2021 has been a transformative year for cybersecurity enforcement. With Gary Gensler as the new SEC Chairman, the agency has taken a renewed focus on cybersecurity disclosures and policies and procedures designed to protect investors and customers alike. In addition to indicating that the SEC’s Division of Enforcement will be more aggressive with respect to cybersecurity disclosures, and the extension of the statute of limitations for SEC actions from five to ten years, there have been a wave of notable SEC enforcement actions that have put cybersecurity at the forefront of the SEC, prompting firms to broadly reconsider their approach to cybersecurity.
- In June, the SEC settled charges against First American Financial Corporation with an approximate $500k penalty. The circumstances of the settlement are rather standard: Due to inadequate policies and procedures, information security personnel who were aware of a vulnerability did not inform senior executives. What’s notable is that this is the first time that the SEC has issued a penalty for cybersecurity in the absence of a breach.
- In connection with the Solar Winds breaches, the SEC asked firms to voluntarily report what steps they were taking to protect themselves or remediate issues, with relief provided to any firms not meeting standards if they were to self-report. This is unusual not only because of the nature of the request—a sweep with voluntary participation is an uncommon approach—but also because of the scope of the request. Hundreds of firms were a part of the request, which will provide the SEC with a mountain of data on how firms are implementing protective measures for cybersecurity compliance.
- In August, the SEC settled charges against Pearson plc in matters relating to negligence and disclosures. While there was a breach at Pearson, what’s unique is the aggressive approach that the SEC took in its legal case. Since quantitative materiality was questionable, the SEC heavily emphasized the qualitative materiality of Pearson’s business model, hinging on its responsibility to safeguard the personal information of its clients. This suggests that the SEC is taking a more hardline approach to ensuring cybersecurity compliance.
- In mid-September, the SEC announced a significant $10m penalty against App Annie, including a $300k sanction against its co-founder and CEO. The firm—an alternative data provider—misled investors and customers by alleging it anonymized and aggregated confidential client data, when in reality the data was not anonymous. While not necessarily tied to a breach, or the threat of one, it’s clear from the ruling and penalty that the SEC is considering the treatment of confidential client data with extreme care.
Mirroring the SEC’s stance on cybersecurity, FINRA issued NTM 21-29, reminding member firms of their supervisory obligations with respect to cybersecurity, Regulation S-P and protecting client data. Of course, adequate policies and procedures commensurate with your firm’s risk level are table stakes. But FINRA points to some recent exam findings around cybersecurity—namely disciplinary actions for firms that failed to adequately safeguard their customer’s private information. Seeing this highlighted in an NTM, it is clear that protecting this data is on FINRA’s radar as well.
As a provider of services related to handling and processing customer information, Hearsay has always prioritized overarching SEC and FINRA regulatory requirements. Our platform ensures transparency in audit trails and recordkeeping, facilitates PII masking to hide sensitive information where appropriate, and complies with deletion requests in the event that a customer needs to ensure data integrity.
Cybersecurity is very much on the radar of the regulatory bodies. In preparation for increased scrutiny with respect to the treatment of customer data, firms should review their policies and procedures around cybersecurity to ensure compliance with the expectations of the governing bodies. If you’d like to know how Hearsay can help you meet these expectations, let us know.
