SEC Statements On Cybersecurity – Part 2

On September 20, 2017, SEC Chair Jay Clayton issued a statement on cybersecurity that included the astonishing revelation that the SEC Edgar system had been hacked in 2016. Since the original statement, the SEC has confirmed that personal information on at least two individuals was obtained in the incident. Following Jay Clayton’s initial statement, on September 25, 2017, the SEC announced two new cyber-based enforcement initiatives targeting the protection of retail investors, including protection related to distributed ledger technology (DLT) and initial coin or cryptocurrency offerings (ICO’s).

The issue of cybersecurity is at the forefront for the SEC, and Jay Clayton is asking the House Committee on Financial Services to increase the SEC’s budget by $100 million to enhance the SEC’s cybersecurity efforts.

This is the second in a two-part blog series summarizing Jay Clayton’s statement, the SEC EDGAR hackingand the new initiatives. Part I of this blog, which outlined Chair Clayton’s statement on cybersecurity and the EDGAR hacking, can be read HERE . This second part in the series discusses the new cyber-based enforcement initiatives.

Previously I issued a blog outlining SEC guidance on the disclosure of cybersecurity matters, which can be read HERE.

Enforcement Initiatives

The SEC has established two new cybersecurity-related enforcement initiatives to address cyber-based threats and protect retail investors. The first is a creation of a Cyber Unit that will focus on targeting cyber-related misconduct. The second is the formation of a retail strategy task force that will focus on issues that directly affect retail investors.

Cyber Unit

The Cyber Unit will focus on:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information in order to trade in advance of some announcement or event, or to manipulate the market for a particular security or group of securities
  • Violations involving distributed ledger technology (blockchain) and initial coin offerings (ICO’s)
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts to conduct manipulative trading
  • Cyber-related threats to trading platforms and other critical market infrastructure

Chair Clayton formed the group with the goal of creating a cybersecurity working group to coordinate information sharing, risk monitoring, and incident response efforts throughout the agency. The Enforcement Division of the SEC has had to fast-track its expertise on matters related to cybersecurity including the advanced technologies that can be utilized.  It is thought that this focused enforcement initiative will further the SEC’s abilities to detect, respond to, and pursue misconduct.

On October 26, 2017, Stephanie Avakian, Co-Director of the Division of Enforcement gave a speech where she addressed both initiatives.   She addressed the obvious need for the Cyber Unit in today’s world of ever increasing cyber-related misconduct affecting the securities markets.

Expanding on the SEC’s list of areas of attention, Ms. Avakian indicates that the Cyber-Unit will also focus on cases involving failures by registered entities to take appropriate steps to safeguard information or ensure system integrity. The Cyber-Unit will work closely with the Office of Compliance, Inspections and Examinations (OCIE) in this area.

Further, the Cyber-Unit will review cases involving the failure by publicly reporting entities to properly report and disclose cyber related issues. The SEC has not yet brought a case in this space, but is expected to do so. The SEC expects companies’ to report cyber issues in risk factors and management discussion and analysis where appropriate and believes that the failure to do so could rise to a fraud issue under Rule 10b-5.

Retail Strategy Task Force

The Retail Strategy Task Force is planning to develop targeted initiatives to identify and pursue misconduct impacting retail investors.  The retail investor arena is a broad playing field including everything from the sales of unsuitable structured products to micro-cap pump-and-dump schemes. The Task Force will rely heavily on technology and analytics to identify problems. The Task Force includes enforcement personnel from around the country.

In her October 26, 2017 speech, Enforcement Co-Director, Stephanie Avakian stated, “this group will look at the many ways that retail investors intersect with the securities markets and look for widespread misconduct.” In a time of tight budgets, the SEC is focused on thinking strategically to identify problems and find the most efficient way to pursue enforcement actions including, as mentioned, with technology. Data analytics can be used to identify data by groups such as by product, by investor type, by location, by sales or trading practice, or by fee.  The SEC is even figuring out ways to use technology and data analytics to analyze the more than 16,000 tips it receives each year and integrate that data with other data points to identify issues.

Ms. Avakian gave specific examples of areas that the Retail Strategy Task Force will examine beyond the obvious Ponzi schemes and offering fraud, including:

  • Investment professionals steering customers to mutual fund share classes with higher fees, when lower-fee share classes of the same fund are available.
  • Abuses in wrap-fee accounts, including failing to disclose the additional costs of “trading away” or trading through unaffiliated brokers, and purchasing alternative products that generate additional fees.
  • Investors buying and holding products like inverse exchange-traded funds (ETFs) for long-term investment. These can be highly volatile products that are generally intended as a hedge against exposure to downward moving markets, and that face a long-term high risk of losing their principal. The SEC is increasingly seeing retail investors holding these products long-term, including in retirement accounts.
  • Problems in the sale of structured products to retail investors, including a failure to fully and clearly disclose fees, mark-ups, and other factors that can negatively impact returns; and
  • Abusive practices like churning and excessive trading that generate large commissions at the expense of the investor.

In addition to enforcement, the Retail Strategy Task Force will have an investor outreach and education component. In that regard, we can expect to see Investor Bulletins and other SEC investor communications generated from the Task Force’s findings and efforts.