SEC Cyber Briefing: Regulatory Expectations for 2019

Craig A. Newman is a partner at Patterson Belknap Webb & Tyler LLP. This post is based on a Patterson Belknap memorandum by Mr. Newman.

Cybersecurity has played an important role in the U.S. Securities and Exchange Commission’s regulatory agenda during the past year.

And it’s likely to become even more important in 2019.

During 2018, the SEC has made significant moves on three fronts: issuing long-awaited guidance concerning cybersecurity disclosure issues for public companies; commencing enforcement actions against several companies for cyber-related ball drops; and finally, issuing an investigatory report about internal control failures relating to cyber or “business compromise” email fraud, which resulted in $100 million in losses.

We’ll look at each of these developments and the way they will likely influence the SEC’s regulatory and enforcement agenda in the coming year.

SEC’s 2018 Guidance

In late February 2018, the Commission released updated interpretive guidance urging companies to be more transparent in disclosing cybersecurity risks in their public filings; to disclose material data security incidents in a “timely fashion;” and to implement safeguards such as trading bans to prevent insiders from selling securities after a breach is detected but before it is publicly disclosed. The guidance also underscores the responsibilities of senior management and boards in cyber risk oversight.

The SEC’s updated guidance reiterates and reinforces the Commission’s Staff guidance issued seven years ago by the Division of Corporate Finance, which called for companies to assess what disclosures might be required about cybersecurity risks and incidents. But the new guidance—issued by the Commission itself—underscores the “grave threats to investors” and our financial systems posed by cybercrime and the uptick in the sophistication and severity of cyber-attacks on public companies. It also encourages focused and tailored cyber disclosures based on an assessment of a company’s risk profile rather than general boilerplate disclosures.

The updated guidance focuses on six key areas:

Pre-Incident Public Disclosure

The updated guidance does not require detailed disclosures about a company’s IT systems or vulnerabilities—to avoid giving a roadmap for mischief—but advises a holistic assessment based on the overall materiality of cyber risk to an organization and its operations. In particular, the Commission advises companies to consider the following in preparing cyber risk disclosures:

  • Prior cybersecurity incidents including their severity and frequency
  • Probability of incident occurrence and potential magnitude of an incident
  • Limitations on the company’s ability to prevent or mitigate cyber risk
  • Particular industry specific or third-party vendor/supplier risk
  • Potential for reputational harm
  • Legal risks and costs of enforcement actions by other regulatory bodies (specifically referencing New York’s new cybersecurity regulations for financial institutions and insurance companies)

Board Oversight

When deemed material, the Commission advises that proxy statements contain disclosures about a board’s role and engagement in cyber risk oversight. The Commission also noted that cyber risk disclosures might, depending on the circumstances, be reflected not only in risk factor disclosures but in the company’s MD&A, description of its business, disclosure of legal proceedings, and financial reporting “to provide reasonable assurance that information about the range and magnitude of the financial impacts of a cybersecurity incident would be incorporated into its financial statements….”

Data Security Incident Disclosure

One of the most challenging and practical questions for any organization is the public disclosure of a data security incident. Although the guidance makes clear that timely disclosure of material cybersecurity incidents is required, it concedes that “some material facts may not be available at the time of the initial disclosure.” Cooperation with law enforcement and incident investigation—which the Commission acknowledges is “often … lengthy”—will affect the scope of any disclosure. That said, the guidance warned that cooperation with law enforcement or ongoing investigations does not, “on its own,” provide a basis for not disclosing a material cybersecurity incident.

Controls and Procedures

As has been the trend with state-level data security regulations, the guidance also focuses on the role of senior corporate leaders and a company’s board of directors. To that end, the guidance encourages the following steps:

  • Assess existing disclosure controls and procedures to ensure that cyber risk and incident information “is processed and reported” to critical stakeholders “including up the corporate ladder,” so that senior management is able to make informed disclosure decisions and compliance certifications, together with controls to assess compliance with those disclosure controls and procedures on a regular basis
  • If such controls are lacking, develop and implement a process so that important cyber risk and incident information is collected and elevated to senior levels for appropriate decision-making and oversight

Insider Trading and Regulation FD

Finally, the guidance reminds companies of the risk posed by insiders who trade securities between the time a breach is discovered and when it is publicly disclosed. The Commission “encourages” public companies to put in place policies and procedures to prevent trading on material non-public information relating to cybersecurity risks and incidents including trading restrictions to avoid even the “appearance of improper trading during the period following an incident and prior to the dissemination of disclosure.”

The Commission encourages “companies to consider how their codes of ethics and insider trading policies take into account and prevent trading on the basis of material nonpublic information related to cybersecurity risks and incidents.”

The guidance also warns against disclosing cybersecurity incident information selectively and reminds companies to disclose incident information on Form 8-K to manage the risk of selective disclosure.

Key Takeaways

  • Revisit and, if necessary, refresh data security related public disclosures to ensure compliance with the new guidance
  • Consider adequacy of internal controls and procedures for identifying cybersecurity risks and incidents as part of the design and effectiveness of a company’s disclosure controls and procedures
  • Update existing enterprise-wide data security policies, plans, and procedures
  • Ensure that controls are in place to escalate cyber risk and incident engagement and oversight by senior corporate leaders and the board
  • Review data security incident disclosure process to ensure key stakeholders are notified of significant data security incidents and establish a decision-making process and protocol to timely disclose material cybersecurity incidents
  • Revise codes of conduct and internal securities trading policies to ensure that, as appropriate, securities trading restrictions are put in place upon the detection of a material cybersecurity incident

2018 Enforcement Actions

It’s been a busy year for the Cyber Unit at the Securities and Exchange Commission. During 2018, the SEC brought 20 stand-alone cases related to cybersecurity, and has 225 cyber-related investigations that it deems “ongoing.” That’s according to the enforcement division’s 2018 Annual Report.

In several cases, the enforcement actions were first-of-their-kind. In April 2018, the agency filed its first enforcement action against a public company for failing to promptly tell investors of a major cyber-attack. And in another first, the agency used a long dormant identity theft regulation and enforced it against an investment adviser when a cyber-attack compromised investment information for thousands of customers. The agency pursued other cases as well—from insider trading based on impending news of a major cyber-attack to the flawed use of automated technology to guard against fraud.

Here is a brief look at the agency’s more notable enforcement actions during the past year.

Yahoo!’s Tardy Disclosure

The SEC’s $35 million settlement over the Yahoo! data breach provides an object lesson in the consequences of failing to promptly disclose a major cyber-attack.

In its first action based on a cybersecurity disclosure violation, the SEC fined Altaba Inc.—formerly Yahoo!—for not disclosing in a timely manner one of the largest reported hacks in U.S. history. Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.

Yahoo has acknowledged that the 2014 hacking and a separate incident in 2013 affected 3 billion user accounts.

The complaint charges the company with acting “negligently” in not informing investors earlier of the hack and for filing materially misleading reports with the Commission. The settlement does not rule out further enforcement proceedings.

Yahoo’s senior managers and internal legal team were told about the breach but they failed to fully investigate it, the SEC alleged.

“By December 2014, Yahoo’s information security team had determined that hackers had stolen copies of Yahoo’s user data base files … and likely even Yahoo’s entire user database of billions of users,” said the SEC complaint. “Within days after Yahoo’s information security team reached these conclusions, members of Yahoo’s senior management and legal teams received various internal reports…stating that the theft of hundreds of millions of Yahoo users’ personal information had occurred.”

“Yahoo’s senior management and legal teams did not share the information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings,” according to the SEC complaint.

It was not until September 2016 that Yahoo publicly disclosed the breach, shortly before closing the sale of its Internet operating unit to Verizon Communications Inc. The day the hack was announced, Yahoo’s stock fell 3 percent. The tardy disclosure also reduced Verizon’s acquisition cost by $350 million or 7.25 percent.

Identity Theft Rule

In another first, the SEC dusted off its “Identity Theft Red Flags Rule” to censure Voya Financial Advisors, an Iowa-based investment adviser, for allowing hackers to access Social Security Numbers, account balances and even details of client investment accounts.

The SEC adopted the red flags rule five years ago but, until this year, had not enforced it, nor had it punished firms for ignoring the rule.

The Identity Theft Red Flags Rule—called “Regulation S-ID”—requires designated financial firms to develop and implement a written identity theft prevention program “designed to detect, prevent, and mitigate identity theft” for investment accounts. The rule also requires board oversight of the identity theft program.

During a six-day period in 2016, the SEC charged, cybercriminals called Voya’s helpline impersonating the firm’s independent investment representatives—who make up the largest segment of its workforce. Even though some of the telephone numbers used by the hackers had been flagged in Voya’s system for possible fraud, the callers were able to convince Voya’s helpline to reset their passwords and provide new passwords over the phone.

The intruders used the new passwords to gain access to customer information and to create new online customer profiles and identities, according to the agency.

The hackers were also able to change customer phone numbers and addresses, which meant account statements and confirmations would be re-routed to the hackers without so much as triggering a fraud alert. In several instances, the SEC said, hackers used “,” a disposable email service that allows users to create an email address, review incoming emails and then destroy everything.

In all, the SEC charged, 5,600 client accounts were compromised.

Voya had an identity theft program in place for nearly a decade, but it had languished in recent years. The program fell far below the requirements of the rule. It also was not approved by the firm’s board or senior leaders, as required, and was ignored by Voya’s security team. “VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” charged the SEC. The agency deemed Voya’s violation of the Red Flags Rule to be “willful.”

Voya neither admitted nor denied the SEC’s charges.

In the settlement, Voya agreed to pay a $1 million penalty and to make a series of improvements to its data security environment, including the retention of an independent consultant to review its policies and procedures for compliance with the Identity Theft Red Flags Rule.

Equifax & Insider Trading

The interplay between insider trading and data security was underscored by two cases brought in the aftermath of the Equifax Inc. data breach, which exposed the personal information for 150 million Americans.

In the first case, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before news of the Equifax breach went public. The government’s charges against Ying allege that he sent a text message to a colleague, saying that the hack “sounds bad.” Ying then allegedly searched the web to research how Experian’s 2015 breach impacted its stock price. Ying—it is alleged—exercised all of his available employee stock options and then sold his shares, netting nearly a million dollars in proceeds before the breach was disclosed in September 2017. The trade avoided more than $100,000 in losses, according to the SEC.

And in the second case, the agency charged a former Equifax manager with buying put options—a bet that the stock price would go down—before the breach was disclosed. The complaint alleged that Sudhakar Reddy Bonthu, an Equifax software engineer, used confidential information he learned while creating a website for consumers affected by the breach. The SEC charged that Bonthu’s purchase of put options netted him more than $75,000 in profits.

These two cases are not connected to concerns that surfaced shortly after the Equifax breach was disclosed that top executives had sold $1.8 million in shares soon after suspicious activity was detected in late July 2017. Those executives were cleared by an internal investigation.

Mizuho’s Buy-Back Debacle

The SEC fined the U.S.-based securities trading unit of Mizuho Bank $1.25 million for its mishandling of confidential client information related to stock buyback programs. The agency charged that the bank shared confidential information with traders and hedge funds, in violation of the firm’s own policies.

Stock share buybacks occur when a publicly traded company buys its shares back from its shareholders. While companies may publicly disclose some information about their buyback programs, they typically do not reveal the specific dates on which they intend to execute the buyback trades. Traders privy to this information can use it to take advantage of the buyback order by front-running trades or putting on a hedge position prior to the buyback date.

Mizuho, however, failed to safeguard this material nonpublic information in buyback programs it executed. According to the SEC, Mizuho traders at the desk overseeing the buyback program, the International Sales Trading Desk, “routinely” passed buyback order information to traders at the separate U.S. Equity Trading Desk, which had no role in executing the buyback program. Also, on several occasions traders at the U.S. Equity Trading Desk shared the buyback order information with other external Mizuho clients, said the SEC.

As a result of these missteps, the SEC found that Mizuho had violated Section 15(g) of the Exchange Act, which requires registered broker-dealers to establish, maintain and enforce written policies and procedures to prevent the misuse of material nonpublic information. As punishment, the SEC imposed a cease-and-desist order prohibiting Mizuho from committing future violations of Section 15(g), issued the $1.25 million fine, and censured the company.

Mizuho did not admit to or deny any of the SEC’s findings.

Trusting Automated Technology

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown on the use of automated technology to detect investment advisor fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected.

In the Ameriprise case, the company used automated surveillance tools to prevent and detect employee fraud—much like internal monitoring is used to detect unusual activity within a company’s data security environment. But the technology was limited. Ameriprise’s fraud detection system suffered from a technical error that went undetected for several years. Because of the shortcoming, the SEC charged, insiders were able to “perpetrate a fraud” and siphon more than $1 million from client accounts.

And a second system—used to monitor cash disbursements from client accounts—suffered from design limitations and was unable to detect bogus fund transfers. “On multiple occasions,” according to the SEC, “Ameriprise did not detect the fraudulent transfer of funds from client accounts ….”

The SEC found that Ameriprise “lacked a reasonable mechanism to prevent and detect situations where a representative sought to misappropriate money from a client account” and imposed a $4.5 million civil penalty on the company for violations of the Investment Advisers Act of 1940. In the consent order, Ameriprise did not admit or deny wrongdoing.

SEC’s Wire Fraud “BEC” Investigation

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.

In an investigative report, the SEC studied the internal accounting controls of nine public companies affected by wire fraud to determine if federal securities laws may have been violated by failing to have a sufficient system of internal accounting controls in place. The companies were in various sectors including technology, machinery, real estate, energy, finance, and consumer goods. In total, the nine companies investigated by the agency suffered losses totaling nearly $100 million as a result of the frauds. For the most part, the funds were not recoverable.

The SEC found that there were typically two different scenarios under which companies were scammed by cybercriminals. In the first scenario, a person posing as a senior company executive—most typically, a Chief Financial Officer or Chief Executive Officer—used a spoofed email domain and address to arrange for a wire transfer to a foreign bank account controlled by the criminals.

The second scenario involved a fake vendor or supplier to the company. The perpetrator would hack into the email account of a legitimate employee of the vendor, communicate with company personnel about an invoice that was due for payment, and then redirect the wire transfer to an account under the criminal’s control.

Of the nine companies investigated by the SEC, each lost a minimum of $1 million. Two companies lost more than $30 million and one company was taken for more than $45 million. Although no charges were brought against the companies, the SEC emphasized that “[c]ybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with federal securities laws.” And in a clear warning, the SEC urged companies to reassess internal accounting controls “in light of emerging risks, including risks arising from cyber-related frauds,” and “calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly.”

The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investors assets from cyber-related frauds.” Under Section 13(b)(2)(B) of the Securities Exchange Act of 1934 (15 U.S.C. § 78m(b)(2)(B)), internal controls must reasonably assure that:

  • transactions are executed in accordance with management’s general or specific authorization; and
  • access to assets is permitted only in accordance with management’s general or specific authorization.

The report emphasized that BEC scams are not particularly sophisticated and are often successful not because companies don’t have policies and procedures in place but because “the responsible personnel did not sufficiently understand the company’s existing controls or did not recognize indications in the emailed instructions that those communications lacked reliability.” Beyond the nine companies investigated by the SEC, the price tag for BECs is soaring. In a report issued in July 2018, the FBI estimated that fraud involving BECs has cost companies more than $5 billion since 2013. Between October 2013 and May 2018, the FBI has tracked more than 78,000 instances of global email fraud. The tab for these losses exceeded $12 billion. Additionally, the FBI reports that Asian banks in China and Hong Kong remain the main destinations for fraudulent fund transfers but that financial institutions in the United Kingdom, Mexico and Turkey have been identified recently as “prominent destinations.”

The FBI has published a list of precautionary measures for businesses to mitigate the risk of BEC fraud including:

  • frequently monitor your email exchange server for changes in configuration and custom rules for specific accounts;
  • consider adding an email banner stating when an email comes from outside your organization so they are easily noticed;
  • conduct end-user education and training on the BEC threat and how to identify a spear phishing email;
  • ensure that company policies provide for verification of any changes to existing invoices, bank deposit information, and contact information;
  • contact requestors by phone before complying with email requests for payments or personnel records; and
  • consider requiring that two parties sign off on payment transfers.
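The first FBI measure above, monitoring mailboxes for custom rules, is the one most amenable to automation. The following is an added example, not part of the memorandum or any FBI or SEC material: a small detector that takes mailbox rule records (as an administrator might export them from a mail server) and flags rules that forward mail outside the organization, delete or bury messages, or filter on payment-related subject keywords. The domains, mailbox names and rules are constructed for the example.

```python
"""Review mailbox inbox rules for patterns associated with BEC account abuse."""
from dataclasses import dataclass, field

# Constructed organisation domains; any other domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}
# Subject keywords a fraudster typically filters on to intercept payment traffic.
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "ach", "remittance"}
# Folders users rarely open, a common place to bury intercepted mail.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items"}


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)
    subject_contains: list = field(default_factory=list)
    move_to_folder: str = ""
    delete: bool = False


def is_external(address: str) -> bool:
    """True when the address domain is not one of the organisation's own."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> tuple:
    """Return (severity, findings) for one rule; severity is '' when it looks benign."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.delete:
        findings.append("deletes matching messages")
    concealed = rule.move_to_folder.lower() in OBSCURE_FOLDERS
    if concealed:
        findings.append(f"hides messages in folder '{rule.move_to_folder}'")
    keywords = [k for k in rule.subject_contains if k.lower() in FINANCE_KEYWORDS]
    if keywords:
        findings.append("filters on finance keywords: " + ", ".join(keywords))

    if external or ((rule.delete or concealed) and keywords):
        severity = "high"    # mail leaves the organisation, or payment traffic is hidden
    elif rule.delete or concealed:
        severity = "medium"  # mail is hidden but not finance-specific: review it
    else:
        severity = ""        # keyword-only filters are common and usually legitimate
    return severity, findings


def triage_rules(rules) -> dict:
    """Group flagged rules by mailbox: {mailbox: [(rule name, severity, findings)]}."""
    alerts = {}
    for rule in rules:
        severity, findings = assess_rule(rule)
        if severity:
            alerts.setdefault(rule.mailbox, []).append((rule.name, severity, findings))
    return alerts


# Constructed sample export: one mailbox with an exfiltrating rule, one rule that
# buries payment mail in an obscure folder, and two benign rules.
SAMPLE_RULES = [
    InboxRule("alice@example.com", "Invoices", forward_to=["billing.drop@mail-relay.example"],
              subject_contains=["invoice", "wire"], delete=True),
    InboxRule("bob@example.com", "Newsletters", subject_contains=["newsletter"],
              move_to_folder="Newsletters"),
    InboxRule("carol@example.com", "Cleanup", subject_contains=["payment"],
              move_to_folder="RSS Feeds"),
    InboxRule("dave@example.com", "Share with assistant", forward_to=["erin@example.com"]),
]

if __name__ == "__main__":
    for mailbox, hits in triage_rules(SAMPLE_RULES).items():
        for name, severity, findings in hits:
            print(f"[{severity.upper()}] {mailbox} rule '{name}': " + "; ".join(findings))
```

Run against a real export, only the two flagged mailboxes would reach an analyst; the newsletter filter and the internal forward produce no alert.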

Looking Ahead: 2019’s Priorities

No doubt, the SEC’s initiatives in 2018 foreshadow a continued focus on cybersecurity. While predictions are always uncertain, there are five areas the Commission has made clear are regulatory priorities:

  • Cybersecurity Risk Disclosures. Since issuing its interpretative guidance earlier in 2018, the agency has been focused on the adequacy of public company cyber risk disclosure. While not scientific by any means, there appears to be an uptick in comment letters by the agency addressing specific cyber disclosure issues. This enhanced focus on cyber risk disclosure—albeit a balance between saying too much or too little about an organization’s cyber risk and defenses—should continue into 2019.
  • Timely Disclosure of Cybersecurity Incidents. With the Yahoo enforcement action as a baseline, the SEC is sure to be scrutinizing the timeliness of public company disclosures when victimized by a cyber-attack or other material data security incident. While these disclosures in many instances come down to hard-fought judgment calls about materiality, the agency has made clear that public companies have a duty to promptly inform the markets of material cybersecurity incidents.
  • Insider Trading Controls. The Commission’s 2018 interpretative guidance and its enforcement actions against two Equifax employees for allegedly trading on inside information make plain that insider trading will remain a priority. Public companies would be well advised to review their data security incident response plans and insider trading policies to ensure that they address trading halts between the time that a cybersecurity event is discovered and publicly disclosed. The SEC will undoubtedly be on the lookout for companies that don’t heed this advice.
  • Effectiveness of Data Security Policies. A theme in several enforcement actions is the effectiveness of a company’s data security policies. In all likelihood, the SEC will come at this issue in two different ways. First, it will review policies to ensure that they are aligned with an organization’s risk profile and risk environment in which it operates. Second, how do these policies filter down in an organization to ensure that they are followed and enforced? In large part, this depends on employee training and the priority an organization puts on its cybersecurity hygiene.
  • Internal Accounting Controls. The Commission’s investigatory report sent a clear message to public companies: revisit the effectiveness of internal accounting controls to guard against BEC and wire fraud. With the global cost of this crime running into the billions, the SEC is unlikely to let its detailed report gather dust. The report is the proverbial shot across the bow. Public companies are well advised to revisit and, if necessary, enhance their internal control process not just for wire transfers but for any significant movement of funds.