- May 1, 2014
- Labaton Sucharow
In recent months, the Heartbleed bug and massive data breaches like those experienced by Target have drawn increased attention to cybersecurity, and the need to better protect the almost unfathomable amount of sensitive data stored electronically in the U.S.
Although the securities laws may not always immediately come to mind when considering such high-tech threats, cybersecurity has emerged as an important issue for investors and, in turn, the SEC.
How does cybersecurity become an SEC issue? The convergence between cybersecurity and securities fraud can happen in a number of ways. First, as SEC Chair Mary Jo White indicated in a recent speech, public companies have an obligation to disclose material risks to their business – including risks related to data security like hacking and identity theft. This disclosure obligation is critical, not only because it helps investors make informed decisions about whether to invest in companies that face cyber threats, but also because it can compel companies to improve their cybersecurity, so that they can reassure and attract investors. Public companies that sweep technology-related risks under the rug, on the other hand, might well face SEC enforcement actions.
Second, SEC rules require certain participants in the securities markets to establish data safeguards. For example, SEC Regulation S-ID “require(s) financial institutions and creditors to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts.” This regulation recognizes that lax data controls on the part of financial institutions and other businesses are often partially responsible for identity theft and similar crimes: these entities can no longer simply blame the hackers and absolve themselves of any accountability.
These are just a few of the ways that the SEC can and will play a role in protecting investors from technology-related dangers. The lesson for SEC-regulated companies is that it’s time to get serious about protecting customer data, and being forthright about potential risks. The lesson for potential whistleblowers is that if they observe wrongdoing related to cybersecurity, such as insufficient data controls, the reckless use of customer information or unreported hacking, they should not assume that these issues fall outside the scope of the SEC’s authority. Instead, cybersecurity is likely to become an increasing focus of SEC enforcement activity as technology continues to evolve in ways both good and bad.
By Jordan Thomas and Vanessa De Simone