In a February 19th speech at the annual SEC Speaks conference, Stephanie Avakian, Deputy Director of the SEC’s Division of Enforcement, explained what the SEC expects of entities that experience a cyber intrusion and how the SEC decides whether to investigate such entities.

With respect to responding to cyber intrusion, the SEC’s stated expectations are high level and axiomatic. Entities are expected to (1) assess the situation, (2) address the problem and (3) minimize the damage. Ms. Avakian emphasized the importance of quickly involving authorities such as the FBI or Department of Homeland Security.

Ms. Avakian also expressed awareness of the practical impediments to self-reporting cyber intrusions to the SEC. Specifically, entities may be hesitant to do so for fear of triggering an investigation and enforcement action regarding their policies and procedures and the implementation thereof. To assuage this concern, Ms. Avakian noted that the SEC’s goals in the cybersecurity area are to prevent hacking, protect customer data and ensure the smooth operation of America’s financial system. In other words, the SEC—at least from a priority standpoint—is on the same side as the entities that may fall prey to a cyber intrusion. In the case of registrants, when investigating cyber intrusions the SEC will focus on whether a registrant had policies and procedures reasonably designed to protect customer data and related remediation action plans. In the case of public companies, the SEC is not looking to second-guess good-faith decisions regarding data privacy, and would likely not bring an enforcement action against a cyber intrusion victim absent a “significant” disclosure issue. Ms. Avakian also pointed out that entities that self-disclose cyber intrusions will be rewarded with cooperation credit.

Ms. Avakian highlighted a recent case that exemplifies the SEC’s approach to cyber intrusions in the registrant context. In September 2015, the SEC charged R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”) with violating Rule 30(a) of Regulation S-P under the Securities Act of 1933. Rule 30(a) requires “[e]very broker, dealer, and investment company, and every investment adviser registered with the [SEC]” to “adopt written policies and procedures” regarding the safeguarding of customer information. 17 CFR 248.30(a). Specifically, the written policies and procedures must be “reasonably designed” to, among other things, protect against threats to the security of customer information and protect against unauthorized access to customer information. In the R.T. Jones case, a registered investment adviser had agreements with a retirement plan administrator and retirement plan sponsors to provide investment advice to individual plan participants through a managed account program. In order to confirm individuals’ eligibility for the managed account program, R.T. Jones required prospective clients to use their name, date of birth and Social Security Number to log on to its website. Although R.T. Jones did not control or maintain client account information, it did store unencrypted and unmodified client login information (name, date of birth and Social Security Number) on its third party-hosted web server. The web server was compromised in a cyberattack launched from China, which gained access to all client login information. In assessing a civil money penalty, the SEC noted that R.T. Jones “failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ [information]” as required by Rule 30(a) of Regulation S-P. The SEC specifically identified R.T. Jones’ failures to conduct periodic risk assessments, employ a firewall to protect the web server, encrypt client information and establish procedures for responding to cybersecurity incidents.

While Ms. Avakian stated that entities that fall prey to cyber intrusions are viewed as “victims,” and articulated cybersecurity priorities that are consistent and compatible with the interests of both registrants and public companies, the SEC may nonetheless bring enforcement actions where (1) registrants are subject to cyber intrusions and have failed to follow applicable regulations regarding the implementation and maintenance of policies and procedures reasonably designed to protect clients’ information or (2) public companies have “significant” disclosure issues.

Joshua Nichols

Joshua Nichols is an Associate in Vedder Price’s Litigation practice area. He focuses extensively on defending corporations, officers and directors in government investigations. He has defended investigations by the DOJ, SEC, SIGTARP, OCC, CFTC and Illinois Securities Department, and has served as lead associate in the defense of 33 current and former bank directors and officers against FDIC investigations and claims totaling over $279 million.

Additionally, Mr. Nichols counsels and represents clients on a wide variety of business and commercial disputes, including actions for breach of contract, securities fraud, restrictive-covenant violations and director and officer liability, in both state and federal court as well as before FINRA and the American Arbitration Association. Mr. Nichols also drafts complex EB-1 immigrant petitions and O-1 nonimmigrant petitions for outstanding researchers, professors and individuals with extraordinary ability.

In 2016, Mr. Nichols was selected for inclusion as an Illinois Rising Star by Super Lawyers Magazine.

Junaid A. Zubairi

Mr. Zubairi is the Chair of Vedder Price’s Government Enforcement & Special Investigations practice and regularly practices before the Securities and Exchange Commission (SEC), U.S. Attorney’s Office, U.S. Commodity Futures Trading Commission (CFTC) and other federal and state agencies.

His practice includes representing companies and individuals in government investigations and securities litigation, conducting internal investigations, advising clients on investment services matters, counseling clients during regulatory examinations, counseling clients on Foreign Corrupt Practices Act (FCPA) matters and providing general compliance and remediation advice.

Mr. Zubairi has successfully represented public companies, investment advisers, broker-dealers, accounting firms and officers and directors in complex matters involving financial statement restatements, alleged financial fraud, books and records and internal control violations, whistleblower allegations, conflicts of interest, board governance and oversight, supervision and insider trading.

Prior to joining Vedder Price, Mr. Zubairi was a senior attorney with the SEC, Division of Enforcement. At the SEC, Mr. Zubairi was the lead attorney on numerous high-profile investigations and litigations involving investment adviser and broker-dealer misconduct, financial fraud, officer and director liability, insider trading and pay-to-play practices. Mr. Zubairi spearheaded several complex investigations that resulted in substantial settlements against large public companies.