Learn about how the Securities and Exchange Commission views cybersecurity, examples of how the SEC enforces the financial market, and more in this week's Data Protection 101, our series on the fundamentals of information security.
SEC Cybersecurity relates to cyber threats that put public companies at risk. Here’s an overview of SEC Cybersecurity, the SEC’s role in cybersecurity, and enforcement.
Definition of SEC Cybersecurity
SEC Cybersecurity is a term that encompasses the Securities and Exchange Commission’s guidance role across the spectrum of cyber threats against public companies. The SEC is a federal agency charged with protecting investors. According to its official webpage, “The mission of the U.S. Securities and Exchange Commission is to protect investors, maintain fair, orderly, and efficient markets, and facilitate capital formation.” The agency’s efforts to guard against and prevent cybersecurity breaches are simply an extension of that function.
The Securities and Exchange Commission’s Role in Cybersecurity
There are several ways the SEC carries out its mission. These include:
- Offering guidance to investors about safe online trading practices
- Providing resources to prevent cyber-related crimes
- Offering guidance to organizations on reporting breaches and other cybersecurity threats
- Using civil law to pursue criminal activity and wrongdoing
To understand SEC Cybersecurity further, there are several items to explore. The statements published, the resources provided, and the laws enforced together give a detailed look at the subject.
Commission Statement and Guidance on Public Company Cybersecurity Disclosures
On February 21st, 2018, the SEC published a Commission statement that took effect five days later, on February 26th, 2018. The statement provides interpretive guidance, or recommendations, specifically for public companies on the subject of “preparing disclosures about cybersecurity risks and incidents.” With the dramatic increase in data breaches and other malicious activity on the Internet, companies are being caught unawares. The statement aims to protect investors by recommending cybersecurity best practices for companies.
Resources Provided by the SEC for Cybersecurity
The SEC provides many cybersecurity resources, including documents, roundtable discussions, and tips on a resources page for investors and other entities, such as:
- Public Companies
- Investment and Financial Advisors/Companies
- Stock Brokers/Dealers
- Self-Regulatory Organizations
While all of the provided materials are useful, organizations seeking a comprehensive understanding of SEC Cybersecurity will find the resources below particularly valuable:
- SEC Cybersecurity Roundtable: This was a live, recorded roundtable discussion from 2014. There is a transcript and other materials derived from the meeting available. It remains a resource recommended for all those involved in securities.
- FINRA Cybersecurity Page: The Financial Industry Regulatory Authority also has a page full of helpful resources and checklists for companies, individuals, and other entities.
- The Commission Statement: Released by the SEC in early 2018 (and linked above) to provide a list of recommendations and rules for public companies, the commission statement provides a clear understanding of the Commission’s overarching goals and objectives.
Examples of SEC Cybersecurity Enforcement
The online world is perhaps one of the most hostile environments for financial markets. With no shortage of malicious software and wrongdoing, there have now been multiple enforcement cases. In fact, the SEC has a page dedicated to publishing these cases in multiple categories, including:
- Digital Currency and Initial Coin Offerings (ICOs)
- Account Intrusion
- Hacker and Insider Trading
- Market Manipulation
- Safeguarding Customer Information
- Trading Suspensions
Cases of note include:
- Morgan Stanley Failed to Safeguard Customer Data
- Day Trader Charged in Brokerage Account Takeover Scheme
- Securities and Exchange Commission v. Iat Hong, et al.
Requirements of Public Companies
While the Commission statement covers an array of topics and provides many action items that companies should put in place, there are two distinct ways companies are affected. The first is how a public company reports cybersecurity matters to the SEC, and the second is how those same matters are disclosed to the public.
Reporting to the SEC
Public companies are required to report on their methods of securing data, the cyber risks associated with their organization, and incidents related to cybersecurity. This reporting is done through a number of forms, many of which are listed and mentioned in the recent Commission statement.
Federal, state, and local governments have begun to require companies to report when incidents occur. Public companies also report these incidents to the SEC. In addition, public companies are asked to provide details regarding the measures taken to protect against cyber threats.
Disclosing to the Public
There are several requirements when it comes to alerting the public. As with reporting to the SEC, public companies should provide individuals with information on what they do to prevent cyber incidents, as well as on breaches when they occur. Potential risks and vulnerabilities should also be public knowledge available to all potential investors.
These measures, and others, are employed by the Securities and Exchange Commission to provide fairness in our markets. SEC cybersecurity encompasses the recommendations, oversight, and enforcement actions made to ensure that fairness.