SEC Steps Up Cybersecurity Requirements with Sudden Series of Settlements

September 3, 2021 Advisory

On May 20, 2021, the Securities and Exchange Commission’s (SEC) new Chair, Gary Gensler, pledged that the SEC would “stay abreast of [technological] developments” and that it “should be ready to bring cases involving issues such as crypto, cyber, and fintech.” Indeed, it has done just that.

On Aug. 30, 2021, the SEC published three new cybersecurity enforcement actions against eight companies (Cetera Advisor Networks LLC, et al.; KMS Financial Services, Inc.; and Cambridge Investment Research, Inc. and Cambridge Investment Research Advisors, Inc.), alleging they “fail[ed] to adopt written policies and procedures reasonably designed to protect customer records and information.”

All of these companies entered into settlement negotiations with the SEC. After considering the remedial measures undertaken by each of them, the SEC entered into agreements requiring that they (1) cease and desist from committing or causing any further violations; (2) agree to be publicly censured by the SEC; and (3) pay fines (ranging from $200,000 to $300,000).

These three enforcement actions were announced on the heels of two other recent actions, one from Aug. 16 and one from June 15. In these two other actions, the SEC determined that Pearson PLC, a company that provides educational resources to schools and universities, and First American Financial Corporation, an insurance company, failed to maintain cybersecurity-related disclosure controls and procedures. The companies agreed to remediate cybersecurity deficiencies and pay fines ($487,000 and $1 million, respectively).

So what?

If you’re counting, that’s five cybersecurity enforcement actions by the SEC in roughly two months. Before these, the SEC had published only one other such action, dating back to 2018. The pace alone suggests that more enforcement actions are likely.

In mid-June, reports indicated that the SEC sent numerous information requests to a number of regulated entities. These requests for information mirror prior information requests that later led to informal investigations and enforcement actions.

In 2016, the SEC announced charges against 72 firms following an information request related to disclosure failures by municipal securities underwriters. Similarly, in 2019, the SEC charged 79 investment firms after an information sweep was performed. In other words, these recent enforcement actions may be just the beginning.

What does the SEC want?

The SEC has asked companies for particular procedural details about data governance and incident response plans—including how data is stored, transmitted or categorized, along with the incident response plan’s included communication guidelines.

But the questions are not just procedural in nature. The SEC has also been asking companies about their business continuity plans and data backup practices, and for specific information relating to ransomware events including forensic reports, root cause analyses, network configuration details and patch management program details.

In short, the SEC is looking to determine whether companies adequately protect customer information and whether they are changing their policies and procedures in light of cybersecurity incidents that have impacted their electronic systems, directly or through third parties (e.g., SolarWinds, Microsoft, Accellion and Kaseya, to name just a few that have experienced cyberattacks).

Do the basics

The SEC’s sudden series of enforcement actions highlights the challenges companies face in understanding whether their collection, maintenance and storage of customer information complies with expanding legal obligations. But at a minimum, the following baseline requirements will help organizations keep pace:

  • Refine your Cybersecurity Incident Response Plans (IRP)
    • An IRP should include detailed response processes that articulate communication, documentation and evaluation activities.
  • Reassess your Cybersecurity Risk Assessment (RA)
    • Certain statutes and regulations mandate RAs and provide guidance and tools to assist with them.
      • For example, conduct an assessment to analyze your alignment with industry standards and ensure vulnerabilities targeted by ransomware have been addressed.
  • Refocus your Written Information Security Program (WISP)

The above measures are merely starting points and are taken into account by the SEC and other regulators when an organization’s cybersecurity practices are called into question before or after a cybersecurity incident occurs.

Our Privacy and Data Security team is actively monitoring for developments in this space and has deep experience guiding clients on their IRPs, RAs and WISPs. Contact your regular AT attorney or one of the authors listed below for proactive guidance specific to your business situation.
