
Cyber Lessons From the SEC?

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchange Commission on the use of automated technology to detect investment adviser fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?


SEC Cyber Briefing: Investigation into Wire Fraud and a Look at 2019 Regulatory Initiatives

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.


The SEC Issues Observations on Cybersecurity and Resiliency Measures

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency.  These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.


Does Yahoo’s SEC Cyber Disclosure Settlement Set Enforcement Bar?

The U.S. Securities and Exchange Commission’s $35 million settlement announced this week over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.

The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation.  Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.


SEC Fines Mizuho for Failing to Protect Customer Data

It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.


SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative

Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.”  A copy of the summary is available here.  This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.


SEC Warns of Ransomware Attacks

The U.S. Securities and Exchange Commission is asking broker-dealers, investment advisers and funds to redouble their cybersecurity efforts in the wake of the global cyber-attack of the WannaCry virus that has spread to more than 150 countries, disrupting critical sectors of the world economy – from transportation systems to healthcare.


An Old Hack Comes Back to Haunt (Newly-Public) Slack

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.


Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.


SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.


SEC Steps Up Enforcement on Registered Investment Advisers

On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based registered investment adviser, over the firm’s failure to establish cybersecurity policies and procedures.  This investigation and settlement are the latest in the Commission’s ongoing efforts to regulate cybersecurity for investment advisers.    


PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price. 


SEC Fines Morgan Stanley For Failure to Safeguard Customer Data

Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle U.S. Securities and Exchange Commission charges that it failed to protect customer information.  In an Order issued today, Morgan Stanley agreed to settle charges – without admitting or denying them – that a former employee accessed and transferred data regarding 73,000 accounts to his personal server.  The SEC Order states that the former employee’s server was hacked by a third-party and that some of the customer information was offered for sale online. 


SEC Chair Warns: Cyber Biggest Threat to Global Financial System

The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today.  At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.


Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Securities and Exchange Commission (SEC).


Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators has proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors and, if none exists, explain why the company doesn’t believe it is necessary.


For $80 Million, Yahoo! Settles Shareholder Class Action Claiming Stock Price Losses from Data Breaches

It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.

As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.


D.C. Circuit Breathes New Life into OPM Data Breach Litigation

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.


New York DFS Proposals Focus on Third-Party Vendor Risk

Earlier this month, the New York State Department of Financial Services (“DFS”) announced that it will propose new cybersecurity regulations for financial institutions.  The DFS made the announcement in a letter to the Financial and Banking Information Infrastructure Committee — an eighteen member organization headed by the Treasury Department that has already begun tackling cybersecurity issues.  


The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.


Managing Cybersecurity Risk for Nonprofit Organizations: A Fiduciary Duty?

We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs.  Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.


Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits

On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.


SEC’s New Cybersecurity Guidance Sets Regulatory Expectations for Investment Advisers and Broker Dealers

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert announcing the second round of examinations under its cybersecurity examination initiative.  The Risk Alert details areas of focus for the next wave of examinations of investment advisers and registered broker-dealers.  In 2014, OCIE launched its cybersecurity exam initiative to better understand the cybersecurity practices in the securities industry.  The findings were released in February 2015 in OCIE’s Cybersecurity Examination Sweep Summary.


Re-Thinking “Substantial Injury”: The FTC’s Potential New Need for Victims

Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers.  In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015).  The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches.  Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim. 


Another Hack in the Education Sector: 40 Million Records Exposed

A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.

Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for”


COVID-19 Cybersecurity Threats Spiral as Businesses Implement Prophylactic Security Measures

As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day.  As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene.  As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.


A (Secondary) Education in Data Security

On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students.  And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.


LabMD Wins Long-Running Data Security Case Against FTC

In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.


Cyber Risk and COVID-19: Practical Guidance for Secure Remote Working

In recent years, cyber-attacks have continued to increase in number and scope, with businesses facing ever-growing threats from ransomware, distributed denial-of-service attacks, and phishing schemes.  Ransomware attacks alone saw a 41 percent increase in 2019 from 2018, with more than 200,000 organizations and city governments suffering attacks.  Today, all eyes are on the spread of COVID-19, both in the U.S. and globally.  Unfortunately, as the world focuses on public health and economic uncertainty, cyber criminals see opportunities for exploitation. 


FTC Slaps Down ALJ’s Data Security Ruling in LabMD, Sets Broad Mandate for Protection of “Sensitive” Consumer Data

In a sweeping statement of its data security expectations for organizations that maintain consumer information, the Federal Trade Commission on Friday found that LabMD, the defunct medical testing lab, failed to employ adequate data security safeguards in violation of Section 5 of the FTC Act, even though there was no indication that any information had been misused or compromised.


Another State Data Security Law: Ohio Gets in on the Action

Starting today, Ohio businesses with written cybersecurity programs will be looking for a free pass if they are sued under state law over a data breach.

Ohio’s Data Protection Act (Senate Bill 220, Ohio Rev. Code § 1354.01, et seq.) goes into effect today, creating a safe harbor from tort liability for businesses that meet specific cybersecurity standards. The law won’t prevent litigation over a data breach, but provides an affirmative defense to companies hit with such claims if they have met the requirements of the new law. This includes adopting data security policies that conform to a number of existing industry standards including the NIST Cybersecurity Framework.


Long and Wyndham Road: The Federal Trade Commission Extends Section 5 Unfairness to Regulate Data Security

In a surprising development, Wyndham Worldwide Corporation settled a long-running dispute last week with the Federal Trade Commission that arose from three data breaches Wyndham suffered between 2008 and 2010.  After an investigation that required Wyndham to produce more than one million pages of information, the FTC filed suit against Wyndham in the District Court of New Jersey under, among other legal bases, the unfairness prong of Section 5 of the FTC Act.