Columbia Law School

SEC Commissioner Speaks on the Emerging Challenge of Cybersecurity

Good afternoon.  Thank you for the kind introduction and the opportunity to speak to the Los Angeles County Bar Association today.  Before I begin, let me issue the standard disclaimer that the views I share are my own and do not represent those of the Securities and Exchange Commission (the “SEC”) or my fellow Commissioners.

Today I would like to speak with you about cybersecurity, a topic that is becoming increasingly important for companies and regulators as more of our registrants’ operations have moved online.  The threats, strategies, and motives of cybercriminals can take many forms.  To name just a few, they may be: simple account intrusions that seek to steal assets from an investor’s or customer’s accounts; ransomware attacks that seek to disable business operations in order to extract payments; and even acts of “hacktivism” that disrupt services to make a political point.  Cyber events can often be hard to detect, hard to measure quickly, and can involve reporting obligations to multiple government agencies and stakeholders.

The reasons I want to talk about this today are manifold, including to emphasize the challenging position SEC registrants, in particular, face when dealing with cyber threats.  I also want to stress that the SEC is only one part of the cyber regulatory landscape, but we have some specific requirements and guidance in place about areas on which to focus.  Finally, I will note that I believe there is more that the Commission should contemplate in terms of cyber guidance and/or rules to ensure that companies understand our expectations and investors get the benefit of increased disclosure and protections by companies.

Understanding that You May Be a Victim

Before I go further, it’s important to acknowledge a point that is sometimes overlooked in discussions about cybersecurity.  In the case of cyber-crimes, companies are the targets and victims.  The last thing a company wants is to suffer this kind of criminal and illegal attack.  But, today, the threat of a cyber-attack is so constant and significant for every market participant that it should be viewed as a substantial likelihood.

The SEC has imposed specific obligations on particular registrants relating to certain cybersecurity risks.  But it’s undeniable that our registrants, who have more general obligations under the securities laws—such as to serve the best interests of clients or shareholders—also are accountable for taking measures to prevent and mitigate damage from these threats as part of their broader responsibilities.

Accordingly, it has become increasingly important for market participants to work with counsel and other experts on preparing for potential cyber-attacks before they happen—that is, devising a plan for monitoring for cyber threats, responding to potential breaches, and understanding when information must be reported outside the company and to whom.

Cybersecurity and the SEC

In the United States, aspects of cybersecurity are the responsibilities of multiple government agencies, including the SEC.  Just in the financial services space, there are a myriad of regulators that oversee registrants with differing requirements and obligations.[1]  Because of this, it is not uncommon for market participants under the SEC’s jurisdiction to be subject to multiple authorities’ obligations regarding cybersecurity, including obligations to report to a federal agency or to the public.

But the SEC has an important interest in cybersecurity, which has a nexus to every part of the SEC’s three-part mission: to protect investors; maintain fair, orderly, and efficient markets; and facilitate capital formation.  For example, securing investors’ account data is a clear prerequisite for investor protection.  The market integrity that characterizes fair, orderly, and efficient markets requires, at the very least, reliable clearing and settlement, which relies on secure data.  And, of course, security is the foundation on which a stable and growing economy is based.

Rulemaking

Historical Targeted and Flexible Approach

To date, the Commission’s regulatory approach to cybersecurity has largely reflected the fact that we do not regulate this area in a vacuum.  First, we have been very targeted in imposing affirmative requirements on our registrants related to cybersecurity, only focusing on certain registrants and certain areas that we have identified as posing the highest risk.  Second, our rules have largely been principles-based, as we have endeavored to provide registrants flexibility to address cybersecurity obligations in the context of their particular business and circumstances.

Regulation SCI: A Case Study

Regulation Systems Compliance and Integrity (“Regulation SCI”), the Commission’s most extensive policymaking in cybersecurity, is a good example of this approach.  It applies only to the institutions that constitute the backbone of the securities markets:  the stock and options exchanges, alternative trading systems, certain clearing agencies, and other self-regulatory entities like FINRA and MSRB.  The Commission adopted Regulation SCI in 2014 to strengthen the technological infrastructure of the U.S. securities markets, applying specific obligations to these entities.[2]  Regulation SCI requires these entities to establish what we can call cybersecurity policies and procedures.  These policies and procedures must be reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets as well as notify the Commission of any problems.[3]

I believe the implementation of Regulation SCI has increased the preparedness and resiliency of the markets and the overall market system.  It has also ensured that through notifications, the Commission is made aware of SCI events (breaches, system issues, etc.).  This has enabled us not only to examine for compliance, but also to promote best practices and inform other market participants of potential issues and vulnerabilities.

Advisers and Broker-Dealers

I appreciate the Commission’s historical approach to regulating cybersecurity and believe it has brought many benefits to our markets.  But it is time that the Commission consider rules that provide registrants—particularly investment advisers and public issuers—with more of an idea of what we expect of them in today’s marketplace.

Existing Rules with Specific Obligations

The SEC has adopted certain principles-based rules for investment advisers and broker-dealers where particular cyber vulnerabilities have been identified.  In 2000, the Commission implemented the privacy title provisions of the Gramm-Leach-Bliley Act of 1999 when it finalized Rule 30(a) of Regulation S-P, known as the “Safeguards Rule.”[4]  The rule requires registered broker-dealers and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”[5]  It also requires that such written policies and procedures be reasonably designed to: ensure the security and confidentiality of customer information; protect against any anticipated threats or hazards to its security or integrity; and protect against unauthorized access to it that could result in substantial harm or inconvenience to any customer.[6]

In 2013, the Commission also adopted (jointly with the CFTC) an identity theft “Red Flags Rule” that requires certain SEC-regulated entities (primarily brokers, dealers, and investment companies, and some registered investment advisers) to adopt a written identity theft program that includes policies and procedures designed to, among other things, identify and address relevant types of identity theft red flags.[7]

Cybersecurity as Part of More General Obligations

But besides these specific rules, there are other more general rules that cover obligations relating to cybersecurity.  For example, Rule 206(4)-7 under the Investment Advisers Act of 1940 (the “Advisers Act”) requires advisers to adopt and implement written compliance policies and procedures reasonably designed to prevent violations (by the adviser or its supervised persons) of the Advisers Act and the rules adopted by the Commission thereunder.  In addition, the SEC staff in the Division of Investment Management has issued guidance over the years about how advisers should be thinking about cybersecurity concerns in the context of their fiduciary duties.[8]

Areas for Additional Guidance or Rules

Given the increasing and inevitable reliance of advisers on technology in their businesses, it is time that the Commission bring more clarity to this issue in cases where there may be confusion about whether to notify the Commission and investors in the event of a cybersecurity breach.  Of course, any such obligation should be principles-based and allow advisers the flexibility to tailor notification measures to their business and the facts and circumstances of the situation.  But, there should be some framework for reporting cyber-incidents to clients and to the Commission, to the extent the adviser has identified them to be material.

One precedent we could look to as a potential model in this regard is the set of requirements that FINRA has imposed on broker-dealers to alert it of certain systems-related incidents.  In addition to the rules applicable to broker-dealers that I have previously mentioned, FINRA has rules regarding supervisory procedures and business continuity planning, which can implicate cybersecurity.[9]  FINRA also has a rule requiring a broker-dealer member to promptly report to FINRA if it has, or reasonably should have, concluded that it has violated any securities-, insurance-, commodities-, financial- or investment-related laws, rules, regulations or standards of conduct of any domestic or foreign regulatory body or self-regulatory organization.[10]  FINRA has stated that, under this rule, it expects its members to report only conduct that has widespread or potential widespread impact to the member, its customers or the markets, or conduct that arises from a material failure of the member’s systems, policies or practices involving numerous customers, multiple errors or significant dollar amounts.[11]  But, FINRA has also encouraged firms to report material cyber events to their regulatory coordinator even if the event does not meet the threshold outlined in its rule.[12]

We must also be cognizant of the size and resources of smaller registrants, and I applaud the work of FINRA to help provide resources for broker-dealers with respect to cybersecurity.  I also applaud the work of private organizations to help registrants with cyber readiness, entities like the FS-ISAC (Financial Services Information Sharing and Analysis Center).[13]  I also hope that the industry and fellow registrants will help each other.  When one entity has a cyber-incident or when one entity fails to act appropriately after a cyber-incident, it raises concerns about an entire industry.

Public Issuers

For public issuers, which constitute a large percentage of our registrants, the Commission has issued guidance with respect to disclosure of cybersecurity matters and a report regarding cybersecurity implications for internal controls.

In 2018, the Commission released guidance stressing that issuers need to be alert to the prospects of cybersecurity incidents with an eye toward keeping their investors informed.[14]  Although there is no existing issuer disclosure requirement explicitly referring to cybersecurity risks and cyber incidents, the Commission guidance makes clear that companies nonetheless may be obligated to disclose them.  These obligations arise generally from the disclosure requirements set forth in Regulation S-K and Regulation S-X, which require public companies to make disclosure regarding, among other things, their business and operations, risk factors, management’s discussion and analysis, and disclosure controls and procedures.[15]

Accordingly, the Commission guidance urges “public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.”[16]  A necessary prerequisite of this is that public companies adopt and implement disclosure controls and procedures to enable them to discern the impact of cybersecurity risks and incidents.  Of course, this in turn relies on engaged and informed officers, directors and others.

A company’s cybersecurity responsibilities go beyond disclosures and disclosure controls.  It can also implicate internal controls over financial reporting.  Shortly after the Commission’s 2018 disclosure guidance, the Commission issued a “21A report” regarding an investigation into nine issuers who had been victims of cyber fraud.[17]  As the report describes, in those frauds, company personnel received spoofed or otherwise compromised electronic communications purporting to be from a company executive or vendor.  These communications prompted the personnel to wire large sums or pay invoices to accounts controlled by the perpetrators of the scheme.  The issuers collectively lost $100 million to these schemes.[18]  We stressed in the report that companies should pay particular attention to the obligations imposed by Section 13(b)(2)(B) of the Securities Exchange Act of 1934 to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.[19]

As some of you may have noticed, the Commission’s regulatory agenda includes possible regulatory action with regard to issuers, which could build on the Commission’s 2018 guidance.[20]  I have not seen any draft rule, so I cannot speak as to its nature or merits.  But I will let you know some of the things that I would be looking for as I consider any additional rules in this area.  First, we need to define any new legal obligations clearly.  Second, we need to make sure that these obligations do not create inconsistencies with requirements established by our sister government agencies.  Third, we should recognize that some registrants have greater resources than others, and we should not try to set the resource requirements for an entity.  And finally, because issuers’ businesses vary, the cybersecurity-related risks they face also will vary, and therefore a principles-based rule would likely work best.

As we consider rules for any of our registrants, public issuers, investment advisers, broker-dealers, or others, we need to work with our fellow regulators, law enforcement, and the national security community to make sure we are not imposing any new requirements that conflict with their mandates.  For example, we must understand that law enforcement or national security agencies may tell a firm not to disclose information to an agency such as the Commission until a later time.  This could prevent timely notification.  And we should also not require disclosure of information which would provide a roadmap for how to infiltrate a registrant’s systems.  Any disclosure would need to be tailored to ensure that this outcome would not be likely—the goal is to provide investors with material information.

Enforcement and Examinations

While I believe there is room for the SEC to further clarify obligations and provide guidance to our registrants about their cybersecurity obligations, there already exist some well-defined obligations that are relevant to cybersecurity preparedness and response.  Accordingly, some of the SEC’s most important work relating to cybersecurity has been through our Enforcement and Examination programs.

Enforcement

I have talked a lot about having principles-based rules and allowing flexibility for our registered entities when it comes to affirmative obligations relating to cybersecurity.  That is not to say that anything goes, and it’s not to say that clear violations of existing rules do not occur.

The Enforcement Division has been investigating possible failures of market participants to live up to their cybersecurity obligations for several years.  This effort has been spearheaded by the division’s Cyber Unit, which was established in 2017 to investigate and prosecute technology-related violations of the federal securities laws.  The Cyber Unit had an early impact on cases involving digital assets, initial coin offerings, and digital asset trading venues that functioned as unregistered securities exchanges.  But this is just part of the Cyber Unit’s portfolio.  They also investigate cybersecurity violations including cybersecurity controls at regulated entities; issuer disclosures of cybersecurity incidents and risks; and cyber-related manipulations, such as brokerage account takeovers.

In 2021, Enforcement has brought a number of cases in the cybersecurity area.  On the disclosure front, Enforcement has brought two notable settled actions this summer involving public companies’ disclosures regarding cybersecurity incidents.[21]  Of course, not every cybersecurity incident and breach gives rise to an enforcement action—as you can tell by noting the number of cases we have brought in this space.  The idea is not to blame the victim, but rather to address situations in which an entity did not fulfill its responsibilities under the law.

Most recently, Enforcement settled actions against a handful of firms for violations stemming from a failure to adopt and implement cybersecurity policies and procedures as required by the Safeguards Rule.[22]  In each of these cases, the firm had employed cloud-based email systems for its personnel (including independent contractors), some of which were later taken over by unauthorized third parties.  This resulted in exposing personally identifiable information (“PII”) of at least thousands of firm customers and clients.  The orders reinforce the need for registrants to respond promptly to known breaches, by adopting and implementing firm-wide enhanced security measures, as well as the need to communicate accurately with affected clients regarding breaches.[23]

I believe Enforcement’s—and the Cyber Unit’s—involvement here has been a good thing.  Where we allow latitude in our rules (whether existing or future), we must be prepared to identify and bring cases against those entities who do not meet the obligations those rules impose.  This is not only in the interest of advancing the SEC’s mission (especially market integrity and investor protection aspects), but also in the interest of a robust national economy and ultimately for national security as well.

Examinations

Finally, I’d be remiss if I did not mention the work of our Examinations Division (“EXAMS”), which plays a key role in ensuring compliance with Regulation SCI as well as existing requirements for broker-dealers and investment advisers.  EXAMS has made cybersecurity a priority in its examinations for a number of years now.  This has allowed them not only to encourage compliance, but also to learn a great deal about best practices—the ways that registered entities are addressing cybersecurity.  Last year, EXAMS synthesized their observations regarding cybersecurity and resiliency into a useful report that I believe is helpful for all registered entities.[24]  Since the report, the staff has continued to share the perspectives they gain in their examinations in a number of cybersecurity-related Risk Alerts.  On this front, I am particularly proud of EXAMS’ July 2020 Ransomware Alert, which discussed the threat of ransomware attacks months before the wave of prominent recent attacks.[25]

Conclusion

Taking a step back, I note that cybersecurity will only become more important in our personal and professional lives.  As you can see, the SEC, like many government agencies and private parties, is devoting significant resources to assessing and addressing cybersecurity.  We are not alone.  Congress is also considering legislation in this area and it would be great if we could achieve a cross-federal government solution to the coordination needed among regulators as well as other issues.[26]  This is a large and complicated problem, and there is much work left to be done.  However, I am happy that we are trying to bring greater clarity and hopefully will work hand-in-hand with the public and registrants to understand what can be done to ensure appropriate cyber-readiness and protections for investors.

While I have talked a lot today about areas where I hope the Commission will bring more clarity to our registrants in the cybersecurity arena, I will offer that there are several things registrants can think about doing right now.  Identifying, ahead of time, certain providers and experts that a registrant should call in the event of a cyber-incident shows prudence and diligence.  Similarly, table-top exercises are a way that companies can proactively work to mitigate harm in case of a cyber-event.  That’s not to say that such lists or exercises will address every cyber event or incident.  But, they offer a level of procedures and pro-active measures that a company can undertake in recognition of this potential risk.

I will close by encouraging people to come meet with me, and my fellow Commissioners, and the SEC staff on this topic.  I would appreciate any thoughts on this topic and what the SEC can do to further our important mission of protecting investors, maintaining fair, orderly, and efficient markets, and facilitating capital formation.  Thank you for your time today.  I’m happy to take any questions you might have.

ENDNOTES

[1] See Financial Services and Cybersecurity: The Federal Role, available at https://crsreports.congress.gov/product/pdf/R/R44429; additional resources can be found on the Cybersecurity page of the Commission’s website, available at https://www.sec.gov/spotlight/cybersecurity, and on the website of the Cybersecurity and Infrastructure Security Agency, available at https://www.cisa.gov/.

[2] Regulation Systems Compliance and Integrity, 79 Fed. Reg. 234, 72252 et seq. (Dec. 5, 2014), available at https://www.govinfo.gov/content/pkg/FR-2014-12-05/pdf/2014-27767.pdf.

[3] See Id.

[4] Privacy of Consumer Financial Information (Regulation S-P), 65 Fed. Reg. 126, 40334 et seq. (June 29, 2000), available at https://www.govinfo.gov/content/pkg/FR-2000-06-29/pdf/00-16269.pdf.

[5] 17 C.F.R. 248.30(a).

[6] Id.

[7] Identity Theft Red Flags Rules, 78 Fed. Reg. 76, 23638 et seq., available at https://www.govinfo.gov/content/pkg/FR-2013-04-19/pdf/2013-08830.pdf.

[8] See Cybersecurity Guidance, No. 2015-02, Division of Investment Management (Apr. 2015), available at https://www.sec.gov/investment/im-guidance-2015-02.pdf. The Division of Examinations also has issued risk alerts relating to specific cybersecurity issues.  See, e.g., Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies (Apr. 16, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf. See also Safeguarding Customer Records and Information in Network Storage – Use of Third Party Security Features (May 23, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Network%20Storage.pdf. See also Cybersecurity and Resiliency Observations, available at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.

[9] See FINRA Rules 3110 (Supervision); 3120 (Supervisory Control System); and 4370 (Business Continuity Plans and Emergency Contact Information).

[10] FINRA Rule 4530(b).

[11] FINRA Rule 4530 Supplementary Material .01.

[12] See FINRA Report on Cybersecurity Practices, at 24 (Feb. 2015), available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

[13] Financial Services Information Sharing and Analysis Center, available at https://www.fsisac.com/ (last visited Oct. 29, 2021).

[14] See Commission Statement and Guidance on Public Company Cybersecurity Disclosures, Release Nos. 33-10459; 34-82746 (Feb. 26, 2018), available at https://www.sec.gov/rules/interp/2018/33-10459.pdf. The staff of the Division of Corporation Finance blazed our trail here by releasing cybersecurity-related disclosure guidance in 2011.  See CF Disclosure Guidance: Topic No. 2: Cybersecurity (Oct. 13, 2011), available at https://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm.

[15] Id. at 7-8.

[16] Id. at 4.

[17] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies and Related Internal Accounting Controls Requirements, Release No. 84429 (Oct. 16, 2018), available at https://www.sec.gov/litigation/investreport/34-84429.pdf.

[18] Id. at 2-3.

[19] Id. at 6.

[20] SEC Announces Annual Regulatory Agenda (June 11, 2021), available at https://www.sec.gov/news/press-release/2021-99.

[21] See SEC Charges Issuer with Cybersecurity Disclosure Controls Failures (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102; SEC Charges Pearson plc for Misleading Investors About Cyber Breach (Aug. 16, 2021), available at https://www.sec.gov/news/press-release/2021-154.

[22] See SEC Announces Three Actions Charging Deficient Cybersecurity Procedures (Aug. 30, 2021), available at https://www.sec.gov/news/press-release/2021-169.

[23] Id. See also Cetera Advisor Networks LLC, et al., Exchange Act Release No. 92800 (Aug. 30, 2021) (IA with a 206(4)-7 violation related to cybersecurity), available at https://www.sec.gov/litigation/admin/2021/34-92800.pdf.

[24] Cybersecurity and Resiliency Observations, available at https://www.sec.gov/files/OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.

[25] See Cybersecurity: Ransomware Alert, OCIE Risk Alert (July 10, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Ransomware.pdf; Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies, OCIE Risk Alert (Apr. 26, 2019), available at https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf.

[26] See, e.g., Brian Fung and Alex Marquardt, “Senators Draft Bill that Would Require Many Entities to Report Cyber Breaches within 24 Hours,” CNN (June 16, 2021), available at https://www.cnn.com/2021/06/16/politics/bill-report-cyber-breach-24-hours/index.html.

These remarks were delivered on October 29, 2021, by Elad L. Roisman, commissioner of the U.S. Securities and Exchange Commission, to the Los Angeles County Bar Association.