SEC Considering More Stringent Requirements For Cybersecurity Disclosures in the Wake of Stock Manipulating Hacking Case

Following up on clues earlier this year that the SEC may increase its scrutiny of cybersecurity disclosures, SEC Chairman Mary Jo White has asked the Commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary.  White asked the Commission to assemble a report on general practice and compliance with existing guidelines, and to make recommendations for future guidance.  White has not yet committed to changing the current guidelines, issued in October 2011, pending issuance of the report.

Senator Jay Rockefeller, who disclosed the Chairman’s directive, has recently encouraged the SEC to provide further guidance on cybersecurity disclosures.  He has already sponsored legislation in this arena, including the Cybersecurity Act of 2012, which would have pushed the private sector to share internal information within the industry and with government agencies.  The proposed 2012 legislation would also have encouraged the enactment of protective measures for computer networks.  Senator Rockefeller has expressed concern about the lack of information regarding cybersecurity risks, and appears poised to push for additional disclosures.

The SEC’s review of its guidelines comes on the heels of the May 13, 2013 sentencing of Christopher Rad.  Mr. Rad was convicted of a global conspiracy to use spam emails, virus-infected computers, and hacked brokerage accounts to manipulate the price and volume of a number of different stocks.  In particular, the Justice Department claimed that Rad coordinated with hackers in Russia and China to artificially inflate the volume of the targeted stocks, both with spam campaigns using virus-infected computers and by hacking into brokerage accounts in order to use those accounts to buy and sell stocks.  Rad’s scheme purportedly netted him approximately $2.8 million. Rad was sentenced to 71 months in prison and five years of supervised release, and was fined $30,000, with restitution to be determined at a later date.

Rad’s purported hacking scheme demonstrates the breadth of cybersecurity risks in the securities markets, both from direct attacks on companies and indirect stock manipulation.  Similar stories have emerged over the last few years, including hacked brokerage accounts, identity theft, and stock manipulation.  Some or all of these issues may be addressed by future legislation or by the SEC upon completion of its report.