There May Be ‘No Do-Overs,’ but SEC Hack Provides Important Security Lessons
Cybersecurity attorneys agree, the SEC hack provides a lesson to pay close attention to third-party partners and high-risk targets.Even the Securities…
September 25, 2017 at 06:47 PM
6 minute read
The original version of this story was published on Law.com
Cybersecurity attorneys agree, the SEC hack provides a lesson to pay close attention to third-party partners and high-risk targets.
Even the Securities and Exchange Commission (SEC) can get hacked – and the recently announced cyber-attack against the SEC is providing an important wake-up call for U.S. companies regulated by the powerful agency and the attorneys they work with.
|What We've Learned
Mauro Wolfe, a former federal prosecutor now working as an attorney at Duane Morris, noted there were some initial media reports suggesting that the SEC's impacted electronic system – known as EDGAR – the Electronic Data Gathering, Analysis, and Retrieval test filing system was perhaps “an old system.”
If that's true, it sends a reminder to companies that they need to check the cybersecurity on their own legacy systems, Wolfe said. The same is true of more up-to-date systems found in companies.
“I certainly think that every company should spend some time … analyzing their cybersecurity risk,” Wolfe said. “It should be done on a routine basis.”
Wolfe said special emphasis should be given to the “high-risk targets”—in another words, “the jewels.” Look at where these targets are stored and is the best method in place to protect them.
Similarly, Timothy Blank, an attorney at Dechert, sees the SEC incident as a reminder to businesses to “pay close attention to all software vendor or industry notices regarding vulnerabilities, and install patches immediately across [the] entire network. Criminals count on delayed implementation.”
“Also, assume that all or any of your stored data has value in the dark market—even data that is destined to become public in a matter of a few seconds or minutes,” he advised.
David Axelrod, a former SEC attorney now working at Ballard Spahr, said there are two important takeaways from the SEC hack. “First, no company or agency is hack-proof,” he said. “This incident shows that if a company does not think it's been hacked, they either don't know that they have been or it's only a matter of time.”
Second, this incident also shows that hackers are attacking “the gate-keepers,” he added. “They've attacked law firms and business wire firms, and now they have attacked the ultimate gate-keeper, the SEC. This incident shows that companies that are in the business of working with publicly-traded companies, such as law firms, accounting firms, consultant groups, must know they have a target on their backs.”
“Every public company has to assume that cyber criminals want their material non-public information,” Axelrod warned. “This means two things. First, it means that companies need to devote resources to sufficiently protect their data. Second, it means that companies need to be very careful about choosing third-parties to work with and share their data with.”
Marcus Christian, a former federal prosecutor who now is an attorney at Mayer Brown, added that when dealing with cybersecurity incidents, there are no do-overs.
“However, there is the ability to learn and improve from this incident and from others,” he explained. “Also, to the extent this incident exposes areas where the SEC and other governmental entities must improve their cybersecurity practices, some companies will be looking into ways that they can help bring about such changes.”
He identified “critical lessons” from this latest headline-grabbing breach. “First, cybersecurity is never finished. Yesterday's and today's improvements often become tomorrow's vulnerabilities,” Christian said. “Second, cybersecurity requires ongoing vigilance and vigor. Attackers don't take timeouts, and potential victims cannot afford to either. And third, America needs its government agencies that collect, store, and transfer sensitive information to exceed the standards they set for businesses and other nongovernmental organizations.”
|The SEC's Response
It was just a few days ago that SEC Chairman Jay Clayton announced the 2016 intrusion of EDGAR. Last month, the SEC learned that the 2016 incident may have provided the basis for illicit gain through trading, Clayton said.
“A software vulnerability in the test filing component of the … EDGAR system, which was patched promptly after discovery, was exploited and resulted in access to nonpublic information,” a statement from Clayton revealed. “It is believed the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the Commission, or result in systemic risk.”
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” Clayton said in the statement. “We must be vigilant. We also must recognize—in both the public and private sectors, including the SEC—that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
However, the SEC's response to the incident was seen by many as a double-standard for regulators versus when companies have breaches. “It goes without saying that many view the SEC's incident as evidence of a 'do as I say, not as I do' regulatory approach,” Christian said. “In the end, corporations will need to make sure that they incorporate cybersecurity … to their enterprise risk management programs and maintain the appropriate administrative, physical, and technical controls to meet their business needs as well as government requirements.”
But do not expect the government to take cybersecurity less seriously just because the SEC was hacked. “This hasn't changed—nor should it—commitment to robust cybersecurity programs tailored to the particular risks your company faces,” Blank said. “I don't think it would be prudent to expect the SEC or any other regulatory body to lighten up.”
Based on initial information, the SEC revealed that nonpublic information in its EDGAR system, where companies file both public and non-public data, was hacked and possibly used for illegal stock trading purposes, according to Corporate Counsel.
The SEC breach follows a 2015 breach at the Office of Personnel Management (OPM). That breach into the OPM impacted more than 21 million people.
“Other government agencies have been hacked, such as the Department of Justice and the Social Security Administration, so it's not as if this is the first time that this has occurred,” Axelrod noted. “What makes this incident so important is that the SEC has been leading the charge in emphasizing cybersecurity and recently announced that it was an agency priority. I think this incident will rightly cause the SEC to invest even more resources from a technological and human standpoint to ensure that public companies and the markets themselves are taking appropriate steps to protect their data.”
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Gibson Dunn Sued By Crypto Client After Lateral Hire Causes Conflict of Interest
- 2Trump's Solicitor General Expected to 'Flip' Prelogar's Positions at Supreme Court
- 3Pharmacy Lawyers See Promise in NY Regulator's Curbs on PBM Industry
- 4Outgoing USPTO Director Kathi Vidal: ‘We All Want the Country to Be in a Better Place’
- 5Supreme Court Will Review Constitutionality Of FCC's Universal Service Fund
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250