Cybersecurity

Looking Out for Main Street: SEC Focuses on Retail, Cybersecurity and Cryptocurrency

The Commissioners and senior officials of the Securities and Exchange Commission (“SEC” or “Commission”) addressed the public on February 23-24 at the annual “SEC Speaks” conference in Washington, D.C. Throughout the conference, many speakers referred to the new energy that SEC Chairman Jay Clayton had brought to the Commission since his confirmation in May 2017. The speakers also seemed relieved that the SEC was finally operating with a full set of commissioners since the recent additions of Robert J. Jackson, Jr. and Hester M. Peirce. Clayton’s address introduced the main refrain of the conference: that the SEC under his leadership is focused on the long-term interests of Main Street investors. Other oft-repeated themes included the challenges presented by cybersecurity and the fast-paced developments in cryptocurrency and blockchain. To address these shifts in focus, the Enforcement division plans to add more resources to the retail, cybersecurity and cryptocurrency spaces.

Following are the key litigation and enforcement takeaways.

Main Street Investors

Commissioner Kara Stein picked up on Clayton’s Main Street investors focus when she asked whether increasingly complex and esoteric investments, such as product strategies and structures that utilize derivatives, were appropriate for retail investors. She explained that it was not a question whether the financial industry could develop and sell these products, but whether it should. She said it was not clear that financial professionals fully understood the products they were selling, and that even if brokers and advisers made disclosures regarding the potential outcomes and risks to investors, complete disclosures might not even be possible due to the products’ complexity. Both SEC and FINRA Enforcement have brought actions related to the sales practices of inverse and leveraged ETFs, as well as the purchase and sale of complex products. Stein opined that gatekeepers needed to remember the real people behind every account number when they were advising clients on how to handle these types of products.

Steven Peikin, Co-Director of the Division of Enforcement, described the SEC’s Share Class Selection Disclosure Initiative as one way in which Enforcement was trying to help Main Street investors. The Initiative was created to address the problem of investment advisers putting their clients into higher fee share classes when no fee or lower fee classes were available. The SEC is incentivizing advisers to self-report this issue by promising not to impose any penalties, and only requiring them to disgorge their profits to investors. Peikin encouraged investment advisers to take advantage of this opportunity, indicating that if the Commission learned that an adviser had engaged in this conduct and did not self-report, it would be subject to significant penalties. The Chief of the SEC’s Broker-Dealer Task Force shared that AML programs and SAR-filing obligations are also a priority for the Enforcement division and OCIE exams. READ MORE

The SEC Wants to Know What’s Next for Blockchain: Are You Keeping Up?

On October 12, 2017, the United States Securities and Exchange Commission’s Investor Advisory Committee met to discuss Blockchain technology and its impact on the securities industry. While Blockchain is best known as the decentralized accounting system that make transactions in Bitcoin and other cryptocurrencies possible, the panel of industry professionals and academics emphasized its potential to transform “mainstream” financial recordkeeping in a way that makes executing and recording all financial transactions more secure and efficient.

SEC Chairman Jay Clayton, who oversaw the proceedings, explained that the Commission seeks to explore the ways in which Blockchain can promote robust and competitive markets, while ensuring that investors are protected and federal securities laws are applied to transactions in cryptocurrencies made possible by the technology.

READ MORE

SEC Chairman Testifies About SEC’s Direction and 2016 Cyberattack

On September 26, 2017, SEC Chairman Jay Clayton testified before the Senate’s Banking, Housing and Urban Affairs Committee regarding the direction of the SEC under his Chairmanship. He also took the opportunity to address the 2016 cyberattack on EDGAR, the agency’s electronic filing system.

As in his first public speech as SEC Chair, in July 2017, Chairman Clayton’s testimony reveals his focus on issues related to cybersecurity, capital formation, and enforcement actions addressing traditional forms of fraud and misconduct. His testimony further reveals his position that regulations should be retroactively evaluated and relaxed as necessary, in order to account for the direct and indirect costs of compliance.

Below are key highlights of Chairman Clayton’s testimony:

READ MORE

New Year, Similar Priorities: SEC Announces 2017 OCIE Areas of Focus

On January 12, 2017 the SEC announced its Office of Compliance Inspections and Examinations (OCIE) priorities for the year, including areas of focus for Retail Investors, Senior Investors and Retirement Investments, Market-wide risks, FINRA oversight, and cybersecurity.  These priorities reflect an extension of previous years’ commitments, in particular with regard to focus on the retirement industry and cybersecurity.  The “Regulation Systems Compliance and Integrity” (Regulation SCI) adopted by the SEC in November 2014 will also be a continued focus.

Once again, protection of retail investors is of primary concern for the OCIE. Among the detailed areas of focus are examining risks related to electronic investment advice, “wrap fee” programs where investors are charged a single fee for bundled advisory and brokerage services, and “Never-before examined” Investment advisers, an initiative that was started in 2014 to engage with newly-registered advisers that had never-before been examined.  Examination of Exchange-Traded funds (ETFs) and continuation of the ReTIRE initiative are two carryovers from 2016 priorities .  The OCIE previously identified ETFs, which are sometimes seen as alternatives to mutual funds, for examination related to compliance with the Securities Exchange Act of 1934 and the Investment Company Act of 1940. ReTIRE, launched in June 2015, places particular focus on those SEC-registered investment advisers and broker dealers who offer retirement-oriented investment services to retail investors, including examining whether there is a reasonable basis for the recommendations made.  This year, the SEC will expand ReTIRE to include “assessing controls surrounding cross-transactions, particularly with respect to fixed income securities.”

READ MORE

The SEC Audit Trail – Several Industry Groups See Problems as Currently Proposed

Last week, several securities industry groups filed critical responses to the SEC’s plan for an audit trail.  While most groups that commented on the SEC’s proposed regulation supported implementing the proposal, several had concerns regarding the cost for investors and firms, and the protection of private data.

READ MORE

Shareholder Derivative Suit Following Data Breach Misses Target

On July 7, 2016, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Defendants’ Motions to Dismiss a shareholder class action that had been initiated following a 2013 holiday season data breach involving customers of Target Corporation (“Target,” or “the Company”).  The data breach, which resulted in the release of information of approximately 70 million consumer credit and debit cards, made headlines as one of the biggest privacy hacks at the time.  Initially disclosed to the public in December 2013, with an estimated 40 million credit and debit cards affected, Target subsequently revealed a little less than a month later that additional consumer data, including customers’ names, mailing addresses, phone numbers and email addresses, were also stolen, and increased its initial estimate to 110 million.

READ MORE

International Hacking and Insider Trading Scheme Exposes Cybersecurity Vulnerabilities at Third-Party Vendors

On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme.  According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information.  In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action.  The SEC’s enforcement action may be a harbinger of events to come.  As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.

READ MORE

Going for Brokerage: SEC Report Highlights Best (and Worst) Practices in Cybersecurity Preparedness

cybersecurity

On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts.  FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.

The National Exam Program Risk Alert, “Cybersecurity Examination Sweep Summary” summarizes cybersecurity practices and policies of 57 registered broker-dealers, and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).  These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement.  It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture, accordingly.  They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.

READ MORE

Where There’s Thunder, There’s Lightning: SEC’s Investigation of IBM’s Cloud Computing Accounting May Be a Harbinger of a New Enforcement Focus

Pen and Calculator

Cloud computing may be the next shoe to drop. On the heels of Mary Jo White’s recent appointment as Chairman of the SEC and predictions that it may refocus enforcement on accounting fraud came word last week that the Commission is investigating IBM’s cloud-computing accounting. In an SEC filing, IBM defended its revenue accounting for cloud-based services, stating “[w]e are confident that the information we have provided has been consistently accurate.”

This may just be the tip of the iceberg for an industry estimated by some analysts to generate global revenues of $131 billion this year, 60% of which originate in the United States.

Cloud computing has no single definition but one basic expression would be the practice of storing and accessing information on servers accessed through the Internet. There are many cloud-computing business models, including Infrastructure as a Service (“IaaS”), in which customers access computing power, such as servers, through physical equipment owned by the provider; Platform as a Service (“PaaS”), in which customers use a provider’s computing environment—including operating systems, programming languages, and databases—to create applications remotely; and Software as a Service (“SaaS”), services that allows users to operate software remotely. Google Documents and the e-Discovery platform Relativity are just two cloud-based services that readers may be familiar with. READ MORE

Recent Study Finds Cybersecurity Disclosures May Fail to Meet SEC Guidelines

Hackers aren’t the only ones after company information. Earlier this week, Wills Fortune 500, a unit of Wills Group Holdings, a global insurance broker providing insurance and risk management services, made available its own report  tracking the response by Fortune 500 companies to the SEC’s October 2011 guidelines for cybersecurity disclosures. The report’s key findings include that, as of April 2013, 85% of Fortune 500 companies were following the SEC guidelines and providing some level of disclosure of cyber exposures. However, close to 40% of the companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of the impact. As such, the report concluded that the question whether company disclosures rise to the level mandated by the SEC is debatable, given the paucity of information regarding the probability of incidents and their quantitative and qualitative magnitude.

In light of the findings of the Willis Fortune 500 report, it’s not surprising that SEC Chairman Mary Jo White had previously asked the Commission to evaluate compliance with current guidelines for cybersecurity disclosures, assemble a report on the general practice and compliance with the existing guidelines, and make recommendations for further guidance.