The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: SEC

  • From Vol. 3 No. 7 (Apr. 5, 2017)

    Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media 

    The advent of Twitter, Facebook, LinkedIn and other social media forums has had a dramatic impact on society at large, including the investment funds industry. Yet, investment advisers and firms may not fully grasp the compliance and operational risks that new technologies and sites can pose. Questions abound as to whether social media can be used to provide material information to certain investors at the expense of others, when the line is crossed from informational content to marketing a fund and whether the social media accounts of individual employees and representatives need to be monitored for compliance purposes. In-house compliance officers, outside counsel and an SEC branch chief in the Chief Counsel’s Office of the SEC’s Division of Investment Management discussed and offered insights on these issues at a recent Regulatory Compliance Association PracticEdge session. See also “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017).

  • From Vol. 2 No. 21 (Oct. 19, 2016)

    SEC Emphasizes Protecting Information From More Than Just Cyber Threats in Deutsche Bank Case

    While regulators and companies have recently focused on cybersecurity efforts to keep data secure, the SEC’s recent administrative proceeding against Deutsche Bank Securities Inc. (DBSI) emphasizes that policies and practices to secure data must continue to safeguard nonpublic information from all types of dissemination methods, from emails and chats, to telephone calls and in-person meetings. The SEC announced last week that DBSI agreed to pay a $9.5 million penalty for (1) failing to properly safeguard material nonpublic information generated by its research analysts, (2) publishing an improper research report and (3) failing to properly preserve and provide electronic chat records sought by the SEC. The SEC emphasized that employees must receive clear definitions and training so that they understand what information should not be shared. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 2 No. 16 (Aug. 3, 2016)

    Key Post-Breach Shareholder Litigation, Disclosure and Insurance Selection Considerations

    Publicly traded companies face an array of cyber-related decisions beyond how to best secure their data – chief among them are when and to whom to disclose cyber risks, how to handle shareholder litigation that follows a breach and what type of insurance policy to choose to mitigate post-breach costs. At a recent seminar hosted by the Practising Law Institute, speakers from Labaton Sucharow, BitSight Technologies and Beecher Carlson addressed considerations for making disclosures to investors both prior to and following data breaches, elements of a securities fraud case and the scope of possible insurance coverage to mitigate losses following a breach. See also “Proactive Steps to Protect Your Company in Anticipation of Future Data Security Litigation” Part One (Nov. 25, 2015); Part Two (Dec. 9, 2015).

  • From Vol. 2 No. 11 (May 25, 2016)

    Key Considerations for Public Companies for Mitigating and Disclosing Cybersecurity Risks

    The SEC has continued to emphasize cybersecurity preparedness, yet it has promulgated no specific requirement forcing public companies to disclose cybersecurity risks and incidents. In response, public companies are agonizing over how to proactively mitigate cyber attacks, how much information should be disclosed, and when such disclosures should be made. In a guest article, Richard A. Blunk, managing director and general counsel of Thermopylae Ventures, LLC and Apprameya Iyengar, an attorney at Morrison Cohen LLP, provide key considerations for public companies mitigating and disclosing cybersecurity risks. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)” (Aug. 12, 2015); Part Two (Aug. 26, 2015).

  • From Vol. 2 No. 10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

  • From Vol. 2 No. 9 (Apr. 27, 2016)

    Regulators Speak Candidly About Cybersecurity Trends, Priorities and Coordination

    Understanding the regulators’ priorities and concerns can help a company work effectively with them to investigate and respond to cybersecurity incidents. In a recent panel at the ABA National Institute on Cybersecurity Litigation, authorities from the DOJ, the SEC, the FCC and the Connecticut Attorney General’s office weighed in about the cyber threat landscape, their agencies’ enforcement priorities, strategies for collaboration (including when and how information shared with the government will remain confidential) and effective incident response. See also “Private and Public Sector Perspectives on Producing Data to the Government” (Jun. 3, 2015).

  • From Vol. 2 No. 1 (Jan. 6, 2016)

    Navigating FCA and SEC Cybersecurity Expectations (Part One of Two)

    Given the increased scrutiny of cybersecurity by governments around the globe, regulated entities operating in more than one jurisdiction must be aware of the relevant regulatory cybersecurity expectations. This two-part series looks at the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, but with differing approaches. Part One discusses the FCA and SEC as regulators of financial services in their respective jurisdictions and outlines the guidance issued, and the methods adopted, by the two regulators. Part Two will explore how the financial sector is navigating the current regulatory environments, including existing guidance, in the U.S. and abroad and how the industry can simultaneously satisfy the requirements of each regulator. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One)” (Aug. 12, 2015) and Part Two (Aug. 26, 2015).

  • From Vol. 2 No. 1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do. Increasingly, the federal agency has also vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate. In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement. This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions in both cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

  • From Vol. 1 No. 18 (Dec. 9, 2015)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Snapshot of the Regulatory Landscape (Part One of Two)

    The cyber focus has become increasingly intense for the financial services sector. Industry compliance personnel are challenged to keep up with cybersecurity requirements in this area, with new major regulatory developments occurring on a regular basis. In a guest article, the first in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, explores the current cybersecurity regulatory expectations applicable to the financial services sector. The second article will provide a practical blueprint for building a cyber compliance program. See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

  • From Vol. 1 No. 13 (Sep. 30, 2015)

    What the OCIE Cybersecurity Risk Alert Means for Investment Advisers and Broker-Dealers

    Continuing its emphasis on the cyber-preparedness of broker-dealers, the SEC Office of Compliance Inspections and Examinations (OCIE) announced a second round of examinations “to assess implementation of firm procedures and controls.” On September 15, 2015, OCIE issued a Risk Alert detailing its concerns, as well as sample requests for information in six focus areas: governance and risk assessments, access controls, data security, vendor management, training and incident response. We analyze the alert and explore the cybersecurity implications for investment advisers and broker-dealers. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 10 (Aug. 12, 2015); Part Two, Vol. 1, No. 11 (Aug. 26, 2015).

  • From Vol. 1 No. 11 (Aug. 26, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part Two of Two)

    Public companies grapple with when and how to disclose the various cybersecurity risks they face and the incidents they experience in their SEC filings. How much is enough to disclose to satisfy regulators and how much is too much – both to preserve reputations and avoid giving would-be hackers ammunition? The first part of this two-part article series provided guidance on making appropriate disclosures to meet SEC and investor expectations. This second part provides suggestions on risk themes to include in risk disclosures as well as examples of relevant disclosures made in the 10-K filings for The New York Times, Home Depot, Morgan Stanley and Target. See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

  • From Vol. 1 No. 10 (Aug. 12, 2015)

    Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)

    The SEC has made clear that material cybersecurity risks and incidents should be disclosed to investors. However, determining what is material, as well as when and how to disclose, is less clear. This article, the first in a two-part series, provides guidance on how to make appropriate disclosures that will meet the expectations of the SEC and investors regarding form, substance and timing. The second article will provide suggestions and examples for language to use in disclosures. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).
