Although the Securities and Exchange Commission (SEC) and New York State Department of Financial Services (NYDFS) have both focused on cybersecurity for many years, recent actions from both agencies demonstrate that cybersecurity is—and will remain—a high enforcement priority. The SEC’s Office of Compliance Inspections and Examinations (OCIE) recently released important guidance that suggests that this evolving area might become an even greater priority for the Commission in the near future. Similarly, the NYDFS recently filed charges in its first enforcement action under the NYDFS cybersecurity regulation, 23 N.Y.C.R.R. Part 500 (Part 500). We discuss both of these developments (and other cyber-related issues) below.
OCIE Risk Alert
On July 10, OCIE issued a risk alert that encouraged market participants to monitor alerts published by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and share information about threats with their third-party service providers.
More importantly, the OCIE risk alert provided market participants with the staff’s observations regarding “how to enhance cybersecurity preparedness and operational resiliency to address ransomware attacks.” In that regard, OCIE noted that certain registrants utilized the following measures:
- Assessing, testing, and periodically updating incident response and resiliency plans (e.g., policies and procedures governing ransomware attacks) including processes to notify management and compliance as well as external constituencies (e.g., customers and regulators).
- Reviewing “operational resiliency” including an assessment of which systems can be restored and ensuring adequate back-up procedures for important data.
- Implementing appropriate controls and safeguards including the use of current technology, managing user access through systems and procedures that limit access as appropriate, and implementing perimeter security controls.
We encourage registrants to read OCIE’s risk alert in its entirety and assess the need to revise applicable policies, procedures, systems, and controls. Importantly, OCIE’s carefully worded alert notes that its current guidance is based on “observations” from its reviews of cybersecurity programs at registered entities, suggesting that OCIE views such measures as the industry standard in 2020. Accordingly, we expect OCIE examiners to have this risk alert close at hand when drawing conclusions with respect to the adequacy of a firm’s supervisory, compliance, and other risk management systems. Mindful of the fact that today’s examination priorities become tomorrow’s enforcement priorities, we strongly suggest that registrants assess their cybersecurity and make any necessary revisions to conform to OCIE’s view of the industry standard.
Additional Measures Foreshadow an Increase in SEC Cybersecurity Enforcement
The cautionary tone of OCIE’s guidance is consistent with the SEC’s views and recent actions on cybersecurity. On July 28, the SEC announced the creation of a new specialized unit within OCIE designed to rapidly respond to current market threats and critical matters. Not surprisingly, this “Event and Emerging Risks Examination Team” (EERT) was specifically tasked with addressing cybersecurity incidents (and other significant market events that could have a systemic impact or that place investor assets at risk). In light of the EERT’s mission of rapidly responding to market crises, we would not be surprised to see enforcement actions resulting from this initiative in short order. It is worth noting that Adam Storch, the individual tapped by SEC Chairman Clayton to lead the EERT, has an enforcement background serving as the Enforcement Division’s Managing Executive and Chief Operating Officer before returning to private practice.
The SEC brought several cybersecurity cases in recent years, and we expect the Commission to continue to focus enforcement resources on cyber-related misconduct. In 2017, the SEC created the Cyber Unit within the Enforcement Division, which focuses on market manipulation schemes, hacking efforts to obtain and trade on material nonpublic information, misconduct on the dark web and violations involving distributed ledger technology. Tellingly, in December 2019, Chairman Clayton appointed one of his close advisors on enforcement matters, Kristina Littman, to serve as the second director of the SEC’s Cyber Unit—emphasizing cyber-related misconduct as a priority at the highest levels within the SEC. And while there is uncertainty as to the remaining length of Chairman Clayton’s tenure, we expect that cyber enforcement will remain a priority regardless of the political regime.
Since its inception, the Cyber Unit has brought enforcement actions related to cybersecurity controls and disclosures regarding cyber incidents and risks. The unit has also focused on insider trading on the basis of information obtained through breaches and cyber-related market manipulation. Over the past three years, the unit’s staff has acquired deep expertise regarding digital assets, initial coin offerings, and cryptocurrencies.
First Enforcement Charges By NYDFS Under Part 500
On July 21, 2020, NYDFS filed charges against First American Title Insurance Company alleging deficiencies in the company’s cybersecurity program in violation of Part 500 (New York’s cybersecurity regulations applicable to financial institutions). The NYDFS alleged that the company’s inadequate cybersecurity systems resulted in a significant breach of sensitive nonpublic information including personally identifiable information. The NYDFS also alleged that the company failed to have required controls including: (1) adequate cybersecurity policies and procedures, (2) a periodic risk assessment process to evaluate the program, (3) access controls to properly limit access to sensitive data, (4) training for all personnel regarding the handling of sensitive information, and (5) encryption or alternate compensating controls for sensitive data in transit and at rest. The NYDFS alleges that these control failures not only led to the vulnerability that caused the breach, but also prevented the breach from being handled properly when it occurred. The vulnerability that revealed sensitive information was present in the company’s systems for several years; however, according to the NYDFS, even after the company discovered the vulnerability, it was not remediated for several months.
The NYDFS enforcement action demonstrates New York State’s commitment to cybersecurity and willingness to bring enforcement actions to ensure compliance with Part 500. It also highlights the importance of supervising and reviewing all cybersecurity events. Prompt and adequate attention must be paid to all alerts of possible breach. In the First American case, the initial vulnerability was misclassified and therefore not addressed for five months. The enforcement action charges that the response to the incident failed to follow policies and procedures and was not handled with sufficient seriousness. This action demonstrates the importance of carefully reviewing and addressing all vulnerabilities identified, and doing so in a timely manner. Finally, this case illustrates the importance of having a strong culture of compliance regarding cybersecurity issues.
The Twitter Breach and the Government’s Response
On July 15, hackers hijacked approximately 130 Twitter accounts—including those belonging to Barack Obama, Joe Biden, Warren Buffett, and Elon Musk—and sent messages from those accounts to promote a cryptocurrency offering. The compromised accounts posted the address of a bitcoin wallet and claimed that investors were guaranteed to receive returns equal to twice the amount that they invested.
On July 31, criminal investigators with the Internal Revenue Service announced charges against three individuals for their roles in perpetrating the Twitter attack. The IRS’s investigation is ongoing, and other law enforcement agencies, including the FBI, are also conducting inquiries. New York Governor Andrew Cuomo has called on New York State authorities to probe the breach for potential violations of state law, and Florida authorities are also working closely with federal investigators (the three individuals arrested by the IRS are Florida residents). Twitter has also announced that it is conducting an internal investigation and that it is enhancing its cybersecurity safeguards and controls.
Although the SEC has not disclosed that it has also launched an investigation, it would not be surprising if the agency is conducting a non-public inquiry of the breach to determine whether the federal securities laws were violated. That investigation would likely be conducted by the Cyber Unit, which has garnered considerable substantive expertise in investigating crypto-related offering frauds. In December 2017, just two months after the unit was created, the Cyber Unit brought its first enforcement action in the context of an initial coin offering in which fraudsters falsely claimed that the securities at issue would generate a 1,354 percent profit in under a month. And just last month, the Cyber Unit—working closely with the Enforcement Division’s Asset Management Unit—filed an emergency action and obtained a temporary restraining order to halt an offering fraud that was perpetrated by a private fund that purported to invest in digital assets.
The Cyber Unit also has substantial experience investigating complex fraud involving hacking. In January 2019, the SEC announced an enforcement action against various traders who traded on confidential information that they stole while hacking the SEC’s EDGAR database. EDGAR contains, among other information, periodic reports filed by many issuers of securities, and the Defendants obtained information from the database shortly before it was made public. In resolving the EDGAR enforcement action with two traders, the Commission touted “the SEC’s ability to investigate complex schemes conducted both here and abroad to hold their perpetrators accountable.” In light of the egregious nature of the misconduct and the difficulty in deterring and detecting cyber-related fraud, expect the SEC to continue to take aggressive positions in this area, including potentially in connection with an eventual enforcement action against the perpetrators of the Twitter hack.
This article originally appeared on pillsburylaw.com.
© 2020 Pillsbury Winthrop Shaw Pittman LLP