- A review of legal developments from the Securities and Exchange Commission involving cybersecurity between the survey dates of June 1, 2020, and May 31, 2021.
During the survey period the Securities and Exchange Commission (“SEC”) exhibited a heightened focus on cybersecurity. This focus has consisted of increased staffing in its Crypto Assets and Cyber Unit, settled enforcement actions for both SEC-regulated entities and public companies, and proposed rules governing cybersecurity disclosures for SEC-regulated entities and public companies.
In May 2022, the SEC announced that it nearly doubled the positions in the Crypto Assets and Cyber Unit, which is “the unit responsible for protecting investors in crypto markets and from cyber-related threats.” In its press release, the SEC emphasized the unit’s actions against “SEC registrants and public companies for failing to maintain adequate cybersecurity controls and for failing to appropriately disclose cyber-related risks and incidents.” Gurbir S. Grewal, director of the SEC’s Division of Enforcement, stated that cyber-related threats continue to pose “existential risks” to financial markets and participants, and emphasized the need to further regulate crypto markets. The SEC has been vocal in its intention to bring actions against registrants to ensure that organizations are maintaining adequate cybersecurity controls and disclosing cyber-related risks.
In June 2021, the SEC settled charges for nearly half a million dollars against First American Financial Corporation, a company focused on real estate settlement services. The SEC alleged that First American had violations pertaining to its disclosure controls and cybersecurity vulnerability procedures, resulting in a breach that exposed hundreds of millions of customer images, which included highly sensitive information. The SEC’s order states that during the breach, senior executives were not provided with the information necessary for their assessment of the company’s disclosure response, with the result that the company omitted critical information from its disclosure. The SEC emphasized that issuers must ensure that those responsible for public disclosures in an organization receive information that is important to investors, especially information pertaining to cybersecurity and system vulnerabilities.
In August 2021, the SEC settled charges for $1 million against Pearson plc, a London-based public company that provides services to schools and universities. The SEC alleged that Pearson “misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses.” The SEC charged that Pearson referred to the event as a hypothetical risk, even though it knew the breach had already occurred and specific information had already been stolen. Additionally, the SEC indicated that Pearson claimed it had strict protections in the event of a cybersecurity incident; however, once the event occurred, Pearson failed to patch the critical vulnerability. The SEC highlighted the importance for public companies of being forthcoming and providing accurate information to investors about cyber-related incidents.
Also in August 2021, the SEC sanctioned several Commission-registered broker-dealers and investment advisory firms for failures in their cybersecurity policies and procedures. The policy failures allegedly resulted in email account takeovers by unauthorized third parties, which exposed the personal information of thousands of clients and customers. According to the SEC’s press release, these enforcement actions stemmed from violations of “Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.”
The SEC recently proposed new cybersecurity rules for registered investment advisors and funds, as well as public companies. As of the date of this survey, the proposals have not been enacted, and the SEC is reviewing public comments.
On February 9, 2022, the SEC proposed new rules for registered investment advisors and funds. The proposed rules focus on cybersecurity risk management, reporting procedures for significant cybersecurity incidents, appropriate disclosure practices, and requirements for fund boards. Specifically, under the proposed rules, registered advisors and funds would be required to: (1) enact policies and procedures to address cybersecurity risks; (2) report significant cybersecurity events within forty-eight hours; (3) disclose cybersecurity risks and incidents; and (4) comply with specific requirements and duties imposed on registered fund boards, such as reviewing reports of cyber incidents and material changes to policies and procedures.
On March 9, 2022, the SEC proposed rules concerning public companies and their cybersecurity risk management and governance. The proposed rules focus on new requirements for public companies concerning reporting, disclosure, and governance of cybersecurity risks and incidents. Some of the key features include requiring public companies to: (1) report material cybersecurity incidents within four business days; (2) provide updates on previous material cyber incidents; (3) disclose policies and procedures for managing cyber-related risks; (4) disclose the company’s cybersecurity governance, such as information related to the board’s oversight and management’s role concerning cyber-related risks; and (5) provide information on whether a cybersecurity expert is present on the company’s board of directors.