SECURITIES CORNER

The SEC recently filed an enforcement action against a large IT Service Provider (the “Company”) and its Chief Information Security Officer (“CISO”), charging “fraud and internal control failures relating to allegedly known cybersecurity risks and vulnerabilities.” In the complaint, the SEC alleged that the company’s public statements about its cybersecurity practices and risks blatantly contradicted internal discussions and assessments about the Company’s cybersecurity policy violations, vulnerabilities, and cyberattacks.

The Company provides network monitoring software to businesses throughout the world. In 2020, the Company provided a software update to its customers for its network management software. Hackers were able to insert malicious code into the update, resulting in a massive cyberattack that affected approximately 18,000 customers, including many national government agencies.

The SEC Complaint charges the Company and its CISO with fraud and internal control failures. Specifically, the allegations suggest that the Company’s public disclosures were widely inconsistent with internal knowledge of known cybersecurity policy violations, vulnerabilities, and cyberattacks. It is alleged that these known risks should have been addressed by both the Company and its CISO individually. According to the SEC, the specific cybersecurity issues highlighted were pervasive and “reflected a culture that did not take cybersecurity issues with sufficient seriousness, and a scheme to conceal these issues from investors and customers.” The complaint alleges that the Company trumpeted its safe and secure cybersecurity practices through misleading statements in three contexts: cybersecurity statements posted to the Company’s website (including statements posted just prior to its second IPO after going private), its S-1 and S-8 registration statements, and the Form 8-K disclosing the cybersecurity breach. The complaint seeks injunctions, disgorgement, and civil monetary penalties, as well as an “officer and director bar” against the CISO. 

In its annual report on examination priorities, the SEC stated that information security and operational resiliency, emerging fintech, and anti-money laundering protocols will be areas of risk for market participants. To combat these risks, the SEC will focus on companies' policies and procedures, internal controls, governance practices, oversight of third-party vendors, and responses to cyber-related incidents by reviewing how companies train their staff on issues like identity theft prevention, customer records, and information protection.

The SEC will continue to focus on services, including automated investment tools, artificial intelligence, and trading algorithms, and the risks associated with the use of emerging technologies and alternative sources of data. Among other things, the report also highlights Regulation Best Interest as a focus area for broker-dealers. Exams in that area will focus on complex products, including derivatives and leveraged exchange-traded funds; high-cost products, such as variable annuities; and products that are illiquid, proprietary, or microcap securities.

Additionally, the SEC stated that it will have a specific focus on cybersecurity, cryptocurrency assets, and firms' anti-money laundering programs in the upcoming year. Regarding cryptocurrency — which has been a major focus of the SEC for several years — the latest report indicates that exams will focus on a range of activities surrounding crypto assets and related products, including offering, selling, recommending, trading, and providing advice on such assets. The SEC said it will keep monitoring firms and conduct exams given "the continued volatility of, and activity around, the crypto asset markets."