Cybersecurity remains a top priority for the US Securities and Exchange Commission (“SEC” or the “Commission”) despite a change in leadership. On June 8, 2017, Stephanie Avakian and Steven Peikin were named the new co-directors of the SEC Division of Enforcement.1 These appointments followed a change in presidential administration and the confirmation of new Commission Chairman Jay Clayton, all of which generated considerable speculation over whether the change in leadership would bring with it new enforcement priorities at the SEC. However, recent statements by Co-Directors Peikin and Avakian make clear that cybersecurity will remain a high enforcement priority at the SEC. In particular, Co-Director Peikin has been quoted as saying that “the greatest threat to our markets right now is the cyber threat.”2 Similarly, Co-Director Avakian noted that there has been a recent “uptick” in cybercrime investigations and added that she anticipates seeing “the cyber threat continue to emerge” in coming years.3
These statements build on prior SEC Chair Mary Jo White’s comment in 2016 that “[w]ith the cyber field steadily evolving and expanding, it is imperative we continue to enhance our coordinated approach to cybersecurity policy across the SEC.”4
The recent statements from Co-Directors Avakian and Peikin also underscore the cybersecurity initiatives that the SEC and Financial Industry Regulatory Authority (“FINRA”) have launched since 2014, including targeted examinations of broker-dealers and investment advisers as part of a cybersecurity preparedness initiative run by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”)5 and a cybersecurity examination sweep of member broker-dealers by FINRA.6 Moreover, OCIE has identified cybersecurity as an examination priority every year since 2014, including in 2017. In June 2016, Christopher Hetner was appointed the SEC’s first senior advisor to the chair for cybersecurity policy.7 Additionally, following the May 2017 WannaCry ransomware attack, OCIE issued a ransomware risk alert providing advice to registered firms on protecting themselves from WannaCry ransomware and reminding them of the importance of addressing cybersecurity risks as well as formulating appropriate response strategies.8 OCIE also noted that many firms were still not conducting adequate periodic risk assessments, penetration testing, and vulnerability scans on critical systems.9
In 2015, the SEC’s Division of Investment Management issued guidance for registered funds and investment advisers that included the following recommendations:
Conduct regular assessments of information collection practices, cybersecurity threats, and security controls;
Design a strategy for preventing, detecting and responding to threats; and,
Implement the strategy through written policies and procedures and training for the relevant officers and employees.10
The SEC’s focus on cybersecurity is not limited to registered entities such as investment advisers and broker-dealers. The SEC has also addressed cybersecurity for issuers of public securities. In 2011, the SEC’s Division of Corporation Finance released guidance to assist issuers in assessing their disclosure obligations regarding cybersecurity. This guidance explained that existing disclosure requirements may impose an obligation on issuers to disclose significant cybersecurity risks and incidents.
In addition to its regulatory activity, the SEC has targeted cybersecurity violations in enforcement actions. In particular, the Division of Enforcement has focused on the “safeguards rule,” adopted in 2000 as part of Regulation S-P under the Gramm-Leach-Bliley Act.11 Recent enforcement actions targeting violations of the safeguards rule show that the SEC is serious about cybersecurity compliance.12 Moreover, some of these SEC enforcement actions were accompanied by separate criminal prosecutions of individuals involved in the violations.13
While the change in leadership at the SEC could foreshadow shifts in regulatory and/or enforcement priorities, current signs indicate that cybersecurity will continue to be an important focus. The new enforcement co-directors’ very clear initial statements on cybersecurity mean that firms should expect cybersecurity enforcement and examination activity to continue under the new administration.
(The Firm thanks Daniel Tingley, a summer associate in our Washington DC office, who helped draft this Legal Update.)