By: Richard Borden, Jay Shapiro, Lori Smith and Gwenn Barney
Chairman Jay Clayton of the U.S. Securities and Exchange Commission (SEC) announced two new initiatives on September 25, 2017. The Commission has created a Cyber Unit that will focus on cyber-related misconduct and a Retail Strategy Task Force to help protect retail investors.
The announcement concerning the Cyber Unit follows a statement made several days earlier by Chairman Clayton in which he noted that the SEC “is focused on identifying and managing cybersecurity risks and ensuring that market participants – including issuers, intermediaries, investors and government authorities – are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.”
The disclosure last week that hackers breached the SEC’s computer system in October 2016, gaining access to EDGAR, the electronic filing system for public company data, raised significant questions about the SEC’s ability to protect its own systems and information. While the SEC discovered the breach last year, the SEC has said that it only became aware last month that information obtained by the hackers may have been used for illegal trading activities. The hackers took advantage of a vulnerability in the part of the system used by companies to submit test filings to ensure that they format correctly. Companies are supposed to use dummy data for this process, but some companies did not do so and their data was not protected. The system is a potentially lucrative source for hackers to access sensitive nonpublic information before it is released to the rest of the market.
Notably, this is not the first time that the EDGAR system has been hacked. In 2015, an FBI investigation uncovered that an international hacking ring had stolen more than 150,000 news releases that were scheduled to be delivered to investors. There are some reports that the FBI is considering whether the current hack may have been perpetrated by the same group that was involved in the press release hack. Also in 2015, fake information about the takeover of Avon Products was posted on the site, which affected the company’s stock price during the period between the posting and the discovery that the information was fake. There have been other instances of hacking detected at the SEC in which overseas hackers have targeted nonpublic information.
Given the above, the SEC is hiring additional personnel to assist with its cybersecurity efforts. However, in testimony to the Senate Banking Committee today, Chairman Clayton said that the SEC needs more money to dedicate to this area. Clayton further said that there will be increased focus on issuer cybersecurity and risks. Clayton was asked about the Equifax breach but declined to comment directly. He did say that all companies “should be disclosing more” and that there should be “better disclosure about their risk portfolios and sooner disclosures about intrusions.” In the past, the SEC’s resources had been focused more on exchanges, broker-dealers and investment advisors, but we anticipate that going forward the SEC will not be satisfied with broadly worded risk factors as a substitute for adoption of robust policies and audit and disclosure procedures for all publicly traded companies. Chairman Clayton has also called upon the SEC’s Office of Inspector General to launch its own investigation of the breach to determine the scope of the information that was stolen and how the SEC responded to the incident.
The frequent attacks on the SEC by hackers trying to access data or disrupt the public markets are a significant concern to the stability of the markets. The SEC will soon be expanding the amount and type of data that it collects when it begins the first stage of the Consolidated Audit Trail, or CAT, later this year. This system will track trading activity in the U.S. equity and options market. Clayton has said that through CAT “the SEC will have access to significant, nonpublic, market sensitive data and personally identifiable information” and that “cybersecurity has been and will remain a key element in the development of CAT systems.”
The SEC has also recently made clear that it is focused on initial coin offerings and the latest digital currencies, an area that has proven ripe for fraud and abuse and has largely gone unregulated to date.[1]
Robert Cohen, who had been the co-chief of the Market Abuse Unit, was named the chief of the Cyber Unit. The unit will target:
- Market manipulation schemes involving false information spread through electronic and social media
- Hacking to obtain material nonpublic information
- Violations involving distributed ledger technology and initial coin offerings
- Misconduct perpetrated using the dark web
- Intrusions into retail brokerage accounts
- Cyber-related threats to trading platforms and other critical market infrastructure
This unit’s operations will allow the SEC to join the FBI in the latter’s ongoing and increasing efforts to identify and investigate cyber-related illegal activity.
In addition to the new Cyber Unit, the SEC established the Retail Strategy Task Force, which will develop targeted initiatives to identify misconduct and fraud impacting retail investors, such as the sale of unsuitable structured products and microcap pump-and-dump schemes. The task force will leverage data analytics and technology to identify misconduct that has a widespread, large-scale impact on retail investors. Like the Cyber Unit, the Retail Strategy Task Force will include enforcement personnel from around the country.