SEC Promises a Stronger Focus on Cybersecurity Enforcement Actions

SEC Promises a Stronger Focus on Cybersecurity Enforcement Actions

Deal makers take note. The Securities and Exchange Commission (SEC) is promising a new wave of cybersecurity enforcement actions, a move that figures to represent one of the more important regulatory trends of 2016.

The news comes on the heels of last year's SEC enforcement action against a St. Louis-based investment advisor that was charged with failing to establish proper policies and procedures for safeguarding client information. The firm settled with the SEC in September 2015, following a security breach that saw the personal information of more than 100,000 clients illegally accessed.

The settlement against the investment advisor was the first of its kind — the SEC had never before pursued an enforcement action against a regulated entity for issues related to cybersecurity. According to recent public statements from Andrew Ceresney, who heads the SEC's enforcement division, more cases of this kind are “in the pipeline.”

This marks the beginning of a potentially transformative new era of enforcement, given the rising number of cybersecurity breaches and the critical importance of online security for virtually every large corporation. The SEC isn't alone in regard to greater enforcement efforts. The Federal Trade Commission, Federal Communications Commission and Consumer Financial Protection Bureau have all increased scrutiny on companies that have fallen short in terms of security preparedness.

How to prepare for a heightened focus on cybersecurity policy

Given the newfound zeal for cybersecurity policy enforcement displayed by a variety of federal agencies, deal makers and large companies are well-advised to take steps to address any potential problems. The SEC has published a set of guidelines for advisors and brokers based on its annual examination results. These SEC exams determine how companies identify online security risks, establish effective policies and procedures governing online security, protect sensitive client data and detect potential outside threats.

Firms who score well on these metrics are more likely to effectively safeguard client information — and ultimately pass SEC muster. Ceresny has also noted that companies self-reporting security lapses may receive lowered fines as a result. He added the SEC recognizes that companies are working diligently to protect client data, and the yardstick firms will be judged by is whether they have “done enough.”

In the case of St. Louis-based advisor, the SEC alleged that the firm failed to take basic precautions such as installing a firewall and encrypting sensitive customer data stored on its network. Mark Eichorn, assistant director for the Federal Trade Commission's Consumer Protection Bureau, recently provided additional examples of companies failing to take even the most limited security measures, including one case in which a company used “admin” as both a username and a password.

The takeaway

With the SEC and other federal agencies heightening their focus on cybersecurity lapses, deal makers and large firms should take steps to ensure their policies and procedures offer sufficient consumer protection. By doing so, they lower the odds of facing a cybersecurity “double whammy” — a security breach, followed by a regulatory sanction.


To learn more about how CT can help you better manage your legal service needs, contact a CT representative at 844-316-8948 (toll-free US).

Questions? We can help.

Have a specific question about a product? A CT Specialist will follow up with a custom quote along with a comprehensive assessment of your needs.