Tuesday, May 19, 2020

Enforcement Forum panelists examine cybersecurity and the use of data analytics, AI in SEC investigations

By Amanda Maine, J.D.

While much of this year’s virtual Securities Docket Enforcement Forum West conference focused on the impact of the COVID-19 pandemic on securities enforcement and litigation, SEC officials and securities litigators were eager to share their thoughts on other important enforcement issues, including how and when to disclose cybersecurity attacks and the SEC’s use of data analytics, artificial intelligence, and machine learning to advance its enforcement efforts. Cybersecurity will continue to be a priority, not just in enforcement, but also for compliance exams. The SEC will also continue to use technology to track trading patterns for identifying illegal practices such as insider trading and churning.

Cybersecurity focus. John Berry, a partner at Munger, Tolles & Olson and former associate regional director for the SEC’s Los Angeles office, said that the SEC has made cybersecurity enforcement a priority, as evidenced by a recent publication by the SEC’s Office of Compliance Inspections and Examinations (OCIE) outlining its observations on cybersecurity gleaned from thousands of examinations. The publication noted that OCIE has published eight risk alerts related to cybersecurity.

Berry referred to two SEC enforcement actions highlighting the Enforcement Division’s focus on cybersecurity. Voya Financial Advisors, a dually-registered broker-dealer/investment adviser, agreed to pay $1 million to settle charges that it violated Regulation S-P (the Safeguards Rule) and Regulation S-ID (the Identity Theft Red Flags Rule). The SEC’s order found that Voya lacked policies and procedures that could have prevented outside actors from gaining access to usernames and passwords in violation of Reg. S-P and Reg. S-ID. In the second case, Morgan Stanley Smith Barney was penalized $1 million for lacking policies and procedures that should have prevented an employee, who was later hacked by a third party, from downloading and transferring confidential customer data to his personal server at home. Berry noted that client funds in both cases were not lost from the intrusions, but the SEC’s response shows that protecting customer information is important and that the Enforcement Division will pursue these cases even if the customer funds themselves were not affected.

Panel moderator Peter Altman of Akin Gump posed a scenario in which a former compliance officer who had left a hypothetical firm gained access to customer accounts and inquired how firms should approach this kind of breach. Ken C. Joseph of Duff & Phelps said that situations like this illustrate why incident response plans are necessary. A firm in this scenario should engage outside counsel, form a team to investigate the incident and preserve all data and logs, and communicate with management. The firm should also engage disclosure counsel to determine if the breach created a disclosure obligation, Joseph said.

Altman asked the panelists why companies should report cyber incidents to the government and asked if it is really in their best interests. Brent Wilner, senior counsel in the SEC’s Cyber Unit, said that the enforcement staff and the Commission are mindful that when a cyberattack occurs, the company or entity is the victim of the crime. Wilner stressed that the Division has taken a “measured enforcement approach” that encourages firms to cooperate in such an event. In general, Enforcement will try to avoid second-guessing good faith decisions, and if a firm handled a cyberattack reasonably, the SEC will recognize this, Wilner advised.

However, Wilner warned against hiding cyber breaches from the SEC, especially if “the facts are bad.” He cited the SEC’s enforcement action against the company formerly known as Yahoo!, which had experienced what was at the time the largest-ever cyber theft of user information and failed to disclose it for nearly two years. Wilner added that the SEC has good relationships with other regulators and law enforcement agencies and advised that companies whose systems were targeted by criminal elements should consider informing the criminal authorities about it in addition to the SEC.

Artificial intelligence and data analytics. The evolving role of data analytics and artificial intelligence (AI) in conducting securities investigations was also a topic of discussion at the conference. Tracy Davis, an assistant regional director in the SEC’s San Francisco office, said that the SEC has made use of data analytics to bring insider trading cases. Compared to 20 years ago, when the staff would have to examine blue sheets in a manual process to identify possible patterns of insider trading, now the staff can make use of data analytics to identify anomalous trades or trading relationships, she said, such as a spike in trading in the securities of a particular issuer before a big announcement.

The use of data analytics to identify insider trading patterns also gives the enforcement staff the benefit of being able to work covertly, Davis remarked. By doing so, it is less likely that a target will get tipped off about an investigation and try to flee the country, which gives the SEC time to file an emergency action and to freeze assets and bank accounts, Davis observed.

The SEC has used data analytics and AI tools in other areas aside from insider trading, Davis said. For example, the SEC uses data analytics for risk assessment to help determine where the staff should focus its resources for examinations. Davis also noted that data analytics and AI are used to review filings such as Forms 10-K and Forms 10-Q and to pull information out of them, including particular disclosures, such as disclosures relating to COVID-19.

Data analytics and AI can also help the staff track down incidents of market manipulation, according to Davis. This includes identifying individuals who are engaged in misconduct related to thinly-traded stocks, as well as individuals who have been the subject of a suspension or an associational, an officer-and-director, or a penny stock bar. The SEC has an internal system to keep track of individuals who have been suspended or barred and will use AI to pull that information together to scan for those names in SEC filings, Davis explained.

Davis also noted that the SEC uses data analytics to go after incidents of churning, where brokers execute trades solely for the purpose of generating fees and commissions. With the use of AI, the staff can identify anomalous trades by specific brokers that might suggest that they are engaged in a pattern of churning, Davis remarked.