SEC Commissioner: Firms must be prepared for cyberattacks
The U.S. Securities and Exchange Commission is stepping out of its traditional disclosure-focused role and requires firms to implement and monitor internal controls for cyber risks
However, the SEC has indeed already taken a significant step in that direction. As Roisman noted, “shortly after the Commission’s 2018 disclosure guidance, the Commission issued a ‘21A report’ regarding an investigation into nine issuers who had been victims of cyber fraud... The issuers collectively lost $100 million to these schemes. We stressed in the report that companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) of the Securities Exchange Act of 1934 to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.”
Disclosure obligations and firms’ compliance with them were not the focus of any of these investigations, nor of the 21A report. Rather, the SEC focused on the controls that firms should implement to protect against such attacks and minimize their damage. And as the 21A report concludes, firms have an obligation to implement and monitor such internal controls: “Public issuers subject to the requirements of Section 13(b)(2)(B) must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”
Finally, Roisman stressed the need “to respond promptly to known breaches, by adopting and implementing firm-wide enhanced security measures, as well as the need to communicate accurately with affected clients regarding breaches.” He described three cases in which the SEC brought actions against broker firms that, after having their email systems taken over by an attacker, did not act promptly enough to protect their customers. One of the companies the SEC brought action against was Cetera Entities; the attack on it exposed personal information of more than 4000 customers, since “none of the taken over accounts were protected in a manner consistent with the Cetera Entities' policies.” The SEC's order also found that the company “sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.”
These enforcement actions, Commissioner Roisman believes, are important for “market integrity” and “investor protection”, as well as for “a robust national economy and ultimately for national security.”