Participating in a panel at the “SEC Speaks” event on February 19, Deputy Director of the SEC’s Enforcement Division Stephanie Avakian stated that the Commission continues to treat cybersecurity as a top enforcement priority in 2016.
Avakian discussed the Commission’s cybersecurity concerns in three contexts: (1) failure of registered entities to follow Rule 30(a) of Regulation S-P (the “Safeguards Rule”) in protecting customers’ records and information; (2) illicit securities trading following theft of material non-public information; and (3) cyber-related disclosures by public companies, including disclosure of material intrusions.
On the issue of disclosures, Avakian confirmed the Commission’s position that a “company that has been the victim of an intrusion is just that: a victim,” and noted that accurate disclosure can be difficult immediately following a breach. No rules regarding cyber-related disclosures have been promulgated by the SEC to date, but in 2011 the Division of Corporation Finance published guidance regarding cybersecurity risks and cyber incidents, and stated that a “registrant may need to disclose known or threatened cyber incidents to place the discussion of cybersecurity risks in context.” While the Commission has not yet brought any actions arising out of this guidance, Avakian said that she could envision an enforcement action in the event of a “significant disclosure failure.” Finally, she encouraged companies that are victims of cyberattacks to involve law enforcement as soon as possible following a breach.
Avakian’s statements come in the wake of SEC Enforcement Director Andrew Ceresney’s comment last month that the Commission is unlikely to penalize companies related to cybersecurity disclosures. Ceresney has been quoted: “I’m not saying it’s not possible, but it would need to be a very clear violation for there to be a case.”