The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

Articles By Topic

By Topic: SEC Enforcement

  • From Vol. 3 No.2 (Jan. 25, 2017)

    FINRA Emphasizes the Importance of Proper Electronic Record Storage in Enforcement Actions

    Accurate recordkeeping is one of the core duties of broker-dealers and investment advisers. As the number of electronic records has exploded in recent years, so have the risks of hacks or other malicious acts. FINRA recently settled enforcement actions against 12 of its members, imposing a total of $14.4 million in fines, for their failures to store electronic records in “write once, read many” (commonly referred to as “WORM”) format, as well as other violations of SEC recordkeeping rules. In its press release, FINRA emphasized that the deficiencies affected hundreds of millions of records, and the need to maintain records in the WORM format because “the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.” This article explores the violations and key terms of the eight separate FINRA Letters of Acceptance, Waiver and Consent (AWCs). See also “FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer” (Dec. 14, 2016).

    Read Full Article …
  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long-prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do.  Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate.  In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement.  This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions both in cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions.  See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

    Read Full Article …
  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Polices; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations.  One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc.  The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule.  The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised.  We provide the highlights.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    After a Cyber Breach, What Laws Are in Play and Who Is Enforcing Them?

    Recent reports detail a breathtaking and unrelenting rise in cyber breaches, with five malware events occurring every second, and 60% of successful attackers able to compromise an organization within minutes.  But the law has not kept pace with technological innovation.  There is no single uniform law protecting individual privacy, nor one that governs all of a company’s obligations or liabilities regarding data security and privacy.  As Jenny Durkan and Alicia Cobb, a partner and associate, respectively, at Quinn Emanuel Urquhart & Sullivan, detail in a guest post, any business that suffers a significant cyber breach almost certainly will face not only multiple civil suits, but multiple investigations by federal and state authorities.  The authors provide a roadmap to the key authorities and the patchwork of relevant rules and regulations.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry

    The financial sector has been an obvious target of hackers for a long time.  Increased scrutiny of firms’ security from regulators, including the SEC, and customers has raised the stakes even further as firms try to stay ahead of risks.  ACA Compliance Group recently presented a program to help those regulated industries navigate the current cybersecurity landscape.  The panelists, Raj Bakhru and Marc Lotti, both partners at ACA Aponix (the cybersecurity and risk arm of ACA Compliance Group), offered insights into what advisers and fund managers may expect from regulators going forward; discussed common misperceptions about cybersecurity; and explored goals of cybersecurity and technology risk programs. 

    Read Full Article …
  • From Vol. 1 No.1 (Apr. 8, 2015)

    The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions

    When a data security incident has been identified, a company’s initial priorities include understanding, containing and remedying the vulnerabilities.  In the aftermath of a data security incident, however, companies often have to focus nearly as quickly on responding to inquiries from an expanding array of federal, state, and local regulators and law enforcement agencies, including state attorneys general and the FTC.  The SEC is a more recent entrant into the cybersecurity enforcement arena.  It has dramatically increased its focus on these issues in the last four years, and it has signaled an intent to continue to expand its efforts.  This is true not only for financial institutions subject to extensive SEC oversight – such as broker-dealers and investment advisers – but for all publicly-traded companies.  In a guest article, Daniel F. Schubert and Jonathan G. Cedarbaum, partners at WilmerHale, and Leah Schloss, a WilmerHale associate, explain the SEC’s role in cybersecurity enforcement, the SEC’s two primary theories in cyber-related enforcement actions and another theory that the SEC may use to broaden its cyber enforcement authority.

    Read Full Article …