SEC Turning The Screws On Cybersecurity

November 26, 2018

This post from the Lawfare blog looks at the history of the SEC’s involvement in cybersecurity, going back to 2011, when it issued early guidance. Since then, in the face of a largely ineffectual “patchwork system of federal and state laws,” the SEC has emerged as a major de facto U.S. regulator of cybersecurity. The latest iteration of that early guidance, which came out in February of this year, is the strongest statement yet. It has been followed by two major enforcement actions: one against Yahoo for failing to disclose a 500-million-account breach to anyone, including the SEC, for two years, and another against a financial firm for an egregious failure to maintain adequate cybersecurity. In October the SEC came out with a report that singled out nine public companies that had fallen victim to hackers who had impersonated either company executives or third-party vendors, and then conned those companies out of a total of $100 million. Although its trajectory has been toward stricter enforcement, the Commission has drawn criticism – including from two of its own commissioners – for not going far enough. It has also had to deal with its own security problems, notably a breach that occurred in 2016 but was not disclosed until months later, when it became apparent that enough company information may have been compromised to facilitate insider trading.
