The SEC, through its Office of Compliance Inspections and Examinations (“OCIE”), recently issued its most detailed cyber guidance to date. OCIE had previously issued several cybersecurity risk alerts over the past few years. This most recent release, however, offers much more than a risk alert. OCIE’s “Cybersecurity and Resiliency Observations” goes into significantly more detail than OCIE’s prior risk alerts in this area and is fashioned in a vastly different and more user-friendly format. Thus, it is required reading for SEC regulated entities because, rest assured, it will be closely followed and applied by OCIE staff conducting cyber examinations, as well as by the Division of Enforcement’s “Cyber Unit.”
Last week, the Department of Justice (“DOJ”) and the Securities & Exchange Commission (“SEC”) announced charges connected to a large-scale, international conspiracy to hack into the SEC’s Electronic Data Gathering, Analysis and Retrieval (“EDGAR”) system and profit by trading on stolen material, non-public information. The conduct underlying these cases was one of the principal reasons that the SEC created its Division of Enforcement “Cyber Unit” to target cyber-related securities fraud violations.
In a 16-count indictment unsealed in the United States District Court for the District of New Jersey, two Ukrainian citizens, Artem Radchenko and Oleksander Ieremenko, were charged with securities fraud conspiracy, wire fraud conspiracy, computer fraud conspiracy, wire fraud, and computer fraud. The SEC’s complaint charged nine defendants – Ieremenko, six traders in California, Ukraine, and Russia, and two entities – with antifraud violations of the federal securities laws.
The charging documents allege that Ieremenko and Radchenko hacked into the EDGAR system and stole thousands …
The Securities and Exchange Commission (SEC) recently released a report detailing whether or not certain companies that had fallen victim to cyber-related frauds had violated the Securities Exchange Act of 1934 by failing to have proper internal accounting controls. The nine companies investigated by the SEC fell prey to fraudulent “business email compromise” schemes, which are responsible for the highest estimated out-of-pocket losses of any cyber-related crimes in the last five years. The primary question for the SEC was whether or not the companies had failed to enact compliant internal accounting controls that may have prevented such fraud.
This alert details the SEC’s finding and advice for companies in an environment where cybersecurity is increasingly complicated and essential.
On April 24, 2018, the Securities and Exchange Commission (SEC) announced its most significant case ever filed against a respondent for one of the world’s largest data breaches. Altaba, Inc., f/d/b/a Yahoo! Inc. (“Yahoo”), settled SEC charges of violating Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 (“Securities Act”), amongst other charges, and agreed to various remedies, including a $35 million penalty.
In summary, the SEC alleged that in December of 2014 Yahoo’s information security team learned that Russian hackers stole what was referred to internally as the company’s “crown jewels”: usernames, email addresses, phone numbers, birthdates, encrypted passwords, and security questions and answers for more than 500 million users. Although information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of …
On September 25, 2017, the Securities and Exchange Commission announced the creation of an Enforcement Division “Cyber Unit” that will focus on cyber-related violative conduct. The timing of this is much more than coincidental; indeed it’s obvious. Just last week, SEC Chairman Jay Clayton disclosed: 1) a 2016 intrusion of the SEC’s EDGAR system due to a software vulnerability in the test filing component of the system, resulting in access to nonpublic information; and 2) the creation of a senior-level cybersecurity working group. Since the disclosure of the EDGAR breach, the financial press has reported that SEC Enforcement, the Secret Service, and the FBI have been investigating, and that Chairman Clayton asked the SEC’s Office of Inspector General to investigate. On September 26, 2017, Chairman Clayton appears before the Senate Committee on Banking, Housing, and Urban Affairs where he will …
SEC Charges Investment Adviser with Failure to Adopt Proper Cybersecurity Policies and Procedures Prior to Cyberattack
On Tuesday, September 22, 2015, the SEC charged an investment adviser with failing to adopt written policies and procedures reasonably designed to safeguard customer records and information. The charge stemmed from a July 2013 cyberattack on the investment adviser’s third-party-hosted server, which potentially compromised the personally identifiable information (“PII”) of over 100,000 individuals stored on the server. Without admitting or denying the SEC’s findings, the investment adviser has agreed to settle the charge for approximately $75,000 and to cease and desist from committing or causing any future violations of the SEC’s “Safeguards Rule.”
Rule 30(a) of Regulation S-P (the “Safeguards Rule”) requires every investment adviser registered with the SEC to adopt written policies and procedures reasonably designed to safeguard customer records and information. Specifically, the policies and procedures must be reasonably designed to: (1) insure the security and confidentiality of …
SEC to Examine Registered Broker-Dealers’ and Investment Advisers’ Procedures for Countering Cybersecurity Threats
Background and Purposes
On April 15, 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” explaining a new initiative to assess cybersecurity preparedness in the securities industry. Although not an official rule, regulation or statement of the SEC, the Risk Alert advised that OCIE will be conducting examinations of more than 50 registered broker-dealers and registered investment advisers, regarding their cybersecurity and data security procedures and policies.
OCIE’s cybersecurity initiative is designed to obtain information about the industry’s recent experiences with certain types of cyber threats. The examinations will focus on the following topics: the firm’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with …