SEC’s Grewal on cyber resilience and his division’s approach

Gurbir Grewal set out the Division of Enforcement’s five guiding principles.

Gurbir Grewal, the Director of Enforcement for the SEC, spoke recently at a Cyber Resilience Summit sponsored by the Financial Times. He laid out five principles that guide the work his division is doing to ensure SEC registrants take their cybersecurity and disclosure obligations seriously.

Guiding principles

Disclosure. Whenever there is a cyber attack on a publicly traded company or another market participant, the division considers the investing public to be potential victims of that incident as well.

Grewal acknowledged that a business has a lot to contend with when it suffers a cyber breach, but the agency wants these entities to remember that the investing public can be victims of those incidents too. It is often their personally identifiable information (PII) or financial details that are compromised, and the decisions businesses make about how to respond to breaches may be material to these public companies’ investors.

This all boils down to timely and accurate disclosures, so customers and investors get the information they need.

“What worked 12 months ago probably isn’t going to work today, or at a minimum, may be less effective.”

Gurbir S Grewal, Director of the Division of Enforcement, SEC

Policies that work in the real world. Cybersecurity policies must actually work rather than merely exist on paper, and they must actually be implemented. “Having generic ‘check the box’ cybersecurity policies simply does not cut it,” he said.

Grewal mentioned an SEC case from last June against several broker-dealers and investment advisers for deficiencies in their programs to prevent customer identity theft in violation of Regulation S-ID, or the SEC’s Identity Theft Red Flags Rule.

One of the businesses, JPMorgan, had a written program that merely restated S-ID’s requirements but never explained how to identify red flags or how to respond to them once identified, Grewal said.

Reviews and reports

Regular reviews. A regular review of cybersecurity policies must be done to keep up with evolving threats. “What worked 12 months ago probably isn’t going to work today, or at a minimum, may be less effective,” he said.

Report up the chain. Grewal also reminded businesses that, when a cyber incident happens, they must report it up the chain to those making disclosure decisions. If those decision-makers do not get the right information in a timely way, it does not matter how good the business’s disclosure policies are.

For example, he said, the SEC charged First American Financial Corporation with disclosure controls and procedures violations related to a cybersecurity vulnerability that exposed sensitive customer information. The business only disclosed it after reporters brought it to the company’s attention.

There is no reason companies should be more concerned about their reputations than with coming clean with shareholders and the customers whose data is at risk.

It turned out that a member of the company’s information security team had identified the vulnerability months earlier, but the team failed to remediate it according to the company’s policies and failed to report it to the senior executives responsible for the company’s disclosures.

“Those executives were, therefore, in the dark until the reporter brought the issue to light,” Grewal said.

Tell us first

No gamesmanship around disclosure. Grewal said his division has no time for “gamesmanship” around the decision to disclose: there is no reason companies should be more concerned about their reputations than with coming clean with shareholders and the customers whose data is at risk.

Delay does nothing to help the company once the breach becomes public, and the company could face stiffer penalties for not reporting the matter to the SEC and not disclosing the material information to those stakeholders.

He brought up an enforcement action against Pearson, the educational publishing company, which the SEC charged for describing a data privacy incident in a special report as a “hypothetical risk,” even though it had already occurred.

Again, it took a media report for Pearson to disclose the breach.

Cooperation credit

Cooperation credit. Grewal did not label this a sixth principle, but he reminded businesses that self-reporting violations and cooperating with an SEC investigation can lead to reduced or even no penalties in enforcement actions.

“In contrast, firms that do not fulfill their obligations will likely face civil penalties higher than they have in the past,” he said.