By Amanda Maine, J.D.
Securities Enforcement Forum West 2021, a virtual event hosted by the Securities Docket, featured a panel discussion on the SEC’s focus on cybersecurity issues, including disclosure, enforcement, and how companies and regulated entities should approach cyber intrusions by malicious actors. The panelists discussed when to contact government officials in the event of a cyberattack, factors to be considered when disclosing an attack to the government and investors, and the role of due diligence in engaging vendors.
SEC’s view. Brent Wilner, senior counsel in the SEC’s Cyber Unit, outlined how the Enforcement Division looks at cybersecurity issues. He pointed out that Gary Gensler was sworn in as the new SEC chair only recently and that the Cyber Unit intends to follow his lead and his priorities. However, Wilner noted that cybersecurity threats present an ever-growing risk that regulators and enforcement officials must address.
Wilner said that the Cyber Unit’s efforts can be described in two parts: regulated entities and public companies. Regulated entities, including broker-dealers, investment advisers, and self-regulatory organizations, are subject to SEC rules mandating controls on cybersecurity and customer data, including Regulation S-P, Regulation S-ID, and Regulation SCI. Wilner highlighted a recent settled enforcement proceeding brought against GWFS Equities, a broker-dealer focused on retirement services. GWFS agreed to pay a $1.5 million civil penalty to settle charges that, despite being aware of increasing attempts by external bad actors to gain access to the retirement accounts of individual plan participants, it failed to file approximately 130 Suspicious Activity Reports (SARs) as required by the federal securities laws.
Regarding public company issuers, cybersecurity is implicated by the disclosure and internal accounting controls requirements, Wilner said. Public companies must evaluate when a cyber intrusion should be disclosed to the public and should consider cyber threats when implementing internal accounting controls.
View from the defense bar. Panel moderator John Reed Stark, president of John Reed Stark Consulting LLC, asked Susan Resley of Morgan Lewis & Bockius what she advises her clients when they tell her that they have experienced a cyberattack. According to Resley, while it won’t "get you over the finish line" when talking to the SEC, it doesn’t hurt to remind the staff that the company or firm is the victim in cases of cyberattacks. She also stressed the importance of having a plan in place to respond to the attack. When there is a cyber breach, the SEC will want to know about the company’s disclosure controls, internal controls, and its insider trading policy, she advised. There must be a system in place because these types of events cannot be handled "on the fly," she warned.
Jack Bennett, managing director in the Cyber Risk practice at Kroll, echoed these sentiments. In addition to the necessity of having a plan in place, it is important to have a relationship with people before you need them, he said. Bennett also voiced his support for independent third-party assessments of a company’s cyber response plans. Using a third-party assessment can show that a company is thoughtful and is taking necessary precautions. If the company is taken to court over a cyber intrusion, this independent assessment can show that despite the company’s efforts to be proactive, it still got hit, which can demonstrate reasonableness, Bennett remarked.
Communicating with enforcement officials and the public. Stark inquired when a company should contact the government, such as the SEC or the FBI, about a cyberattack. Resley said that it is possible to give a high-level description of the breach without waiving privilege, but counsel must be mindful that class action plaintiffs may want to bring suit against the company, and once the SEC is told what happened, it is harder to argue that the information is privileged. She also noted that while the SEC cannot tell a company to waive its privilege, not revealing more information could lead to the loss of cooperation points in settlement negotiations.
Bennett said the time to talk to the FBI and other enforcement officials is not in the middle of a crisis because they will be seeking documents, which can get in the way of the company’s own response. He advised that companies get to know their local FBI branch and its cyber unit and have a conversation early on.
There are also questions about when a cyberattack should be disclosed to the public, including investors, Resley said. When making a disclosure to investors, it must be meaningful, she advised. It is not enough to say just that the company had a breach. If a disclosure is made, the company needs to say what occurred, how it occurred, and who was affected, Resley recommended.
Due diligence for vendors. Stark also asked what kind of due diligence should be undertaken by companies in selecting vendors. Resley remarked that a cyberattack on a vendor is a tough situation because not only is the company a victim, it has little control over the situation. She advised engaging with an established entity as opposed to a "fly-by-night" company and following up on the vendor. The level of due diligence required may depend on what kind of data the vendor is hosting, she added. For the company’s "crown jewels," one would expect a high level of due diligence work.
Wilner noted that guidance from the Office of Compliance Inspections and Examinations (OCIE, now the Division of Examinations) features some tangible observations about vendor management, including establishing a vendor management program to ensure that vendors meet security requirements and that appropriate safeguards are implemented; understanding vendor relationships, including all contract terms; and monitoring the vendor relationship to ensure that the vendor continues to meet security requirements and to be aware of changes to the vendor’s services or personnel.
He also drew attention to the SEC’s 2018 investigative report on cyber threats. In addition to outlining business email compromises at companies, the report highlighted how impersonators posing as a company’s actual vendors gained access to critical account information.