the occurrence of those red flags;
  • respond appropriately to the detected red flags; and
  • periodically update the identity theft program.

Covered entities are also required to ensure the proper administration of their preventative programs.

II.  The Safeguards Rule

Rule 30(a) of Regulation S-P requires financial institutions to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. It further requires that those policies and procedures be reasonably designed to (1) ensure the security and confidentiality of customer records and information; (2) protect against anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

III.  The Voya Violations

According to the SEC’s order, cyber intruders successfully impersonated Voya contractor-representatives, gaining access to a web portal that housed the personally identifiable information (“PII”) of approximately 5,600 Voya customers. Over a six-day period, intruders called Voya’s service call center and requested that three representatives’ passwords be reset; the intruders then used the temporary passwords to create new customer profiles and access customer information and documents. The order indicated that, in two of the three cases, the phone number used to call the Voya service center had previously been flagged as associated with fraudulent activity.

Three hours after the first fraudulent reset, the targeted representative allegedly notified technical support that they had not requested the reset. While Voya did take some steps in response, the order found that those steps did not include terminating the fraudulent login sessions or imposing safeguards sufficient to prevent intruders from obtaining passwords for two additional representative accounts over the next several days.

The SEC determined that Voya violated the Identity Theft Red Flags Rule because, while it had adopted an Identity Theft Prevention Program in 2009, it did not review and update this program in response to changes in the technological environment. The SEC also found that Voya failed to provide adequate training to its employees. Finally, the SEC found that Voya’s Identity Theft Program lacked reasonable policies and procedures to respond to red flags. In addition to these violations, the SEC determined that Voya violated the Safeguards Rule by failing to adopt written policies and procedures reasonably designed to safeguard customer records and information.
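The order describes two controls the SEC found wanting: a reset requested from a phone number already flagged for fraud was still honored, and the sessions opened with the fraudulent temporary password were not terminated once the representative reported the reset. The following Python is an added example written for this page, not code from the SEC order, Voya, or any vendor; the class names, the phone numbers and the representative identifiers are all constructed for the walk-through. It models a call-center reset desk that refuses resets from flagged callers (detecting the red flag) and, when an owner reports an unrequested reset, revokes the temporary credential, kills the sessions it spawned and flags the caller's number so the same number cannot reset a second account (responding to the red flag).

```python
from dataclasses import dataclass, field


@dataclass
class ResetEvent:
    """One call-center password reset: who it was for, who asked, and what it spawned."""
    rep_id: str
    caller_number: str
    issued: bool              # was a temporary password handed out?
    revoked: bool = False     # set once the owner reports the reset as unrequested
    sessions: list = field(default_factory=list)


class ResetDesk:
    """Hypothetical reset workflow with red-flag detection and response (example only)."""

    def __init__(self, flagged_numbers):
        self.flagged = set(flagged_numbers)   # numbers previously tied to fraud
        self.resets = []                      # audit trail of every request, allowed or not
        self.active_sessions = {}             # session id -> rep id
        self.alerts = []                      # what the fraud team would see
        self._seq = 0

    def request_reset(self, rep_id, caller_number):
        """Detect the red flag: refuse a reset requested from a flagged number."""
        if caller_number in self.flagged:
            self.alerts.append(f"reset for {rep_id} refused: caller {caller_number} is flagged")
            self.resets.append(ResetEvent(rep_id, caller_number, issued=False))
            return False
        self.resets.append(ResetEvent(rep_id, caller_number, issued=True))
        return True

    def login_with_temp_password(self, rep_id):
        """Bind each session opened with a temporary password to the reset that issued it."""
        for event in reversed(self.resets):
            if event.rep_id == rep_id and event.issued and not event.revoked:
                self._seq += 1
                sid = f"s{self._seq}"
                self.active_sessions[sid] = rep_id
                event.sessions.append(sid)
                return sid
        return None   # no live temporary credential for this representative

    def report_unrequested_reset(self, rep_id):
        """Respond to the red flag: void the temp password, kill its sessions, flag the caller."""
        killed = []
        for event in self.resets:
            if event.rep_id == rep_id and event.issued and not event.revoked:
                event.revoked = True
                self.flagged.add(event.caller_number)
                for sid in event.sessions:
                    self.active_sessions.pop(sid, None)
                    killed.append(sid)
                self.alerts.append(
                    f"{rep_id} reported unrequested reset; caller {event.caller_number} flagged")
        return killed


def run_scenario():
    """Constructed walk-through of the sequence in the order; every value here is made up."""
    desk = ResetDesk(flagged_numbers={"+1-555-0100"})
    results = {}
    # An unflagged caller asks for rep-A's password to be reset and logs in with it.
    results["first_reset_allowed"] = desk.request_reset("rep-A", "+1-555-0199")
    first_session = desk.login_with_temp_password("rep-A")
    # rep-A tells technical support they never asked for a reset.
    results["killed_sessions"] = desk.report_unrequested_reset("rep-A")
    results["session_still_active"] = first_session in desk.active_sessions
    results["reuse_temp_password"] = desk.login_with_temp_password("rep-A")
    # The same caller now tries a second representative; a known-bad number tries a third.
    results["same_number_second_rep"] = desk.request_reset("rep-B", "+1-555-0199")
    results["known_flagged_number"] = desk.request_reset("rep-C", "+1-555-0100")
    results["alert_count"] = len(desk.alerts)
    return results


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The audit trail kept in `resets` is what lets the response step work: without a record tying a session to the reset that created it, there is nothing to terminate when the owner calls in, which is the gap the order describes.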

IV.  Aftermath and Implications

While neither admitting nor denying the SEC’s findings, Voya agreed to a $1 million fine to settle the enforcement action and will engage an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule, Identity Theft Red Flags Rule and related regulations. The SEC additionally ordered that Voya cease and desist from committing any violations of Regulations S-ID and S-P.

The Voya settlement demonstrates that the SEC is focused on protecting consumer information, and on ensuring that broker-dealers, investment companies and investment advisors comply with Regulation S-ID. The Voya settlement also indicates that having policies and procedures designed to protect customer information alone may not suffice; entities subject to Regulation S-ID should frequently evaluate the adequacy of their policies and procedures designed to identify and address “red flags,” and they should ensure that all relevant employees receive comprehensive training on identity theft. Such entities must also ensure that their compliance program is frequently updated to address changes in technology and corresponding changes to the risk environment.

Insider Trading Charges Brought Against CIO for Post-Breach Trading

On March 14, 2018, the Department of Justice and the Securities and Exchange Commission (“SEC”) announced insider trading charges against a former chief information officer (“CIO”) of a business unit of Equifax, Inc. According to prosecutors, the CIO exercised options and sold his shares after he learned of a cybersecurity breach and before that breach was publicly announced. Equifax has indicated that approximately 147.9 million consumers had personal information that was compromised.

Equifax’s board of directors had previously formed a special committee to investigate trades by certain senior executives that occurred after the breach. Although the timing of those trades drew significant scrutiny from the press, investors and others, the special committee concluded that the executives were not aware of the breach when they sold their shares. It does not appear that the special committee’s investigation covered the CIO’s trades.

According to the SEC’s complaint, the CIO—who was the leading candidate to be the company’s next global CIO—allegedly used confidential information entrusted to him in the course of his employment to conclude that Equifax had suffered a serious breach. The SEC’s investigation relied on a detailed analysis of the CIO’s emails and text messages, and also found that the CIO used a search engine to find information on the Internet concerning the September 2015 cybersecurity breach of Experian, another one of the major credit bureaus, and the impact that breach had on Experian’s stock price. The search terms used by the CIO included: (1) “Experian breach”, (2) “Experian stock price 9/15/2015”, and (3) “Experian breach 2015.”

The SEC alleges that shortly after running these internet searches, but before Equifax’s public disclosure of this data breach, the CIO exercised all of his vested Equifax stock options and then sold the underlying shares, receiving proceeds from the sale of over $950,000. According to the SEC, by selling before public disclosure of the Equifax data breach, the CIO also avoided more than $117,000 in losses that he would have suffered had he not sold until after the news of the breach became public.

This case comes on the heels of the SEC’s recently issued interpretive guidance on cybersecurity. In its guidance, the SEC warned that “information about a company’s cybersecurity risks and incidents may be material nonpublic information, and directors, officers, and other corporate insiders would violate the antifraud provisions if they trade the company’s securities in breach of their duty of trust or confidence while in possession of that material nonpublic information.”

These charges are also an important reminder to companies to (1) educate employees on insider trading laws, (2) implement appropriate internal controls and procedures to oversee trading by senior employees and employees who work in sensitive areas, (3) monitor the exercise of company-issued equity awards, and (4) promptly implement blackout periods covering appropriate personnel upon discovery of a cybersecurity incident.

Webinar Recording Available on SEC Cybersecurity Guidance

On March 7, 2018, Hunton & Williams LLP hosted a webinar with partners Lisa Sotto, Aaron Simpson and Scott Kimpel, and senior associate Brittany Bacon on the Securities and Exchange Commission’s (“SEC’s”) recently released cybersecurity guidance. For the first time since its last major staff pronouncement on cybersecurity in 2011, the SEC has released new interpretive guidance for public companies that will change the way issuers approach cybersecurity risk.

Sotto, Simpson, Kimpel and Bacon discussed this new guidance within the context of the current cyber threat landscape, including outlining changes in regulatory obligations under EU law with respect to the upcoming GDPR and historical SEC enforcement actions related to cybersecurity.

View a recording of the webinar.

SEC Publishes New Guidance on Public Company Cybersecurity Disclosures

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) published long-awaited cybersecurity interpretive guidance (the “Guidance”). The Guidance marks the first time that the five SEC commissioners, as opposed to agency staff, have provided guidance to U.S. public companies with regard to their cybersecurity disclosure and compliance obligations.

Because the Administrative Procedure Act still requires public notice and comment for any rulemaking, the SEC cannot legally use interpretive guidance to announce new law or policy; therefore, the Guidance is evolutionary rather than revolutionary. Still, it introduces several key topics for public companies, and builds on prior interpretive releases issued by agency staff in the past.

First, the Guidance reiterates public companies’ obligation to disclose material information to investors, particularly when that information concerns cybersecurity risks or incidents. Public companies may be required to make such disclosures in periodic reports in the context of (1) risk factors, (2) management’s discussion and analysis of financial results, (3) the description of the company’s business, (4) material legal proceedings, (5) financial statements, and (6) with respect to board risk oversight. Next, the Guidance addresses two topics not previously addressed by agency staff: the importance of cybersecurity policies and procedures in the context of disclosure controls, and the application of insider trading prohibitions in the cybersecurity context.

The Guidance emphasizes that public companies are not expected to publicly disclose specific, technical information about their cybersecurity systems, nor are they required to disclose potential system vulnerabilities in such detail as to empower threat actors to gain unauthorized access. Nevertheless, the SEC noted that while it may be necessary to cooperate with law enforcement and that ongoing investigation of a cybersecurity incident may affect the scope of disclosure regarding an incident, the mere existence of an ongoing internal or external investigation does not provide a basis for avoiding disclosures of a material cybersecurity incident. The guidance concludes with a reminder that public companies are prohibited in many circumstances from making selective disclosure about cybersecurity matters under SEC Regulation Fair Disclosure.

The Guidance is perhaps most notable for the issues it does not address. In a statement issued coincident with the release of the new guidance, Commissioner Kara Stein expressed disappointment that the Guidance did not go further to highlight four areas where she would have liked to see the SEC seek public comment:

  • rules that address improvements to the board’s risk management framework related to cyber risks and threats;
  • minimum standards to protect investors’ personally identifiable information, and whether such standards should be required for key market participants, such as broker-dealers, investment advisers and transfer agents;
  • rules that would require a public company to provide notice to investors (e.g., a Current Report on Form 8-K) in an appropriate time frame following a cyberattack, and to provide useful disclosure to investors without harming the company competitively; and
  • rules that are more programmatic and that would require a public company to develop and implement cybersecurity-related policies and procedures beyond basic disclosure.

Given the intense public and political interest in cybersecurity disclosure by public companies, we anticipate that this latest guidance will not be the SEC’s final word on this critical issue.

SEC Creates Cyber Unit to Target Cyber-Related Threats

This week, the Securities and Exchange Commission (“SEC”) announced the creation of a new Cyber Unit that will target cyber-related threats that may impact investors. The Cyber Unit, which will be part of the SEC’s Enforcement Division, will seek to combat various types of cyber-related threats including:

  • The manipulation of markets through the spread of false information;
  • Hacking of material nonpublic information;
  • Attacks on blockchain technology and initial coin offerings;
  • Misconduct on the dark web;
  • Intrusions into retail brokerage accounts; and
  • Other cyber threats to trading platforms and other critical market infrastructure.

The creation of the Cyber Unit is the latest in a series of steps taken by the SEC to focus on cybersecurity issues, including the issuance of a recent Risk Alert that examines the cybersecurity policies and procedures of financial institutions it regulates. In announcing the creation of the Cyber Unit, Stephanie Avakian, Co-Director of the SEC’s Enforcement Division, noted the growing importance of combating cyber-related threats and stated that “The Cyber Unit will enhance our ability to detect and investigate cyber threats through increasing expertise in an area of critical national importance.”

SEC Risk Alert Highlights Cybersecurity Improvements and Suggested Best Practices

On August 7, 2017, the Securities and Exchange Commission (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) issued a Risk Alert examining the cybersecurity policies and procedures of 75 broker-dealers, investment advisers and investment companies (collectively, the “firms”). The Risk Alert builds on OCIE’s 2014 Cybersecurity Initiative, a prior cybersecurity examination of the firms, and notes that while OCIE “observed increased cybersecurity preparedness” among the firms since 2014, it “also observed areas where compliance and oversight could be improved.”

Key improvements observed included:

  • use of periodic risk assessments, penetration tests and vulnerability scans of critical systems to identify cybersecurity threats and vulnerabilities, as well as potential business consequences of a cybersecurity incident;
  • procedures for regular system maintenance, including software patching, to address security updates;
  • implementation of written policies and procedures, including response plans and defined roles and responsibilities, for addressing cybersecurity incidents; and
  • vendor risk assessments conducted at the outset of an engagement with a vendor and often updated periodically throughout the business relationship.

Key issues observed included:

  • failure to reasonably tailor written policies and procedures (e.g., many policies and procedures were written vaguely or broadly, with limited examples of safeguards and limited procedures for policy implementation);
  • failure to adhere to or enforce written policies and procedures, or failure to ensure that such policies and procedures reflected firms’ actual practices;
  • failure to timely remediate high-risk findings of penetration tests and vulnerability scans; and
  • use of outdated operating systems that were no longer supported by security patches.

In addition, the Risk Alert included a list of best practices identified by OCIE as elements of robust cybersecurity programs. These included maintaining:

  • an inventory of data, information and vendors;
  • instructions for various aspects of cybersecurity protocols, including security monitoring, auditing and testing, as well as incident reporting;
  • schedules and processes for cybersecurity testing; and
  • “established and enforced” access controls to data and systems.

OCIE further noted that robust cybersecurity programs may include mandatory employee training and vetting and approval of policies and procedures by senior management. OCIE indicated in the Risk Alert that its list of cybersecurity program best practices is not intended to be exhaustive.

OCIE noted that it will continue to prioritize cybersecurity compliance and will examine firms’ procedures and controls, “including testing the implementation of those procedures and controls at firms.”

SEC Warns Initial Coin Offerings May Be Subject to U.S. Federal Securities Laws

In 2017, over $1.3 billion has been raised by start-ups through Initial Coin Offerings (“ICOs”), a relatively new form of financing technique in which a company (typically one operating in the digital currency space) seeking to raise seed money makes a “token” available for sale, and the token gives the purchaser some future right in the business or other benefit. Amidst much anticipation, on July 25, 2017, the Securities and Exchange Commission (“SEC”) released a Report of Investigation (“Report”) under Section 21(a) of the Securities Exchange Act of 1934 warning the market that “tokens” issued in ICOs may be “securities” such that the full breadth of the U.S. federal securities laws may apply to their offer and sale. The Report and a simultaneously released Investor Bulletin offer guidance and serve as a notice to the market that the SEC will be policing this new financing technique.

Read the full client alert.

Chinese Hackers Fined for Hack of New York Law Firms

On May 5, 2017, the U.S. District Court for the Southern District of New York entered a default judgment in favor of the SEC against three Chinese defendants accused of hacking into the nonpublic networks of two New York-headquartered law firms and stealing confidential information regarding several publicly traded companies engaged in mergers and acquisitions. The defendants allegedly profited illegally by trading the stolen nonpublic information. After the defendants failed to answer the SEC’s complaint, the court entered a default judgment against them, imposing a fine of approximately $8.9 million against the defendants (three times the profits they gained by the unlawful trading, the maximum penalty allowable under the relevant section of the Securities Exchange Act of 1934).

Email Privacy Act Reintroduced in Congress

On January 9, 2017, Representatives Kevin Yoder (R-KS) and Jared Polis (D-CO) reintroduced the Email Privacy Act, which would amend the Electronic Communications Privacy Act (“ECPA”) of 1986. In particular, the legislation would require government entities to obtain a warrant, based on probable cause, before accessing the content of any emails or electronic communications stored with third-party service providers, regardless of how long the communications have been held in electronic storage by such providers. Although ECPA currently requires law enforcement agencies to obtain a warrant to search the contents of electronic communications held by service providers that are less than 180 days old, communications that are more than 180 days old can be obtained with a subpoena.

The Email Privacy Act previously received unanimous approval in the House of Representatives in April 2016, but failed to gain traction in the Senate Judiciary Committee after Representative John Cornyn (R-TX) added a controversial amendment that would have expanded the FBI’s ability to use “national security letters” to obtain a suspect’s information from wire or electronic communications service providers. The proposed amendment gave the director of the FBI (or a designee), the ability to compel providers to disclose certain information about a suspect other than the contents of the suspect’s communications, including the individual’s name, physical address, contact information, payment card or bank account information, IP address, login history and length of service with the provider.

In May 2016, the U.S. Securities and Exchange Commission (“SEC”) expressed concern that the proposed Email Privacy Act would hinder its ability to obtain critical evidence of securities law violations. The SEC asserted that the bill would require all government agencies, including civil enforcement agencies like the SEC, to obtain criminal warrants when seeking electronic communications of service providers. According to the SEC, because it “does not have criminal law enforcement powers and therefore lacks the authority to apply for search warrants, the bill would inhibit the SEC in its mission of protecting investors and promoting confidence in the U.S. capital markets.” Currently, the SEC may seek electronic communications from service providers by issuing administrative subpoenas under its own statutory authority.

In a statement issued on January 10, 2017, Representative Polis noted that “[t]he Email Privacy Act will update, and bring our archaic laws into the 21st century, and protect Americans’ Fourth Amendment privacy rights, whether they’re communicating through pen-and-paper mail or email. Americans justly demand this level of privacy, and I remain confident that the bill will swiftly pass Congress.”

FINRA Issues $14.4 Million in Fines for Inadequate Record Storage Practices

On December 21, 2016, the Financial Industry Regulatory Authority (“FINRA”) announced that it had fined 12 financial institutions a total of $14.4 million for improper storage of electronic broker-dealer and customer records. Federal securities law and FINRA rules require that business-related electronic records be kept in “write once, read many” (“WORM”) format, which prevents alteration or destruction. FINRA found that the 12 sanctioned firms had failed to store such records in WORM format, in many cases for extended periods of time.

According to FINRA’s press release about the sanctions, it found that “each of these 12 firms had WORM deficiencies that affected millions, and in some cases, hundreds of millions, of records pivotal to the firms’ brokerage businesses, spanning multiple systems and categories of records.” Preventing the alteration or destruction of electronic brokerage records is, as the SEC has previously stated, “the primary means of monitoring compliance with applicable securities laws.” Further, as FINRA noted, these records contain sensitive financial data that is increasingly vulnerable to “aggressive attempts to hack into electronic data repositories.”

The individual fines ranged from $500,000 to $4 million. Brad Bennett, FINRA’s Executive Vice President and Chief of Enforcement, said of the fines, “These disciplinary actions are a result of FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.”

SEC Charges Chinese Traders with Trading on Information Stolen from Law Firms

On December 27, 2016, the Securities and Exchange Commission (“SEC”) announced charges against three Chinese traders who allegedly made almost $3 million in illegal profits by fraudulently trading on nonpublic information that had been hacked from two New York-based law firms. This is the first action in which the SEC has brought charges in connection with an incident involving hacking into a law firm’s computer network.

The charges stem from allegations that the traders used malware to hack into the law firms’ networks and steal confidential information relating to clients’ potential M&A transactions from firm email accounts. The traders then allegedly used the stolen information to purchase shares in several public companies ahead of announcements about those companies entering into merger agreements.

Antonia Chion, Associate Director of the SEC’s Division of Enforcement, noted that the action “serves as a stark reminder to companies and firms that your networks can be vulnerable targets.”

The U.S. Attorney for the Southern District of New York is bringing criminal charges against the traders.

Pharmaceutical Company to Plead Guilty and Settle Drug Marketing Charges

Recently, Aegerion Pharmaceuticals announced that it will enter into several settlements and plead guilty to two misdemeanors in connection with alleged violations of HIPAA, drug marketing regulations and securities laws. The criminal charges stem from the company’s marketing of a cholesterol drug called Juxtapid. Aegerion allegedly failed to comply with risk evaluation and management strategies and marketed Juxtapid (which is labeled with a warning about liver toxicity) without proper directions for use. 

Aegerion will also pay $40 million to settle claims by the Department of Justice and Securities and Exchange Commission, and enter into a deferred prosecution agreement related to alleged violations of HIPAA. The specific violations of HIPAA have not been made public, but an Aegerion spokesperson stated that it “does not relate to a breach of our privacy or security with respect to patient health information.”

CII Issues Investor-Engagement Guide on Cyber Risk

Recently, the Council of Institutional Investors (“CII”) issued a guide to shareholder engagement on cyber risk. The guide is intended to enable shareholders to ask appropriate questions of boards to gauge whether companies are taking proper steps to mitigate cyber risk. The guide poses the following five questions:

  • How are the company’s cyber risks communicated to the board, by whom and with what frequency?
  • Has the board evaluated and approved the company’s cybersecurity strategy?
  • How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  • How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  • When did the board last discuss whether the company’s disclosure of cyber risk and cyber incident is consistent with SEC guidance?

CII’s guide demonstrates the ongoing importance of cybersecurity and of boards being knowledgeable in the corporate governance area.

SEC Announces Settlement Order and Publishes Investor Alert

On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced a settlement order (the “Order”) with an investment adviser for failing to establish cybersecurity policies and procedures, and published an investor alert (the “Alert”) entitled Identity Theft, Data Breaches, and Your Investment Accounts.

The Order with R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) alleged that R.T. Jones violated Regulation S-P, the SEC’s version of the Gramm-Leach-Bliley Act’s Safeguards Rule, by storing sensitive personally identifiable information (“PII”) on its third party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” The firm’s server was attacked in 2013, which resulted in the exposure of PII of more than 100,000 individuals. Pursuant to the Order, R.T. Jones agreed to pay a $75,000 penalty, appoint an information security manager to oversee data security, and adopt and implement a written information security policy. The firm also agreed to (1) no longer store PII on its webserver, (2) encrypt any PII stored on its internal network, (3) install a new firewall and logging system to prevent and detect future attacks, and (4) retain a cybersecurity firm to provide ongoing reports and advice on the firm’s information security.

In announcing the Order, Marshall S. Sprung, Co-Chief of the SEC Division of Enforcement’s Asset Management Unit, noted that companies “need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The Alert, which was published by the SEC’s Office of Investor Education and Advocacy, contains practical advice for investors on what steps to take if their investment accounts have been the subject of a data breach. These steps include:

  • contacting the investment firm and other financial institutions immediately;
  • changing online account passwords;
  • considering closing compromised accounts;
  • activating two-step verification, if available;
  • monitoring investment accounts for suspicious activity;
  • placing a fraud alert on their credit file;
  • monitoring credit reports;
  • considering creating an Identity Theft Report; and
  • documenting all communications related to the incident in writing.

View the Press Release, Order and Alert.

SEC Issues Top Cybersecurity Priorities for Broker-Dealers and Investment Advisers

On September 15, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) at the U.S. Securities and Exchange Commission (“SEC”) issued a Risk Alert outlining its latest cybersecurity examination priorities for SEC-registered broker-dealers and investment advisers.

In addition to what we have previously reported, this Risk Alert is the latest in a series of announcements on cybersecurity from OCIE. Although OCIE’s jurisdiction within the SEC technically extends only to the examination of certain kinds of regulated securities entities and intermediaries, the Risk Alert also can be instructive to other businesses subject to SEC oversight. As OCIE’s knowledge and sophistication on the topic of cybersecurity continues to improve, we expect that an increasing number of OCIE inspections will lead to referrals to the SEC’s Division of Enforcement for more formal action.

According to OCIE, areas of focus for upcoming examinations of broker-dealers and investment advisers include the following:

Governance and Risk Assessment: OCIE examiners may assess whether registrants have cybersecurity governance and risk assessment processes in place, whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

Access Rights and Controls: Examiners may review the manner in which firms control access to various systems and data via account management, authentication and authorization methods. For example, this review may include evaluating controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation and tiered access.

Data Loss Prevention: Examinations may include assessing how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners may also assess how firms monitor for potentially unauthorized data transfers and may review how they verify the authenticity of a customer request to transfer funds.

Vendor Management: Examiners may focus on firms’ practices and controls related to vendor management, such as due diligence, engagement, and monitoring and oversight of vendors. The examinations may include an assessment of how vendor relationships are incorporated into the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

Training: Examiners may focus on whether training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review whether procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

Incident Response: Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future events. This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.

SEC Cybersecurity Investigations: A How-to Guide

Hunton & Williams LLP partners Lisa J. Sotto, Scott H. Kimpel and Matthew P. Bosher recently published an article in Westlaw Journal’s Securities Litigation & Regulation entitled SEC Cybersecurity Investigations: A How-to Guide. The article details the U.S. Securities and Exchange Commission’s (“SEC’s”) role in cybersecurity regulation and enforcement, and offers best practice tips for navigating the investigative process. In the article, the authors note that the threat of an SEC enforcement investigation must be considered an integral part of cybersecurity planning and compliance efforts. “Being prepared to engage the SEC in a proactive manner is often the best approach.” Download a copy of the full article now.

SEC Releases Observations from Recent Cybersecurity Examinations of Broker-Dealers and Advisers

On February 3, 2015, the Securities and Exchange Commission (“SEC”) released a Risk Alert, entitled Cybersecurity Examination Sweep Summary, summarizing observations from the recent round of cybersecurity examinations of registered broker-dealers and investment advisers under the Cybersecurity Examination Initiative. Conducted by the SEC Office of Compliance Inspections and Examinations (“OCIE”) from 2013 through April 2014, the examinations inspected the cybersecurity practices of 57 registered broker-dealers and 49 registered investment advisers through interviews and document reviews. The examinations evaluated the institutions’ practices in key areas such as risk management, cybersecurity governance, network security, information protection, vendor management and incident detection.

The OCIE’s key findings included:

  • A majority of the broker-dealers (88%) and the advisers (74%) reported that they have experienced a cyber-related incident.
  • A majority of the examined broker-dealers (93%) and advisers (79%) reported that they conduct cybersecurity risk assessments on a periodic basis.
  • Almost half of the broker-dealers (47%) reportedly participate in information sharing organizations such as the Financial Services Information Sharing and Analysis Center.
  • Almost all the examined broker-dealers (98%) and advisers (91%) make use of encryption in some form.
  • Most of the broker-dealers (72%) include cybersecurity requirements in their vendor and business partner contracts, while few of the advisers (24%) incorporate such requirements.
  • Over half of the broker-dealers (58%) maintain insurance for cybersecurity incidents, while only a small number of the advisers (21%) maintain such insurance.

Recent Developments Concerning Cybersecurity Disclosure for Public Companies

Cyber incidents have become more common — and more severe — in recent years. Like other federal agencies, the Securities and Exchange Commission (“Commission”) has recently been analyzing the applicability of its existing regulations to cybersecurity risks. The Commission’s efforts are focused on maintaining the integrity of market systems, protecting customer data and ensuring the disclosure of material information. We provide an overview of recent developments in cybersecurity disclosure of particular interest to public companies.

Commissioner Aguilar Speech

In a speech on June 10, 2014, Commissioner Luis Aguilar made remarks on cybersecurity issues during a conference hosted by the New York Stock Exchange. Commissioner Aguilar noted the increasing cost and frequency of cyber attacks on public companies. He also expressed concern as to the severe impact that cyber attacks could have on the integrity of the capital markets and on public companies and investors. The commissioner advocated an expanded role for boards of directors in preparing for cybersecurity risks and in coordinating responses when breaches occur. He also encouraged companies “to go beyond the impact on the company and to also consider the impact on others.” He continued, “It is possible that a cyber attack may not have a direct material adverse impact on the company itself, but that a loss of customers’ personal and financial data could have devastating effects on the lives of the company’s customers and many Americans.” Although Commissioner Aguilar was careful to note that he does not speak for the full Commission, his speech demonstrates that cybersecurity issues continue to concern officials at the highest levels of the agency.

Disclosure Principles

The Commission’s Division of Corporation Finance (“Division”) made its first significant foray into formalizing guidance on public company cybersecurity disclosure in October 2011 with Disclosure Guidance: Topic No. 2 — Cybersecurity. There, the Division reiterated that the federal securities laws are designed to elicit disclosure of timely, comprehensive and accurate information about risks and events that a reasonable investor would consider important to an investment decision. Thus, although the Commission’s existing disclosure requirements do not explicitly refer to cybersecurity risks and cyber incidents, general principles of materiality may nonetheless require a public company to discuss these issues. The Division noted that existing disclosure requirements under Regulation S-K, such as risk factors, MD&A, description of business, legal proceedings and financial statement disclosure, could be implicated by cyber risks and cyber incidents. The guidance was careful to note that companies are not required to make disclosures that could provide a “roadmap” for those who seek to infiltrate a company’s network in the future. To the extent cyber incidents pose a risk for a registrant, disclosure controls and procedures may also be implicated. These topics received additional attention at a roundtable on cybersecurity the Commission hosted on March 26, 2014. And on April 15, 2014, the Commission’s Office of Compliance Inspections and Examinations issued a risk alert in which it announced its plans to conduct targeted examinations of more than 50 registered broker-dealers and registered investment advisers with respect to cybersecurity readiness.

In a speech on May 1, 2014, Shelley Parratt, a deputy director of the Division, observed that cybersecurity remains an important focus for the Division as new incidents of hacking emerge. Although the full text of her speech was not made publicly available, media accounts indicate Parratt amplified Disclosure Guidance Topic No. 2 and highlighted the following themes for public companies in crafting cybersecurity disclosures for investors:

  • how information submitted to the Commission would be updated as threats evolve and risks change;
  • how the company would respond in the event of a material breach;
  • whether there are aspects of the company’s operations that give rise to material cybersecurity risks;
  • the potential consequences and costs associated with cyber incidents;
  • whether the company has outsourced functions that expose it to cybersecurity risks; and
  • whether the company has experienced a material cybersecurity incident, and, if so, whether its disclosure is current with respect to that incident.

Nevertheless, Parratt reiterated that companies need not make disclosures that would essentially serve as a roadmap of a public company’s vulnerabilities.

Staff in the Division has been active in recent years in commenting on public company periodic reports regarding cybersecurity issues. Drawn from publicly available comment letters to registrants, examples of these staff comments read as follows:

  • You indicate that you have been subject to ongoing cyber attacks, but that those attacks have not had a material impact upon your operations. We also note that you recently reported unusual activity on your website and news stories indicate that the Company, like other financial institutions, has been subject to cyber attacks and breaches. In order for investors to better understand the extent to which the risk of cyber attacks may impact your business, they must be able to understand the fact that you have experienced attacks. Please revise your disclosure in future filings, starting with your next 10-Q, to disclose that you have experienced attacks to place the risk of cybersecurity breaches in context for your investors.
  • It appears that you may have experienced one or more security breaches or cyber attacks that did not result in a material adverse effect on your operations. If true, beginning with your next periodic filing, please simply state this fact so investors are aware that you are currently experiencing these cyber risks.
  • We note that it is reported that companies in your industry have been the target of cyber attacks. In your next Form 10-Q, please provide a separate discussion of the risks posed to your operations from your dependence upon technology or to your business, operations or reputation by cyber attacks. In addition, in order to provide the proper context for your risk factor disclosure, and as your letter of response suggests, please confirm that you will disclose that you have experienced cyber attacks.
  • We note that you acknowledge that you have been subject, and will likely continue to be subject, to attempts to breach the security of your networks and IT infrastructure through cyber attack, malware, computer viruses and other means of unauthorized access. It does not appear that you have previously disclosed to your investors that this risk is one that you are currently subject to and actively working to prevent. Beginning with your next Form 10-Q, please confirm that you will disclose that you have been subject, and will likely continue to be subject, to attempts to breach the security of your networks and IT infrastructure through cyber attack, malware, computer viruses and other means of unauthorized access.
  • We note that you added cyber attacks to the list of potential catastrophic events in this risk factor. In future filings, beginning with your next Form 10-Q, please provide a separate discussion of the risks posed to your operations from your dependence upon technology or to your business, operations or reputation by cyber attacks. In addition, please tell us whether you have experienced cyber attacks in the past. If so, please also disclose that you have experienced such cyber attacks in order to provide the proper context for your risk factor disclosure. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 for additional information.
  • We note your disclosure that the Company’s computer network was the target of a cyber attack that you believe was sponsored by a foreign government, designed to interfere with your journalism and undermine your reporting. We also note your disclosure that you have implemented controls and taken other preventative actions to further strengthen your systems against future attacks. If the amount of the increased expenditures in cybersecurity protection measures was or is expected to be material to your financial statements, please revise your discussion in MD&A to discuss these increased expenditures. Also, if material, please revise the notes to your financial statements to disclose how you are accounting for these expenditures, including the capitalization of any costs related to internal use software.
  • We note you disclose that you and your service providers collect and retain significant volumes of certain types of personally identifiable and other information pertaining to your customers, stockholders and employees and that a significant actual or potential theft, loss, fraudulent use or misuse of customer, stockholder, employee or your data by cybercrime or otherwise could adversely impact your reputation and could result in significant costs, fines, litigation or regulatory action against you. We note the disclosure in your latest Form 10-Q referencing prior data breach incidents. Beginning with your next Form 10-Q, please state that you have experienced data breach incidents in the past in order to provide the proper context for your risk factor disclosure. Please refer to the Division of Corporation Finance’s Disclosure Guidance Topic No. 2 for additional information.

Shareholder Litigation

Private litigants have also been focusing on public company cybersecurity disclosure. In shareholder litigation arising out of Target’s highly publicized 2013 data breach, the plaintiffs have alleged that the company’s officers and directors engaged in a pattern of wrongdoing involving breaches of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control. Specifically, the plaintiffs alleged that officers and directors breached duties of loyalty and good faith by allowing the company to release a series of false and misleading statements to the public describing the data breach, by failing to oversee the company’s business and operations, and by failing to monitor practices that resulted in the data breach. The plaintiffs’ complaint also alleged that officers and directors made the decision to conceal the full scope of the breach so as not to impair holiday sales, with the cumulative effect of these actions being a further erosion of customer confidence and damage to the company’s reputation. Shareholder suits making similar allegations against public companies are becoming increasingly common in the aftermath of cyber attacks.

Takeaways

Despite calls from some members of Congress and other groups for further Commission guidance on the topic of cybersecurity disclosure, it is not likely the Commission will take any formal action in the near term. Instead, existing law and recent Commission pronouncements should continue to guide public companies in satisfying their disclosure obligations. At a more fundamental level, public companies should address the growing cybersecurity risk head-on. Examples of proactive action for public companies include:

  • developing an appropriate enterprise-wide governance structure for addressing cybersecurity;
  • identifying and assessing sensitive data;
  • developing effective information security policies and procedures;
  • calibrating disclosure controls and procedures to encompass cybersecurity disclosure, when material;
  • assessing technical, physical and administrative protections on a continuing basis;
  • managing employee and vendor cybersecurity risks;
  • training personnel to identify risks and manage them appropriately;
  • preparing a cyber incident response plan tailored to the unique needs of a public company, including (among other things) protocols for managing investor relations, press releases, communications with regulators/law enforcement and public disclosures in the event of a cyber incident;
  • keeping the board of directors and appropriate board committees apprised of compliance efforts and enterprise risks; and
  • practicing the cyber incident response plan on a regular basis.

SEC Issues New Guidance on the Use of Social Media

On April 21, 2014, the Securities and Exchange Commission’s Division of Corporation Finance published new Compliance and Disclosure Interpretations (“C&DIs”) concerning the use of social media in certain securities offerings, business combinations and proxy contests. Notably, the C&DIs permit the use of an active hyperlink to satisfy the cautionary legend requirements in social media communications when the social media platform limits the text or number of characters that may be included (e.g., Twitter). The C&DIs also clarify that postings or messages re-transmitted by unrelated third parties generally will not be attributable to the issuer (so issuers will not be required to ensure that third parties comply with the guidance). In addition, requirements regarding cautionary legends contemplated by the C&DIs apply to both issuers and other soliciting parties in proxy fights or tender offers. Accordingly, although the new guidance will allow issuers to communicate with their shareholders and potential investors via social media, it also may prove useful to activists in proxy fights and tender offers.

Read the full client alert on the SEC’s new C&DIs.

Puerto Rico Health Insurer Reports Record Fine Following PHI Breach Incident

Triple-S Management Corporation reported in the 8-K it recently filed with the U.S. Securities and Exchange Commission that its health insurance subsidiary, Triple-S Salud, Inc. (“Triple S”), which is Puerto Rico’s largest health insurer, will be fined $6.8 million for a data breach that occurred in September 2013. The civil monetary penalty, which is being levied by the Puerto Rico Health Insurance Administration, will be the largest fine ever imposed following a breach of protected health information.

According to the filing, in September 2013, Triple S mailed pamphlets to its Medicare Advantage beneficiaries that inadvertently displayed the beneficiaries’ Medicare Health Insurance Claim Numbers. Following the breach, which affected more than 13,000 individuals, Triple S conducted an investigation, notified affected individuals and reported the incident to Puerto Rican authorities as well as the Department of Health and Human Services’ Office for Civil Rights. Triple S also offered one year of credit monitoring at no charge to the affected individuals.

According to the 8-K, Triple S was notified of the pending sanctions on February 11, 2014. In addition to the proposed monetary penalty, Triple S will be required to suspend new enrollments of Dual Eligible Medicare beneficiaries and notify existing beneficiaries of their right to disenroll from the Triple S Medicare Advantage plan. In the 8-K, Triple S noted that it is responding to the allegations that it “failed to take all required steps in response to the breach” and has the right to request an administrative hearing on the issue. The 8-K concluded by noting that Triple S is “working to prevent this type of incident from happening again.”

View the 8-K.