On September 25, 2017, the Securities and Exchange Commission announced the creation of an Enforcement Division “Cyber Unit” that will focus on cyber-related violative conduct. The timing is hardly coincidental. Just last week, SEC Chairman Jay Clayton disclosed: 1) a 2016 intrusion into the SEC’s EDGAR system, exploiting a software vulnerability in the system’s test filing component, that resulted in access to nonpublic information; and 2) the creation of a senior-level cybersecurity working group. Since the disclosure of the EDGAR breach, the financial press has reported that SEC Enforcement, the Secret Service, and the FBI have been investigating, and that Chairman Clayton has asked the SEC’s Office of Inspector General to investigate as well. On September 26, 2017, Chairman Clayton will appear before the Senate Committee on Banking, Housing, and Urban Affairs, where he will provide testimony and will likely face intense questioning.
Returning to the SEC’s Cyber Unit: while not specifically described as such, it appears to have been created in the mold of the Enforcement Division’s other specialty units. The new unit’s mandate includes targeting cyber-related violative conduct such as: market manipulation schemes involving false information spread through electronic and social media; hacking to obtain material nonpublic information; misuse of distributed ledger technology; misconduct perpetrated via the dark web; intrusions into retail brokerage accounts; and cyber-related threats to trading platforms and other critical market infrastructure. Consistent with its being a new specialty unit, the Cyber Unit’s Chief is a former Co-Chief of the SEC’s Market Abuse Specialty Unit. Registrants can therefore expect the Cyber Unit to evolve much as the SEC’s other specialty units have. Specifically, the unit will likely: develop and expand the SEC’s internal cyber expertise; seek to hire external cyber experts; and dedicate its efforts and resources to this specialty area. Consistent with the evolution of the other specialty units, the Cyber Unit will also likely pursue cases that the Enforcement Division historically might not have pursued, such as non-fraud violations of a more technical nature.
While it is ironic that the SEC announced the Cyber Unit on the heels of its own breach, issuers and registrants should take this opportunity to self-assess and implement plans that keep them off the Cyber Unit’s radar. Among various strategies, actively monitoring and assessing the SEC’s cybersecurity guidance, and in particular the Office of Compliance Inspections and Examinations Risk Alerts, and documenting that work will support arguments that the firm made reasonable and diligent efforts. For further and more detailed guidance, look to FINRA’s February 2015 Report on Cybersecurity Practices. While FINRA’s oversight is limited to its member broker-dealer firms, this 46-page report provides plain-language guidance that any company or firm may want to review and implement as appropriate.