The Securities & Exchange Commission is interested in investigating potential violations of the securities laws due to poor cyber security practices. If you have evidence of a financial institution at risk of being hacked or a public company which has not disclosed a material cyber attack to investors, please contact us for additional information about the SEC Whistleblower Program and for legal representation during your report to the SEC.
The SEC has launched a number of investigations into corporate disclosures in this area and inquired into the security of technology systems at various financial institutions within its purview. Several staff members of the Commission have made public comments about the agency’s focus in this area and we expect that the SEC will start enforcement actions based on cyber security issues highlighted by whistleblowers in the future. If you have evidence in this area, one of our SEC whistleblower lawyers can assist you.
An Important Area for Whistleblowers
Hacking Incidents are Increasing and Companies are Unprepared
Attempts to hack the technology systems of businesses are on the increase. According to a study last year conducted by CNNMoney and the Ponemon Institute, nearly half of adult Americans have had their information exposed by a cyber attack.
Many companies have not taken sufficient steps to protect their information and customer data from exposure. Target, Home Depot, JPMorgan Chase and other companies have disclosed security breaches by hackers that put millions of their customers at risk through the exposure of their personal information.
The consequences for both individuals and the companies that suffer attacks could be severe. Through cyber attacks, hackers may be able to gain access to a variety of personal information gathered by the company about its customers. Depending on the type of company and the extent of the data breach, hackers may gain access to a customer’s email, password, social security information, credit card numbers, bank account numbers and more. In some cases, the information exposed could be sold by the hacker(s) to other people to misuse. For the corporations, the negative publicity threatens their customer base and their profits.
SEC Comments on Importance of Cyber Security
The director of the Securities and Exchange Commission’s Chicago Regional Office, David Glockner, told the audience at the Practising Law Institute’s SEC Speaks conference in February 2015 that these cases are high on the SEC’s radar screen even though the agency has not brought a significant number of cases in this area to date.
Only a few days later, Glockner warned compliance professionals at an annual conference of the Investment Adviser Association about the importance of strong governance in protecting data and systems from cyber attacks.
Disclosure of hacking incidents affecting corporations and consumers is currently governed by a conglomeration of state and federal laws. As a result of this patchwork system, some businesses may attempt to avoid the negative publicity that comes from disclosing problems with their cyber security protections and data breaches of customer information.
In early 2015, President Obama announced federal legislation, the Personal Data Notification and Protection Act, to force US companies to provide information about data breaches. The legislation requires companies to notify customers of the exposure of their personal information in a data breach within 30 days of its discovery. If passed, the law would replace the varying disclosure requirements that each state imposes for the protection of its residents.
Potential Areas to Report to the SEC
Financial Institution Risk Controls
The SEC is charged with ensuring the orderly operation of the markets. If financial companies, including alternative exchanges, banks, hedge funds, broker-dealers and advisors, do not have adequate controls against cyber attacks, a breach could allow the hacker to influence the market and undermine the integrity of the system.
The SEC has issued rules to protect against the impact of lapses in cyber security on market integrity. Regulation Systems Compliance and Integrity (“Regulation SCI”) applies to self-regulatory organizations, alternative trading systems and clearing agencies, and plan processors. It requires covered organizations to have systems with levels of security adequate to maintain operational capacity and maintain fair and orderly markets. It also requires them to take corrective action following a system intrusion and to report these events to the Commission.
The Dodd-Frank Act also directed the SEC and the CFTC to require financial institutions and creditors to develop and implement an identity theft prevention program covering both existing accounts and the opening of new accounts. The SEC and CFTC jointly adopted Regulation S-ID, which sets out the identity theft Red Flag Rules. Covered businesses had to implement the required policies and procedures by November 20, 2013. For the SEC, this regulation built on Regulation S-P, its privacy rules issued in 2000 under the authority of section 504 of the Gramm-Leach-Bliley Act.
The SEC has made this area a priority. In a press release in February 2015, SEC Chair Mary Jo White indicated that assessing the cybersecurity readiness of market participants “has been and will continue to be an important focus of the SEC.” White also spoke at an SEC Roundtable on Cybersecurity in March 2014, impressing upon the participants the Commission’s focus on cybersecurity at a broad range of financial institutions, including self-regulatory organizations, large alternative trading systems, registered investment advisers, broker-dealers and funds.
Public Company Disclosures
Federal securities laws require a public company to disclose hacking incidents when they are material to the company. No specific securities law explicitly requires the disclosure of a breach or of poor cyber security controls. Instead, such disclosure falls under the general requirement that companies report material information to investors. Information is considered material if there is a substantial likelihood that a reasonable investor would attach importance to it when making an investment decision.
The potential adverse consequences for a company from a breach of cyber security could be severe. These include short-term costs of taking appropriate corrective action, increasing protection and defending the resulting litigation, as well as longer-term loss of revenue and reputational damage. When the impact of a single security breach, or the collective cost of hacking attempts, becomes material, it must be disclosed.
In October 2011, the SEC provided guidance on when a public company would need to make a disclosure regarding cyber incidents and cybersecurity risks. Companies must disclose aspects of their business which pose a material risk, including the potential for a failure of their IT security protections. The company may also need to disclose cyber attacks in order to place discussions about these risks in the appropriate context to investors and avoid a misleading disclosure.
In July 2014, Bloomberg reported on SEC investigations into multiple companies, including Target, over their handling of cyber attack disclosures.
The Benefits of Reporting
The Right Thing to Do
Whistleblowers have become an increasingly important tool for law enforcement agencies. Without tips from individuals with non-public information, a company’s violation of the securities laws and fraud against investors may go unnoticed for years. In order to facilitate disclosures, the SEC allows anonymous reporting and takes measures to protect the identity of its whistleblowers.
The SEC will pay eligible whistleblowers a reward of between 10 and 30 percent of the amount recovered in enforcement actions where the recovery exceeds $1 million.
Although the SEC has issued rules to protect internal whistleblowers, these rules have been challenged by employers and their validity in the courts is still up in the air. The only way to ensure that a whistleblower qualifies for the Dodd-Frank protections is to report to the SEC.