Cybersecurity continues to be “top-of-mind” for the Securities and Exchange Commission (SEC). That point couldn’t have been made clearer than in the remarks delivered during the annual “SEC Speaks” conference in Washington, D.C. on February 23 and 24. Read more for a full summary of the conference, including the SEC’s discussion of cybersecurity-related risk and incident disclosures, the Enforcement division’s formation of a Cyber Unit in the fall of 2017, and the SEC’s increased emphasis on the need for insider trading policies that address the impact of cyber events.
In a much-anticipated move, on March 2, 2016, the Consumer Financial Protection Bureau (CFPB) entered the cybersecurity fray with its first enforcement action against Dwolla, Inc., an online payment processing start-up. Pursuant to its authority under Sections 1031(a) and 1036(a)(1) of the Consumer Financial Protection Act of 2010, the CFPB fined Dwolla $100,000 and secured a five-year consent order imposing strict requirements on management and the Board of Directors. This CFPB enforcement action offers important insights into the contours of “reasonable cybersecurity” for certain financial services entities, and important lessons for conducting cybersecurity risk assessments. These issues dovetail with significant activity we recently reported on in the cybersecurity arena by the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Trade Commission (FTC), the Department of Health and Human Services’ Office for Civil Rights (HHS-OCR), and a host of other state and federal regulators.
On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme. According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information. In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action. The SEC’s enforcement action may be a harbinger of events to come. As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.