The Securities and Exchange Commission (“SEC”) has been busy the last couple of months on the cyber front. On September 20, the SEC announced a renewed focus on cybersecurity efforts and disclosed that it had been a victim of a cyber-attack, which may have allowed hackers to use nonpublic information to make illicit gains. The press release revealed that the breach was induced by a software vulnerability in the SEC’s EDGAR system. In a more detailed statement on the matter, SEC Chairman Jay Clayton opened the door for cyber-attack-related enforcement actions directed at public companies. He warned them that the failure to “take their periodic and current disclosure obligations regarding cybersecurity risks seriously… may result in an enforcement action.”
In an effort to reduce the risk of cyber-attacks (and the embarrassment that comes with them), the SEC appears to be putting its money where its mouth is—perhaps not by choice. Clayton recently told the Senate Banking Committee that the SEC is hiring additional employees to aid in cybersecurity prevention efforts and creating a new cybersecurity unit (discussed in more detail on this blog). In October, the House Financial Services Committee approved a bill directing the SEC to examine and further develop its internal cybersecurity risk controls. The bill was approved 59-1 in committee.
Expect more guidance on both cyber-attack enforcement actions and the SEC’s cybersecurity controls in the coming months.