SEC and DOJ Hacking Prosecutions Highlight SEC’s Increased Interest in Cybersecurity Risks

The US Securities and Exchange Commission (SEC) and the Department of Justice (DOJ) recently filed civil and criminal actions in the largest hacking and securities fraud scheme of its kind ever prosecuted.[1] Over a five-year period, the defendants allegedly stole approximately 150,000 confidential press releases, prepared by scores of public companies, from the servers of three newswire companies. Unbeknownst to those companies, the defendant hackers, who all appear to be foreign nationals, then sold the press releases to traders who traded ahead of the confidential information’s public release and reaped millions of dollars in illegal profits.

This case highlights the need for companies to ensure that they have adequate internal controls covering data transfer at every stage of the data’s use and life cycle. Any weak link in a cybersecurity program may be exploited by hackers as a back door to gain access to information. In this case, the cyber attack targeted third-party newswires rather than the companies that originally created and held the information. A strong cybersecurity program is essential for companies to protect valuable and sensitive information and to avoid possible enforcement actions, fines, reputational harm, loss of business, and class action or other lawsuits brought for damages suffered by customers or clients.

The SEC’s focus is not limited to public companies. Recent findings by the SEC confirm the widespread nature of cybersecurity attacks in the financial industry. In February 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that it had examined the cybersecurity protocols of scores of broker-dealers and investment advisers.[2] Among the areas the Risk Alert report focused on were identification and assessment of cybersecurity risks, risks associated with vendors’ and other third parties’ systems, detection of unauthorized activity, risks associated with remote customer access, and the absence of a chief information security officer and/or cyber insurance.[3] Strikingly, OCIE found that 88% of the broker-dealers and 74% of the investment advisers examined had experienced a cyber attack, either directly or through a vendor.[4]

The SEC’s increased emphasis on the adequacy of internal controls generally, and on cybersecurity at all stages of data transfer specifically, should be of particular interest to public companies and financial institutions as they shape their approach to detecting and mitigating cyber risks.

Read the original full article on JDSUPRA Business Advisor.