BI’s Article search uses Boolean search capabilities. If you are not familiar with these principles, here are some quick tips.
To search specifically for more than one word, put the search term in quotation marks. For example, “workers compensation”. This will limit your search to that combination of words.
To search for a combination of terms, use quotations and the & symbol. For example, “hurricane” & “loss”.
A U.S. Securities and Exchange Commission report detailing cases of cyber-related fraud that stemmed from lax internal accounting controls is a warning to firms that the agency will levy fines in the future, experts say.
Some observers believe this likelihood is further enhanced by the agency’s announcement in September of a $1 million settlement in connection with an investment firm’s handling of a cyber breach.
In its latest report, the agency focused on nine unidentified public companies that had become victims of cyber fraud.
However, there are steps firms can take to avoid becoming a target of an SEC action.
The report was issued under Section 21(a) of the Securities and Exchange Act of 1934, which authorizes the commission to investigate violations of the federal securities laws.
It is a tool the SEC does not use often, “but it means to put the markets on notice about enforcement concerns,” said Jacob S. Frenkel, a member of Dickinson Wright PLLC in Washington and chair of its government investigations and securities enforcement, as well as a former senior counsel in the SEC’s enforcement division.
“Usually after the filing of a 21(a) report, we begin to see enforcement action,” he said. The agency is making clear with the report that “it expects companies to treat cyber issues and risks as a priority,” he said. It “should be required reading” for public company boards.
“It’s actually a very smart and helpful thing that the SEC has done,” said Marc A. Leaf, a partner with Drinker Biddle & Reath LLP in New York, who has served on the SEC’s executive staff. “I actually would like to see them do more of that, rather than hitting people with a fine or an enforcement action that carries serious penalties.”
He added the SEC is not issuing new rules here. The rules referred to in the report “have been on the books since 1977,” he said.
“The SEC’s been warning about this since 2011,” when it issued cyber security guidance on disclosure obligations relating to cyber security risks and cyber incidents, “so everyone who advises public companies has been waiting for something like this,” said David M. Lisi, a partner with Pillsbury Winthrop Shaw Pittman LLP in Palo Alto, California.
In the intervening years “we’ve seen a couple of huge data breaches,” some of which, in hindsight, “could have been minimized had boards of directors and management been focused on cyber,” Mr. Lisi said.
The SEC is “putting the word out that this is something companies need to be tightening up on. They probably won’t be so kind next time,” said Mark J. Fagel, a partner with Gibson, Dunn & Crutcher LLP in San Francisco.
Some experts believe the SEC’s message is further strengthened by its $1 million settlement with Des Moines, Idaho-based broker-dealer and investment adviser Voya Financial Advisors Inc.
Joseph P. Facciponti, a partner with Murphy & McGonigle P.C. in New York and a former federal prosecutor, said the Voya fine and the latest report show the SEC “is examining the cyber threat from a wide range of perspectives, and will seek to use enforcement and investigative tools at its disposal to ensure companies take the right steps” in response to cyber threats.
Rob Yellen, New York-based executive vice president of Willis Towers Watson PLC’s FINEX North America practice, said he believes the SEC’s Voya action is the more significant of its two actions. “I’m a lot less worried” about fraudsters putting out “fake president scams,” he said.
The SEC had also issued guidance in February as to when and how publicly held companies should disclose guidance on cyber security risks and procedures.
Whether there is coverage for SEC fines will depend upon the cyber policy, experts say.
“With the proper cyber policy, the cost for responding to the investigation, as well as the fines and penalties — that may be covered by insurance,” said Tim Monahan, Washington-based vice president in Lockton Cos. LLC’s claims consulting group. “I would say there is coverage available in the cyber marketplace, but it’s not in every policy.”
“Most insurers are offering this as one of the coverage parts in a cyber policy,” he said. The questions are whether companies are buying the coverage and whether “it is being offered in adequate amounts.” He added that there may also be coverage under firms’ crime policies for fraudulent payments paid in connection with cyber scams.
Meanwhile, to avoid SEC scrutiny, firms should review their cyber security practices and procedures, update them if necessary and train employees, experts say.
Thomas O. Gorman, a partner at Dorsey & Whitney LLP in Washington, said the report’s implication is that it is not enough to have a “nice set of policies and procedures. You’ve got to really train your people and create an environment where they’re actively monitoring these things all the time and updating them all the time.”
Your employees should “understand that if they follow the rules and use the controls as they were intended, they’re not going to get into trouble,” said Alan Brill, senior managing director at Kroll Associates Inc. in Secaucus, New Jersey.
The U.S. Securities and Exchange Commission report issued last month investigated whether public issuers who were cyber fraud victims violated federal securities laws because of inadequate internal accounting controls.