SEC Chair Jay Clayton declared cyber security one of the top enforcement issues at the securities regulator on Tuesday, according to a Reuters article. In line with this comment, we expect that there will be an uptick in the number of rewards to whistleblowers who report cyber security problems that violate securities laws.
It has been a few months since we have talked about cybersecurity here, but it is back on our radar because of the announcement from Equifax yesterday that the personal and financial information of 143 million Americans was compromised this year.
This seems like an undeniable area for more whistleblowing in the future. Investment banks and hedge funds are an obvious target of hackers, and it seems unlikely that one of the largest will be able to escape making a breach announcement at some point similar to the one Equifax did earlier this week.
Clayton described the problem as substantial and systemic, as well as not one that the investing public fully understands. Former SEC Chair Mary Jo White made similar comments last year about the importance of this area, calling cybersecurity the biggest risk to the financial markets.
Cybersecurity implicates a number of issues in securities law:
1. Insider trading: Hackers that steal information to gain a market advantage. There have already been reports of individuals trading on information stolen from various large corporate vendors, such as press release services and top mergers and acquisitions law firms. The current laws against insider trading reach this conduct as they protect against the use of material nonpublic information to the disadvantage of other investors.
2. Sensitive Information: Financial firms have a duty to protect sensitive client information. If an investment bank is hacked and client information taken, they will be subject to fines if they did not take reasonable steps to safeguard the client information in the first place. The most egregious cases will the fact that this is a developing area,
3. Disclosures: Publicly traded companies are required to provide accurate disclosures to investors about material events in the business. If a corporation hides a breach from the public or delays reporting to its investors in order to avoid the negative publicity and hit to its stock price, then the SEC would be within its power to step in and fine the company.
4. Market Access: If a hacker were to illegally take control of the computer systems of an investment bank or hedge fund with substantial assets, it could wreak havoc on asset valuations.
All of these issues could become the subject of whistleblower tips. The Dodd-Frank Act authorizes the SEC to pay rewards of between 10 and 30 percent of the government penalties in cases where they exceed $1 million. While government enforcement efforts are likely to resist overreaching in a developing area, comments like this from Jay Clayton suggest that cybersecurity tips from whistleblowers will be welcomed.