On Wednesday, September 20, 2017, Chairman Jay Clayton of the U.S. Securities and Exchange Commission (the “Commission”) released a public statement addressing cybersecurity risks.
Chairman Clayton’s statement is part of an ongoing effort to communicate the Commission’s approach to cybersecurity in connection with the May 2017 assessments of the Commission’s internal cybersecurity and of its approach to cybersecurity as a regulatory agency.
The statement addressed the Commission’s collection and use of data, the Commission’s management of internal cybersecurity risks, incorporation of cybersecurity considerations in the Commission’s regulatory approach with respect to disclosures and its supervisory programs, coordination by the Commission with other government entities, and enforcement by the Commission of federal securities laws.
The most noteworthy portion of the statement was the revelation by Chairman Clayton that the Commission had discovered in August 2017 that a cyberattack, previously detected in 2016, may have provided the basis for illicit gain through trading. According to Chairman Clayton, a vulnerability in the EDGAR test filing system had allowed individuals to access nonpublic information. It is not believed that any personally identifiable information was obtained through the exploitation of the vulnerability, but the Commission continues to investigate the matter.
The Commission has emphasized in recent months that it utilizes trading data and other information in identifying risks, detecting fraud, and enforcing securities laws (for our blog post regarding recent related comments by the SEC’s Acting Director and Acting Chief Economist, see here). Wednesday’s revelation serves as a reminder that the Commission’s role in collecting and maintaining sensitive nonpublic information may make it a particularly attractive target for cyberattacks. While the particular vulnerability in EDGAR was patched promptly after discovery, the Commission’s investigation is ongoing and cyberattacks will continue to present an ongoing threat not only to companies, but also to the Commission itself.
Chairman Clayton’s statement went on to describe in detail the ways in which the Commission manages cybersecurity risks internally and ways in which cybersecurity considerations inform the Commission’s regulatory approach.
In managing cybersecurity risks internally, the Commission employs an agency-wide cybersecurity detection, protection, and prevention program including cybersecurity protocols and controls, network protections, system monitoring and detection processes, vendor risk management processes, and regular cybersecurity and privacy training for employees. The Commission additionally undergoes regular independent audits and reviews and submits reports relating to cybersecurity to the Office of Management and Budget and the Department of Homeland Security.
The Commission incorporates cybersecurity considerations into its regulatory approach in the context of the Commission's review of public company disclosures, its oversight of critical market technology infrastructure, and its oversight of other regulated entities, including broker-dealers, investment advisers and investment companies. In particular, the Staff of the Division of Corporation Finance (the “Staff”) released guidance in 2011 requiring particular disclosures by public companies relating to cybersecurity risks. Notably, the 2011 guidance indicated that companies should disclose material cybersecurity risks and that companies which have experienced material cyberattacks may need to disclose the existence, costs, and consequences of those attacks in their risk factor analysis. In light of recent cybersecurity events, public companies should take extra caution to ensure that they have met their disclosure obligations.
Chairman Clayton stated that the Commission must regularly review whether its current protective measures are appropriate given the sensitivity of the data that it collects and the associated risks of unauthorized access, including evaluating whether there are any other feasible alternatives of data collection. He emphasized that the Commission will continue to prioritize the promotion of effective cybersecurity practices internally and with respect to market participants, but cyberattacks will remain a concern for companies and for government entities.
In light of these developments and other recently disclosed cyberattacks, registrants should consider whether any modifications to their current practices and policies may be appropriate. Recent events serve as a reminder that confidential information, even that held on a regulator’s system, may be vulnerable. While it is not possible to avoid certain confidential filings that contain sensitive, non-public information (such as responses to SEC comment letters), it is possible that registrants may change the timing of certain filings. For example, a registrant with serious concerns about hacking may file a Current Report on Form 8-K when EDGAR opens in the morning so it immediately appears on the public website, rather than file in the evening (i.e., when filings do not appear on the public website). Although test filings and confidential submissions of IPO registration statements could also become vulnerable, it has yet to be seen if use of these common practices would be curtailed by registrants (or future registrants) if a breach related to these systems were to occur.
Gibson Dunn attorneys Nicolas Dumont, Matthew Haskell and Victor Twu assisted with the preparation of this analysis.