Remarks at Financial Times Cyber Resilience Summit
Good morning everyone.
Stefania, thank you for the very kind introduction and thank you to the Financial Times for inviting me to frame the next panel by providing a regulator’s perspective on today’s topic.
Before I do, I must remind you that my remarks this morning are in my official capacity as the Director of the Division of Enforcement, and do not necessarily reflect the views of the Commission, the Commissioners, or other members of the staff.
Today’s summit is about cyber “resilience.” As opposed to cybersecurity, cyber resilience is a concept that recognizes that breaches and cyber incidents are likely going to happen, and that firms must be prepared to respond appropriately when they do. In other words, it’s not a matter of if, but when.
This is certainly true in my world, where SEC registrants, such as public companies, broker-dealers, and investment advisers, possess an incredible amount of electronic data about innumerable entities and individuals. This includes personal identifying information, account information, and other information that is valuable to bad actors. It’s therefore not surprising that they’re often the targets of cyberattacks at the hands of not just enterprising criminals, including insiders and sophisticated hacking groups, but also state-sponsored actors.
In fact, according to a recent poll, more than a third of executives reported that their organization’s accounting and financial data was targeted by cyber adversaries last year.[1]
And as markets grow increasingly complex and global, cyber threats are only going to grow more sophisticated and bring greater risk.
Cybersecurity is therefore foundational to maintaining the integrity of not just our securities markets, but our economy as a whole.
The Commission is doing its part here to address these risks. In addition to enforcing existing rules and requirements, as everyone in this room well knows, the Commission has also proposed and is considering rules enhancing cybersecurity-related policies and procedures at broker-dealers, exchanges, and other market participants.[2]
I’m sure there are probably as many opinions as there are people in this room about those efforts given the number of comments received in connection with those proposals.
But as Enforcement Director, it would be inappropriate for me to weigh in on that debate. Our panelists, on the other hand, are well-positioned to do so, and I, like each of you, look forward to hearing their thoughts.
Instead, what I’d like to do this morning is share with you some – five to be exact – of the principles that guide the work we are doing across the Enforcement Division to ensure that registrants take their cybersecurity and disclosure obligations seriously.
First, when there are cyberattacks on publicly traded companies and other market participants, we consider the investing public to also be potential victims of those incidents.
Now, we fully understand that when, for example, a public company is breached, it can be disruptive and expensive and potentially have consequences for the company’s long-term viability.
We also understand that firms have to make real-time decisions when responding to cyber events and around related disclosures, especially when there are ongoing attacks, or even ongoing internal and criminal investigations.
But we cannot lose focus of the fact that those decisions directly impact customers whose PII or financial information has been compromised — and those decisions may also be material to investors in publicly-traded companies.
So in addition to ensuring that market participants are doing their part to prevent and respond to cyber events, our goal is to prevent additional victimization by ensuring that investors receive timely and accurate required disclosures.
I believe that the enforcement actions that the SEC has brought to date in this space strike the right balance among these various considerations, which leads me to the second principle: firms need to have real policies that work in the real world, and then they need to actually implement them; having generic “check the box” cybersecurity policies simply doesn’t cut it.
What do I mean by that?
The SEC recently charged, in settled actions, several broker-dealers and investment advisers, including JP Morgan and UBS Financial Services, for deficiencies in their programs to prevent customer identity theft in violation of Regulation S-ID, the SEC’s Identity Theft Red Flags Rule.[3]
Regulation S-ID requires financial institutions, including certain broker-dealers and investment advisers, to develop and implement a written identity theft prevention program to identify, detect, and respond to “red flags” that indicate possible identity theft.
As these cases demonstrate, some firms have just been paying lip service to these requirements. For example, the Commission’s Order found that JP Morgan’s written program simply restated Regulation S-ID’s requirements: it instructed JP Morgan staff to “identify relevant red flags” and “respond appropriately to any red flags that are detected to prevent and mitigate identity theft.”[4] Critically, it didn’t explain how to identify or how to respond to those red flags once identified.
A third related principle requires registrants to regularly review and update all relevant cybersecurity policies to keep up with constantly evolving threats. What worked 12 months ago probably isn’t going to work today, or at a minimum may be less effective.
And relatedly, registrants and the professionals that counsel them would be well-served by reviewing the Commission’s enforcement actions and public orders on these topics. They clearly outline what good compliance looks like and where and how registrants fall short with their cybersecurity obligations.
But as we all know, despite the best cyber hygiene, policies, procedures and training, breaches will happen. This leads me to the fourth principle: when a cyber incident does happen, the right information must be reported up the chain to those making disclosure decisions. If they don’t get the right information, it doesn’t matter how robust your disclosure policies are.
For example, in June 2021, the SEC, in a settled order, charged First American Financial Corporation with disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information.[5] According to the SEC’s order, First American only disclosed the vulnerability after a reporter brought it to the company’s attention. You see, although the company’s information security personnel had actually identified that vulnerability months earlier, they failed to remediate it in accordance with the company’s own policies. They then compounded those mistakes by failing to report it to the senior executives responsible for the company’s disclosures. Those executives were, therefore, in the dark until the reporter brought the issue to light.
Finally, we have zero tolerance for gamesmanship around the disclosure decision. Here, I am talking about those instances where folks are more concerned about reputational damage than about coming clean with shareholders and the customers whose data is at risk.
Companies might, for example, stick their head in the sand, or work hard to persuade themselves that disclosure is not necessary based on their hyper technical readings of the rules, or by minimizing the cyber incident.
Don’t do that.
It doesn’t work for the customers whose data is at risk.
It doesn’t work for the shareholders who are kept in the dark about material information.
And it most certainly doesn’t work for the company, which will most likely face stiffer penalties once the breach gets out, as it invariably will, and if it turns out that the company violated its obligations.
The SEC has charged public companies that engaged in these types of behaviors. For example, in August 2021, the SEC charged Pearson, an educational publishing company, with misleading investors about a cyber intrusion involving the theft of millions of student records, including dates of birth and email addresses.[6] In a public report, Pearson referred to that data privacy incident as a hypothetical risk, even though it had already occurred. Pearson did not disclose the breach until it was contacted by the media.
By the way, that seems to be a recurring and fitting theme for a conference organized by the FT, doesn’t it? The media reporting on a cyber event at a public company before the company does in accordance with its responsibilities to the investing public.
If you have a material event, or think you might, comply with your disclosure obligations and come and talk to us sooner rather than later – not in six months after you finish your internal investigation. You can always complete that after meeting your disclosure obligations, if any, and reaching out to us.
Keep in mind, if you talk with us, that doesn’t prejudge the outcome of your internal investigation – or ours.
On the other hand, and going back to the first principle I shared, if you wait too long to make the necessary disclosures, you risk creating additional victims.
What I’m about to say next is not a sixth principle because it’s not unique to cyber matters. As I’ve said in many of my public remarks, firms that meaningfully cooperate with an SEC investigation, including by coming in to speak with us or self-reporting, receive real benefits, such as reduced penalties or even no penalties at all. Pearson, the public company I just mentioned, was ordered to pay only $1 million in penalties. As the Order in that case states, the SEC considered Pearson’s cooperation in resolving the case and arriving at that number.
In contrast, firms that do not fulfill their obligations will likely face civil penalties higher than they have in the past.
* * *
Regardless of what additional protections or reporting requirements future rulemaking may yield, I am certain that adherence to these overarching principles will continue to guide our decision making when it comes to protecting investors and the markets against cyber risks.
Our registrants would be well-served by considering them as they work to enhance their cyber resilience.
Thank you so much for inviting me here today and for thinking so critically and thoughtfully about such a timely topic.
I look forward to hearing from our panelists.
[1] According to a Deloitte Center for Controllership poll (Feb. 2023), “During the past 12 months, 34.5% of polled executives report that their organizations’ accounting and financial data were targeted by cyber adversaries.”
[2] See Securities and Exchange Commission, “SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies” (March 9, 2022), available at https://www.sec.gov/news/press-release/2022-39; Securities and Exchange Commission, “SEC Proposes New Requirements to Address Cybersecurity Risks to the U.S. Securities Markets” (March 15, 2023), available at https://www.sec.gov/news/press-release/2023-52.
[3] See Securities and Exchange Commission, “SEC Charges JPMorgan, UBS, and TradeStation for Deficiencies Relating to the Prevention of Customer Identity Theft” (July 27, 2022), available at https://www.sec.gov/news/press-release/2022-131.
[4] See In the Matter of J.P. Morgan Securities LLC, Admin. Proc. File No. 3-20936 (July 27, 2022), available at https://www.sec.gov/litigation/admin/2022/34-95367.pdf.
[5] See Securities and Exchange Commission, “SEC Charges Issuer With Cybersecurity Disclosure Controls Failures” (June 15, 2021), available at https://www.sec.gov/news/press-release/2021-102.
[6] See Securities and Exchange Commission, “SEC Charges Pearson plc for Misleading Investors About Cyber Breach” (Aug. 21, 2021), available at https://www.sec.gov/news/press-release/2021-154.
Last Reviewed or Updated: June 22, 2023