SEC’s Initiatives on Cybersecurity
Posted by Laura Anthony, Esq. on December 04, 2017
The SEC collects, stores and transmits data in three broad categories: (i) public-facing data through the EDGAR system; (ii) non-public information, including personally identifiable information, related to its supervisory and enforcement functions; and (iii) non-public information, including personally identifiable information, related to the SEC’s internal operations. The first category involves data provided to the SEC by companies (such as public reports under the Exchange Act and notices of private offerings on Form D) and by investors (such as Section 13 and Section 16 filings). The second category includes data on companies, broker-dealers, investment advisors, investment companies, self-regulatory organizations (including FINRA), alternative trading systems, clearing agencies, credit rating agencies, municipal advisors and other market participants.
The third category of data includes personnel records, internal investigations and data related to risk management and internal control processes.
The SEC, like all market participants, is “the subject of frequent attempts by unauthorized actors to disrupt access to its public-facing systems, access its data, or otherwise cause damage to its technology infrastructure, including through the use of phishing, malware and other attack vectors.”
As occurred with the EDGAR hacking, attackers stand to profit from stolen information through trading activities, identity theft and a myriad of other improper uses. In addition to outside attacks, the SEC monitors for unauthorized actions by its own personnel. In 2014, an internal review uncovered that certain laptops containing sensitive information could not be located. There have also been instances where SEC personnel used non-secure personal email accounts to transmit nonpublic information. The SEC mitigates this internal risk by requiring all personnel to complete privacy and security training. To protect against all of its cyber-related threats, the SEC employs an agency-wide cybersecurity detection, protection and prevention program. The program includes cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees. However, in light of current and changing technological advancements, the SEC intends to step up its efforts overall. In that regard, as mentioned earlier in this Lawcast series, the SEC is seeking an increase in its annual budget and a lift of its current hiring limitations.
Just as the SEC expects public companies to maintain internal controls on cybersecurity matters, including from the top down, the SEC itself has internal policies and procedures requiring senior management to maintain such policies and to coordinate with other offices and divisions on cybersecurity efforts, including risk reporting and testing.
Although all offices have responsibilities, the SEC Office of Information Technology has overall management and responsibility for the agency’s cybersecurity. The SEC’s cybersecurity program is subject to review from internal and external independent auditors, including to ensure compliance with the Federal Information Security Modernization Act of 2014 (“FISMA”).
The SEC also must report cybersecurity matters to outside agencies, including the Office of Management and Budget and the Department of Homeland Security, and has established information-sharing relationships with the National Cybersecurity and Communications Integration Center (“NCCIC”), the Financial and Banking Information Infrastructure Committee (“FBIIC”), and the Financial Services Information Sharing and Analysis Center (“FS-ISAC”).