
The Business Lawyer

Winter 2022-2023 | Volume 78, Issue 1

The Securities and Exchange Commission’s Increased Focus on Cybersecurity

Sasha Hondagneu-Messner


  • A review of legal developments from the Securities and Exchange Commission involving cybersecurity between the survey dates of June 1, 2020, and May 31, 2021.

I. Introduction

During the survey period the Securities and Exchange Commission (“SEC”) exhibited a heightened focus on cybersecurity. This focus has consisted of increased staffing in its Crypto Assets and Cyber Unit, settled enforcement actions for both SEC-regulated entities and public companies, and proposed rules governing cybersecurity disclosures for SEC-regulated entities and public companies.

II. Increased Staffing Devoted to Cybersecurity

In May 2022, the SEC announced that it nearly doubled the positions in the Crypto Assets and Cyber Unit, which is “the unit responsible for protecting investors in crypto markets and from cyber-related threats.” In its press release, the SEC emphasized the unit’s actions against “SEC registrants and public companies for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents.” Gurbir S. Grewal, director of the SEC’s Division of Enforcement, stated that cyber-related threats continue to pose “existential risks” to financial markets and participants, and emphasized the need to further regulate crypto markets. The SEC has been vocal in its intentions to bring actions against registrants to ensure organizations are maintaining adequate cybersecurity controls and disclosing cyber-related incidents.

III. Recent Cybersecurity Enforcement Actions

In June 2021, the SEC settled charges for nearly half a million dollars against First American Financial Corporation, a company focused on real estate settlement services. The SEC alleged that First American had violations pertaining to its disclosure controls and cybersecurity vulnerability procedures, resulting in a breach that exposed hundreds of millions of customer images, which included highly sensitive information. The SEC’s order states that during the breach, senior executives were not provided with necessary information for their assessment of the company’s disclosure response, with the result that the company omitted critical information from its disclosure reports. The SEC emphasized that issuers must ensure that those who are responsible for public disclosures in an organization receive information that is important to investors, especially information pertaining to cybersecurity and system vulnerabilities.

In August 2021, the SEC settled charges for $1 million against Pearson plc, a London-based public company that provides services to schools and universities. The SEC alleged that Pearson “misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses.” The SEC charged that Pearson referred to the event as a hypothetical risk, even though it knew the breach had already occurred and specific information was already stolen. Additionally, the SEC indicated that Pearson claimed it had strict protections in the event of a cybersecurity incident; however, once the event occurred, Pearson failed to patch the critical vulnerability for months. The SEC highlighted the importance for public companies to be forthcoming and provide accurate information to investors about cyber-related incidents.

Also in August 2021, the SEC sanctioned several Commission-registered broker dealers and investment advisory firms for failures in their cybersecurity policies and procedures. The policy failures allegedly resulted in email account takeovers by unauthorized third parties, which exposed personal information of thousands of clients and customers. According to the SEC’s press release, these enforcement actions stemmed from violations of “Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.”

IV. Proposed Rules Related to Cybersecurity

The SEC recently proposed new cybersecurity rules for registered investment advisors and funds, as well as public companies. As of the date of this survey, the proposals have not been enacted, and the SEC is reviewing public comments.

A. Investment Advisors and Funds

On February 9, 2022, the SEC proposed new rules for registered investment advisors and funds. The proposed rules focus on cybersecurity risk management, reporting procedures for significant cybersecurity incidents, appropriate disclosure practices, and requirements for fund boards. Specifically, under the proposed rules, registered advisors and funds would be required to: (1) enact policies and procedures to address cybersecurity risks; (2) report significant cybersecurity events within forty-eight hours; (3) disclose cybersecurity risks and incidents; and (4) impose specific requirements and duties on registered fund boards, such as reviewing reports of cyber incidents and material changes to policies and procedures.

B. Public Companies

On March 9, 2022, the SEC proposed rules concerning public companies and their cybersecurity risk management and governance procedures. The proposed rules focus on new requirements for public companies concerning reporting, disclosure, and governance of cybersecurity incidents. Some of the key features include requiring public companies to: (1) report material cybersecurity incidents within four business days; (2) provide updates on previous material cyber incidents; (3) disclose policies and procedures for managing cyber-related risks; (4) disclose a company’s cybersecurity governance, such as information related to the board’s oversight and management’s role concerning cyber-related risks; and (5) provide information on whether a cybersecurity expert is present on a public company’s board of directors.