Close
Updated:

SEC Looks to Tighten its Grip on Cybersecurity Measures

In light of the ever-expanding role of digital technology in daily life, along with a string of recent high-profile cyberattacks, it is fitting that the Securities and Exchange Commission (“SEC”) has included cybersecurity risks on their 2021 regulatory agenda. The SEC last provided cybersecurity guidance in 2018, though critics argue that the 2018 Guidance was insufficient and merely reiterated the SEC’s formal guidance from 2011. [1] However, given recent executive-branch interest in cybersecurity issues, it is predicted that cybersecurity rules set forth in 2021 will offer more actionable and concrete protective measures for investors.  [1]

As a vast swath of sensitive, personal data is shared in the digital space, and as businesses and the government rely increasingly on complex computing systems to maintain their operations, cyber risks have multiplied exponentially. Cyber attackers target sensitive personal data in an effort to compromise a business, a business’s clients, or the public at large, often while demanding a ransom.

So far in 2021, numerous cyberattacks have taken place. Most notably, the Colonial Pipeline was hacked in May, resulting in gasoline shortages across the Southern United States, and in June, a cyberattack on a large meat manufacturer halted a quarter of all beef operations in the United States for two days. [2] Countless other large- and small-scale cyberattacks occur regularly, amplifying the need for investor protection from such future occurrences.

The SEC’s renewed focus on cybersecurity risks expands beyond their commitment to adopting additional cybersecurity guidance and regulations – it is also echoed in recent enforcement actions they have taken.

In recent months, the SEC has levied charges against two large companies in connection with cybersecurity deficiencies. First, in May, the broker-dealer GWFS Equities (“GWFS”) was charged with violations of federal securities laws which require the filing of Suspicious Activity Reports (“SARs”).  [3] The SEC found that GWFS had failed to file SARs for approximately 130 instances of bad actors what had attempted to access customer data and retirement accounts. [3]

The Director of the SEC’s Denver office, Kurt Gottschall, noted that GWFS’s failure to file SARs for suspicious activity “deprived law enforcement of critical information relating to the threat that … bad actors pose to retirees’ accounts,” highlighting the risks associated with a company skirting cybersecurity regulations. [3] Although GWFS neither admitted to nor denied the SEC’s charges, a settlement was reached, resulting in a hefty $1.5 million penalty as well as an order for GWFS to cease any further violations of this kind. [3]

Then, in June, the SEC charged First American Title Insurance Company (“First American”) with violations to disclosure controls which posed cybersecurity threats to sensitive customer data. [4]. The SEC alleged that First American was deficient in reporting cybersecurity vulnerabilities, and a settlement agreement was reached with a $484,000 penalty against First American. [4]

Moving forward, the SEC has made clear its intention to foster cybersecurity protections. In particular, the SEC will likely create or strengthen cybersecurity disclosure obligations of public companies, whose investors are put at risk when breaches and attacks occur. While the new SEC rules won’t be made public until this Fall, public companies should prepare themselves by remaining vigilant in their efforts to protect customers and investors from the litany of cybersecurity threats that exist each day.

Sources:

[1] https://www.jdsupra.com/legalnews/sec-increasingly-turns-focus-toward-3610987/

[2] https://nymag.com/intelligencer/article/ransomware-attacks-2021.html

[3] https://www.sec.gov/news/press-release/2021-82

[4] https://www.sidley.com/en/insights/newsupdates/2021/06/sec-announces-settled-charges-against-first-american-for-cybersecurity-disclosure-controls-failures

Contact Us