Last month, the SEC announced the creation of a new “Cyber Unit” within the Enforcement Division to target misconduct related to cybersecurity. The unit is being created in conjunction with internal SEC initiatives to strengthen cybersecurity in the wake of the agency’s infamous data breach last year.
While the SEC’s cybersecurity problems rightly received public attention, broker-dealers, investment advisors, and US public companies should not ignore the Enforcement Division’s new emphasis on investigating and prosecuting “cyber-related misconduct.” The focus of the new Cyber Unit will be on (1) “Market manipulation schemes involving false information spread through electronic and social media”; (2) “Hacking to obtain material nonpublic information”; (3) “Intrusions into retail brokerage accounts”; and other securities law violations involving electronically-stored information.
The SEC has already begun pursuing cybersecurity cases, including at least nine new cases in 2016-2017. Most of these cases involve alleged insider trading based on hacked information, or alleged use of online tools for illegal market manipulation. In one notable case filed this year, a man in Virginia allegedly purchased call options in Fitbit and then filed fake documents in the SEC’s EDGAR database showing a tender offer for the company, which caused Fitbit’s price to jump more than 10% and netted him more than $3,100. Criminal charges were also filed against him separately by the US Attorney's Office for the Southern District of New York.
Recent SEC cases also include alleged violations of the so-called “Safeguards Rule,” which requires broker-dealers and investment advisors to have policies and procedures that are “reasonably designed” to “[i]nsure the security and confidentiality of customer records and information,” among other things. For example, R.T. Jones Capital Equities Management paid $75,000 in penalties in 2015 to resolve allegations that it failed to adequately protect the personally identifiable information of approximately 100,000 individuals following a hack that allegedly left thousands of the firm’s clients vulnerable to theft. More cases are surely on the horizon, as the two SEC Commissioner Nominees told the Senate Banking Committee this week that cybersecurity would be among their top priorities.