SEC security measures, or cyber enforcement actions, are powerful incentives for financial institutions to protect investments and data from theft and fraud.
If there oughta be a law but there isn’t, there can still be a regulation. Which so far seems to be the U.S. government’s philosophy on cyber security.
There are numerous federal laws regulating things like quality and safety of just about every industry’s products and services. But at least so far, Congress hasn’t passed any central, nationwide mandate to regulate industries regarding their cyber security, collection of data, or protection of consumer privacy.
So, as a post in Practical Law noted in October, what exists now is a “patchwork system of federal and state laws and regulations that can sometimes overlap, dovetail and contradict one another.”
And that means most oversight and enforcement is getting done by agencies. The Federal Trade Commission (FTC) has been at it for a number of years, and as a recent post in Lawfare noted, the Securities and Exchange Commission (SEC) intends to get more aggressive about it in the financial sector.
The Lawfare post cited a declaration from SEC Chairman Jay Clayton in September 2017 that “the Commission is focused on identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively and effectively engaged in this effort and are appropriately informing investors and other market participants of these risks.”
Yes, there are legislative efforts in the works. Sen. Ron Wyden, D-Ore., released a “discussion draft” last month of what he titled the Consumer Data Protection Act (CDPA) of 2018 that, at least in its present form, would impose harsh financial penalties and possibly even jail sentences on executives of firms that fail to protect their customers’ privacy and data.
But a final draft won’t appear for months, and who knows what form will ever come to a vote? So, again, any sanctions for cyber failures are coming from federal agencies. For years, the FTC has brought dozens of suits against hotel chains, router vendors, the makers of Internet of Things (IoT) devices, and others, citing failures to provide consumers a reasonable level of security as “unfair and deceptive acts.”
While most of those suits have been resolved with consent agreements that didn’t involve fines or liability, they have established FTC authority and oversight.
Gary McGraw, vice president of security technology at Synopsys, wrote in 2015 that the FTC’s 170 settlement agreements since 1997 “are functionally equivalent to a body of common law … [and] about as close to ‘rules’ as you might want.”
That looks to be the direction the SEC is headed as well. On its website, the agency lists 60 cyber enforcement actions it has taken going back to 2012. They include 27 involving digital assets or ICOs (initial coin offerings), 3 for account intrusions, 4 for hacking or insider trading, 5 for market manipulation, 3 for failure to safeguard customer information, 2 involving public company disclosure and controls, and 17 involving trading suspensions.
As Lawfare noted, the SEC has brought several actions since 2015 for violations of its Regulation S-P, which requires firms to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
In one of those cases, in 2016 against Morgan Stanley Smith Barney, the company agreed to a $1 million penalty for a hack that led to the exposure of 730,000 accounts.
Of course, that hardly counts as a rounding error for a company with revenue of $38 billion and net income of $6.22 billion in 2017. Even using net income for comparison, that’s like somebody making $100,000 paying a $15 fine—not nearly enough to prompt any major behavior change.
More recently, on Nov. 16, the agency announced “settled charges against two companies that sold digital tokens in initial coin offerings (ICOs).” The two companies—CarrierEQ, Inc. (Airfox) and Paragon Coin, Inc.—were charged with registration violations.
An SEC press release said the companies agreed to “return funds to harmed investors, register the tokens as securities, file periodic reports with the Commission, and pay penalties” of $250,000 each.
Airfox had raised $15 million and Paragon $12 million. So those fines, while proportionately more severe, still amount to a range of 1.6%–2% of the money raised.
And then, driving home the point that SEC cyber enforcement is serious business, there was the Nov. 29 announcement that the agency had ensnared a couple of celebrities—pro boxer Floyd Mayweather Jr. and music producer Khaled Khaled (better known as DJ Khaled)—for failing to disclose payments they received for promoting investments in ICOs.
Mayweather agreed to pay $300,000 in “disgorgement” (forfeiting profits obtained by illegal or unethical acts), plus a $300,000 penalty and $14,775 in prejudgment interest. Khaled agreed to pay $50,000 in disgorgement, a $100,000 penalty, and $2,725 in prejudgment interest.
That’s a lot of money for most people. But with Mayweather worth an estimated $700 million to $1 billion and Khaled at least $35 million, it’s once again barely a rounding error on their bank accounts.
As Morey Haber, CTO of BeyondTrust, observed, “The U.S. government is far too lenient in holding organizations accountable for a cyber security breach.”
But he also noted the reality that even when a company does invest in rigorous security, “if threat actors want to find a way into an organization physically or electronically, with time, patience, money, and knowledge, they will eventually be successful.”
The persistence of threat actors creates what Haber called a “conundrum” to craft laws or regulations that strike the right balance between holding companies accountable and showing some restraint for those that make “best efforts” to prevent breaches.
There are multiple standards and best practices available to serve as models for legislation. Haber cited NIST (National Institute of Standards and Technology) SP 800-53 as one that “could apply to anyone”—but added that it is not financially feasible for any organization to implement it 100%.
Besides that, different companies and industries have different risk profiles, infrastructure, and threat levels, so the definition of “best effort” in cyber security can vary widely.
“This is where the federal government has fallen short itself,” Haber said. “A simple reconciliation of best practices, guidance, and ramifications is obtainable by the federal government. This would solve the leniency problem and provide prescriptive guidance, with associated penalties, for anything not in compliance.”
And while it is impossible to be bulletproof, it is possible to practice what most experts call basic security hygiene.
One example, Haber said, is the IoT cyber security law recently passed in California that restricts the sale of devices that have poor password management. He added that “having legal warranties for the life expectancy of a device, service level agreements for security updates, etc. would mitigate many of the incidents seen worldwide based on basic hygiene that many vendors fail to do on a regular basis.”
For now, SEC cyber enforcement actions are at least getting noticed in the financial industry. The agency issued a report in October calling for better security for internal accounting controls, citing nine public companies that collectively lost $100 million to cyber fraud, wiring money to hackers impersonating executives or third-party vendors. One firm made 14 payments that totaled more than $45 million.
The SEC didn’t name the firms, nor did it take any action against them. But the report prompted a warning memo from the global law firm Davis Polk that a company that fell victim to a cyber attack “could later find itself in the SEC’s crosshairs.”