SEC Statements On Cybersecurity




Posted by on November 28, 2017

SEC Statements On Cybersecurity- Today is the first in a LawCast series on the SEC’s recent statements and initiatives on Cybersecurity. On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC Edgar system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident and that the hacking likely originated in Eastern Europe. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

Upon taking office in May, 2017, Chair Clayton formed a senior-level cybersecurity working group to coordinate the sharing of information, risk monitoring and incident response efforts. Chair Clayton’s September 20, 2017 statement was part of the SEC’s ongoing initiatives and necessary to inform the public of the SEC’s own hacking incident. In addition to the revelation regarding the EDGAR hacking, Chair Jay Clayton’s statement emphasized the importance of cybersecurity to not only the SEC, but all market participants.

All market participants engage in data collection, storage, analysis, availability and protection to some extent, all of which are open to cybersecurity risks. Cyber attacks can be perpetrated by identity thieves, unscrupulous contractors and vendors, malicious employees, business competitors, prospective insider traders and market manipulators, hackers, terrorists, state-sponsored actors and others. Furthermore, the effects of attacks can be significant, including loss or exposure of consumer data, theft or exposure of intellectual property, investor losses resulting from the theft of funds, market value declines in companies’ subject to cyber attacks, and regulatory, reputational and litigation risks.

Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery. Chair Clayton’s statement provides detail on the SEC’s approach to cybersecurity, including: (i) the types of data they collect, hold and make publicly available; (ii) how the SEC manages cybersecurity risks and responds to cyber events; (iii) how the SEC incorporates cybersecurity considerations in their risk-based supervision of entities they regulate; (iv) how the SEC coordinates with other regulators to identify and mitigate cybersecurity risks; and (v) how the SEC uses its oversight and enforcement authorities, including to pursue cyber threats.