SEC's Cyber Breach Report Too Little, Too Late, Experts Say
September 22, 2017 at 03:40 PM
The original version of this story was published on Law.com
The hacking of company information at the U.S. Securities and Exchange Commission is a matter of significant concern to financial markets, was badly underplayed in the SEC's announcement, and has been inadequately explained to companies and investors, several experts told Corporate Counsel Thursday.
“What a doozy! And they buried it in their statement,” complained Amar Sarwal, vice president and chief legal strategist of the Association of Corporate Counsel in Washington, D.C. The SEC issued a statement in the format of an overview of the agency's policies and procedures, with the hacking disclosure buried deep inside it, failing to give it “the attention that it deserves,” he said.
The SEC also issued a press release Wednesday that discussed various aspects of the statement, including, in the second paragraph, the hacking incident.
Sarwal also criticized the lack of information the SEC made available. He said general counsel and their companies “deserve to have a better understanding of what kind of information was put at risk, and how it can affect their share price and liabilities.”
So far the SEC has said only that nonpublic information in its electronic EDGAR system, where companies file both public and nonpublic data, was hacked and possibly used for illegal stock trading purposes.
The announcement from chairman Jay Clayton explained that the agency collects and stores nonpublic information “related to our supervisory and enforcement functions.” He added that this data “relates to the operations of issuers, broker-dealers, investment advisers, investment companies, self-regulatory organizations (SROs), alternative trading systems (ATSs), clearing agencies, credit rating agencies, municipal advisers and other market participants.”
The hack was discovered in 2016, and the possible illegal trades were detected in August of this year, according to Clayton. The SEC is coordinating “with appropriate authorities” as the investigation continues, he added.
“We recognize that cybersecurity is an evolving landscape, and we are constantly learning,” Clayton said. “To aid in this effort, and notwithstanding limitations on our hiring generally, we expect to hire additional expertise in this area.”
But that didn't mollify Sarwal. In the private sector, he said, “you feel the regulatory and prosecutorial pressure intensely on cyber issues, with people not only being held liable but also losing their jobs, like the general counsel at Yahoo and the chief security officer at Equifax [both companies recently dealt with major breaches]. The regulators need to take a little bit less of a punitive approach over cyber breaches. We're all in this together.”
Matthew Rossi, a former assistant chief litigation counsel at the SEC and now co-leader of Mayer Brown's securities litigation and enforcement practice, said some of the criticisms are valid. “It was hardly a disclosure that was given a high profile on the SEC website, and you had to read into a lengthy statement from the chairman to get to it,” Rossi said.
On the plus side, Rossi noted, the agency did detect the breach, patched the problem and made a disclosure, as it would demand of any company. But many questions remain for the SEC.
Rossi asked: Why did they take so long to disclose a breach discovered in 2016? How long did it exist before they discovered it? And with all their investigative resources, why didn't they detect the illegal trading much earlier?
“They [SEC] have been pushing investment advisers and broker-dealers to adopt and implement more stringent cybersecurity procedures and to make more disclosures,” Rossi said. He suggested the SEC regulation might be seen as “do as we say and not as we do.”
And more questions arose Thursday after Reuters reported that the U.S. Department of Homeland Security detected five “critical” cybersecurity weaknesses on the SEC's computers as of Jan. 23. Reuters got this information from a confidential weekly report reviewed by journalists.
Sarwal at the ACC was more blunt in his evaluation of the commission, saying: “They need to practice what they preach.”
Marcus Christian, a colleague of Rossi's at Mayer Brown, said the SEC may later release information to show whether or not it practices what it preaches. Christian, a former federal prosecutor, is a partner in the law firm's cybersecurity and data privacy and national security practices.
Both he and Rossi urged general counsel to use the incident to underscore the vulnerabilities and cyber risks that exist throughout the global financial system.
“Seeing an attack that hits at the mother ship, so to speak, of financial information, should make us look at how widespread this is,” Christian said. “Our greatest concern should be for systemic risk on the markets.”
For general counsel, he said, “It boils down to being less important to find out how this incident is affecting them than to use this example to make sure their own systems and procedures are in order.”
Sue Reisinger can be contacted at [email protected].