SEC Commissioner: Firms must be prepared for cyberattacks

The U.S. Securities and Exchange Commission expects firms to be prepared for cybersecurity risks, and act in advance to take “measures to prevent and mitigate damage from these threats”, SEC Commissioner Elad Roisman said. His statements were made,in an October 29 speech to the Los Angeles County Bar Association about cybersecurity - “a topic that is becoming increasingly important for companies and regulators."

While it “is sometimes overlooked," Roisman stressed firms should know that “today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood." Thus, the SEC will not be satisfied by mere postmortem disclosure. Rather, it will inquire whether its registrants acted in advance to prepare for the attack, and to contain and minimize the attack harms once it was waged.

There is a reason Roisman continues to hammer on this point - it means that for cybersecurity threats, the SEC is stepping out of its traditional role, to focus almost exclusively on firms compliance with their disclosure obligations, and assumes a much broader and more intrusive approach, requiring firms to implement and monitor internal controls for cyber attacks.

Obligations to implement and monitor internal controls are typically imposed and scrutinized by DE judges. The SEC role, which stems from the disclosure obligations of the 33 and 34 acts, is typically related to imposing and monitoring proper disclosure.

Nevertheless, Roisman points to public firms obligations, under the Securities Exchange Act of 1934, to devise internal accounting controls and monitor them, as a source for the SEC power to scrutinize firms actions in preparation and response to cyberthreats and attacks.

Being aware of the significance of this approach, Roisman noted that the SEC has subscribed to it for a while now. In particular, he explained, as far back as 2018 the SEC issued guidance to public firms on coping with cyber security threats, making it clear that “a company’s cybersecurity responsibilities go beyond disclosures and disclosure controls. It can also implicate internal controls over financial reporting.”

The guidance advised firms that “cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws," but in effect it focuses primarily on firms’ obligations to disclose.

However, the SEC has indeed already taken a significant step in that direction. As Roisman noted, “shortly after the Commission’s 2018 disclosure guidance, the Commission issued a ‘21A report’ regarding an investigation into nine issuers who had been victims of cyber fraud... The issuers collectively lost $100 million to these schemes. We stressed in the report that companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) of the Securities Exchange Act of 1934 to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds."

Disclosure obligations and firms’ compliance with them were not the focus of any of these investigations, nor was the 21A report. Rather, the SEC focused on the controls that firms should implement to protect against such attacks and minizmie their damage. And as the 21A report concludes, firms have an obligation to implement and monitor such internal controls: “Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly."

Finally, Roisman stressed the need “to respond promptly to known breaches, by adopting and implementing firm-wide enhanced security measures, as well as the need to communicate accurately with affected clients regarding breaches'." He described three cases in which the SEC brought actions against broker firms, who, after having their email system taken over by an attacker, did not act promptly enough to protect their customers. One of the companies the SEC brought action against was Cetera Entities, the attack on which exposed personal information of more than 4000 customers, since “none of the taken over accounts were protected in a manner consistent with the Cetera Entities' policies." Also, the SEC's order found that the company “sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents." 

These enforcement actions, Commissioner Roisman believes, are important for “market integrity” and “investor protection”, as well as “a robust national economy and ultimately for national security."