Testifying at an oversight hearing before the Senate Banking Committee on September 26, 2017, SEC Chairman Jay Clayton addressed concerns over the SEC’s disclosure of a 2016 cyber-security breach involving its own EDGAR system for corporate filings, as well as the massive breach of the Equifax credit reporting agency database that put in jeopardy the personal information of over 140 million Americans.
Mr. Clayton responded to these concerns in part by referring to new agency organizational efforts, many of which predate these cyber incidents. In his prepared remarks, Mr. Clayton touted these new enforcement initiatives to combat cyber-based threats and to protect retail investors. According to his testimony, these initiatives have “various components, including the formation of a senior-level cybersecurity working group to coordinate information sharing, risk and threat monitoring, incident response and other cross-divisional and interagency efforts and an assessment of reporting and escalation procedures.”
Additional statements issued by the SEC on the day after the hearing clarify that the new Cyber Unit intends to focus the Enforcement Division’s cyber expertise on cyber-related misconduct, including: 1) market manipulation using electronic and social media; 2) hacking; 3) violations involving distributed ledger technology and initial coin offerings; 4) misconduct perpetrated using the dark web; 5) intrusions into retail brokerage accounts; and 6) “cyber-related threats to trading platforms and other critical market infrastructure.” Robert A. Cohen, former Co-Chief of the Market Abuse Unit, has been appointed Chief of the new Cyber Unit.
The SEC is also launching a Retail Strategy Task Force to specifically target ways to identify misconduct impacting retail investors. The task force will “leverage data analytics and technology to identify large-scale misconduct affecting retail investors” and “will include enforcement personnel from around the country and will work with staff across the SEC, including from the SEC’s National Exam Program and the Office of Investor Education and Advocacy.”
According to reports, the SEC is working in cooperation with prosecutors at the Justice Department investigating whether top officials at Equifax violated insider-trading laws when they sold stock before the company disclosed that it had been hacked.
With respect to the EDGAR system intrusion, as reported in Bloomberg, Mr. Clayton asserted that the SEC is under constant attack from “nefarious actors” and noted that “he only became aware last month of the seriousness of the [EDGAR] intrusion.” Further, he said “he isn’t 100 percent certain that last year’s attack is the only time the agency has been breached.”
In an October 2, 2017, update on the EDGAR system breach, the SEC disclosed that, following a forensic analysis, the breach did compromise the names, birth dates and social security numbers of at least two individuals. (SEC staff will offer them identity theft protection and monitoring services.)
Chairman Clayton committed to improving “the cyber-security risk profile” of the EDGAR system and other agency systems. He stated that he organized five “workstreams,” including continuing review of the EDGAR breach by the Office of the Inspector General; an Enforcement Division investigation into potential illicit trading emanating from the breach; a full review and “uplift” of the EDGAR system; a general assessment of the agency’s cyber security risk profile including the Consolidated Audit Trail and other systems that hold sensitive market data or personally identifiable information; and an internal review by the Office of General Counsel on response procedures used after the intrusion.
The Equifax breach has not gone unnoticed by state authorities. In response to that incident, the Governor of New York proposed regulations that would give the New York Department of Financial Services (DFS) oversight over credit reporting agencies. The regulation would subject them to examinations by DFS and would give the Superintendent the power to deny or revoke a credit agency’s “authorization to do business with New York’s regulated financial institutions and consumers.” In addition, the proposed regulations would require credit reporting agencies to comply with the NYDFS’ new cybersecurity regulations, which require financial services institutions to “have a program in place designed to protect consumers’ private data, including a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.”
Reaction from many quarters to the Equifax and SEC cyber incidents has been vigorous. Reuters reports that the FBI and the Secret Service have begun an investigation into the SEC breach, and the state Attorneys General are just getting started. A $70 billion class action has been filed in the State of Oregon against Equifax, and the Massachusetts Attorney General announced that she will be filing a case against Equifax shortly as well.
It is clear that the public and regulatory pressures on companies that traffic in personally identifiable information are increasing. (See here for a Bates discussion on big data enforcement.) For the foreseeable future, there will be back-to-back congressional hearings digging into every aspect of the Equifax intrusion, additional regulatory reaction once the SEC investigations are concluded, and more states will seek to protect their consumers either through regulatory initiatives like the one introduced by New York or through the filing of lawsuits. Penalties to Equifax are estimated to amount “to more than $700 billion just from the states.” Bates Group will continue to monitor these ongoing developments.