On May 20, 2021, the Securities and Exchange Commission's (SEC) new Chair, Gary Gensler, pledged that the SEC would "stay abreast of [technological] developments" and that it "should be ready to bring cases involving issues such as crypto, cyber, and fintech." Indeed, it has done just that.
On Aug. 30, 2021, the SEC published three new cybersecurity enforcement actions against eight companies (Cetera Advisor Networks LLC, et. al; KMS Financial Services, Inc.; and Cambridge Investment Research, Inc. and Cambridge Investment Research Advisors, Inc.), alleging they "fail[ed] to adopt written policies and procedures reasonably designed to protect customer records and information."
All of these companies entered into settlement negotiations with the SEC. After considering remedial measures undertaken by each of them, the SEC entered into agreements requiring that they (1) cease and desist from committing or causing any further violations; (2) agree to be publicly censured by the SEC; and (3) pay fines (ranging from $200,000-300,000).
These three enforcement actions were announced on the heels of two other recent actions, one from Aug. 16 and one from June 15. In these two other actions, the SEC determined that Pearson PLC, a company that provides educational resources to schools and universities, and First American Financial Corporation, an insurance company, failed to maintain cybersecurity-related disclosure controls and procedures. The companies agreed to remediate cybersecurity deficiencies and pay fines ($487,000 and $1 million, respectively).
So what?
If you're counting, that's five cybersecurity enforcement actions by the SEC in two months. Before these, the SEC had only published one other action, dating all the way back to 2018. Which is to say, more enforcement actions are likely.
In mid-June, reports indicated that the SEC sent numerous information requests to a number of regulated entities. These requests for information mirror prior information requests that later led to informal investigations and enforcement actions.
In 2016, the SEC announced charges to 72 firms following an information request related to disclosure failures by municipal securities underwriters. Similarly, in 2019, the SEC charged 79 investment firms after an information sweep was performed. In other words, these recent enforcement actions may just be the beginning.
What does the SEC want?
The SEC has asked companies for particular procedural details about data governance and incident response plans—including how data is stored, transmitted or categorized, along with the incident response plan's included communication guidelines.
But the questions are not just procedural in nature. The SEC has also been asking companies about their business continuity plans and data backup practices, and for specific information relating to ransomware events including forensic reports, root cause analyses, network configuration details and patch management program details.
In short, the SEC is looking to determine whether companies adequately protect customer information and whether they are changing their policies and procedures in light of cybersecurity incidents that have impacted their electronic systems, directly or through third parties (e.g., SolarWinds, Microsoft, Accellion and Kaseya, to name just a few that have experienced cyberattacks).
Do the basics
The SEC's sudden series of enforcement actions highlights the challenges companies face in understanding whether their collection, maintenance and storage of customer information complies with expanding legal obligations. But at a minimum, the following baseline requirements will help organizations keep pace:
- Refine your Cybersecurity Incident Response Plans (IRP)
- An IRP should include detailed response processes that
articulate communication, documentation and evaluation activities.
- For example, compare the NIST Computer Security Incident Handling Guide which has 20 recommendations for an incident response plan.
- An IRP should include detailed response processes that
articulate communication, documentation and evaluation activities.
- Reassess your Cybersecurity Risk Assessment (RA)
- Certain statutes and regulations mandate RAs and provide
guidance and tools to assist them.
- For example, conduct an assessment to analyze your alignment with industry standards and ensure vulnerabilities targeted by ransomware have been addressed.
- Certain statutes and regulations mandate RAs and provide
guidance and tools to assist them.
- Refocus your Written Information Security Program (WISP)
- Check to see if your WISP includes updated administrative, technical
and physical safeguards, as some states now require.
- For example, evaluate and adjust your program in light of any changes to your operations, risk posture or business arrangements.
- Check to see if your WISP includes updated administrative, technical
and physical safeguards, as some states now require.
The above measures are merely starting points and are taken into account by the SEC and other regulators when an organization's cybersecurity practices are called into question before or after a cybersecurity incident occurs.
Originally Published 3 September 2021
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
