Categories & Search

Search Results

409 results found for: sec

Cyber Lessons From the SEC?

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchanges Commission on the use of automated technology to detect investment advisor fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?

Go

SEC Cyber Briefing: Investigation into Wire Fraud and a Look at 2019 Regulatory Initiatives

Wire fraud committed by cybercriminals is not a new phenomenon. The FBI and other government agencies have regularly warned against wire fraud scams—called “business email compromises” or BECs—where criminals pose as vendors or company executives and use email to dupe company insiders into wiring money into bank accounts controlled by the perpetrators. And in some instances, the amounts involved are staggering.

Go

The SEC Issues Observations on Cybersecurity and Resiliency Measures

Last week, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) issued a list of recommendations for institutions to enhance their cybersecurity preparedness and operational resiliency.  These observations – based upon the examination of thousands of SEC registrants – serve as a lens into the likely subjects of future SEC examinations.

Go

Does Yahoo’s SEC Cyber Disclosure Settlement Set Enforcement Bar?

The U.S. Securities and Exchange Commission’s $35 million settlement announced this week over the Yahoo! data breach provides an object lesson in the consequences of failing to publicly disclose a major cyber-attack.

The nation’s top securities regulator imposed the fine on Altaba Inc. — formerly Yahoo! — for not disclosing in a timely manner one of the largest reported hacks in U.S. history, the first action by the Commission for a cybersecurity disclosure violation.  Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.

Go

SEC Fines Mizuho for Failing to Protect Customer Data

It is not enough for companies to establish policies and procedures designed to prevent the misuse of material nonpublic information. Companies must also enforce those policies and procedures.

That’s the lesson from the U.S. Securities and Exchange Commission's recent settlement with Mizuho Securities USA LLC (“Mizuho”), a broker-dealer, for the firm’s failure to safeguard customer information.

Go

SEC Watch: “Observations” from SEC’s Cybersecurity 2 Initiative

Last week, the U.S. Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) released its “Observations from Cybersecurity Examinations” conducted pursuant to OCIE’s “Cybersecurity 2 Initiative.”  A copy of the summary is available here.  This is a follow-on to an earlier series of examinations (the “Cybersecurity 1 Initiative”) conducted in 2014.

Go

SEC Warns of Ransomware Attacks

The U.S. Securities and Exchange Commission is asking broker-dealers, investment advisers and funds to redouble their cybersecurity efforts in wake of the global cyber-attack of the WannaCry virus that has spread to more than 150 countries, disrupting critical sectors of the world economy – from transportations systems to healthcare.

Go

An Old Hack Comes Back to Haunt (Newly-Public) Slack

Last Thursday, Slack Technologies, Inc. (Slack) announced that it would reset passwords for a number of accounts compromised by a security breach that occurred more than four years ago, in March 2015. Slack—a fast-growing messaging service that launched in 2014 and went public last month—provided little explanation for its delay in action and minimized the scope of the incident, claiming that it only affected a small percentage of current Slack users. The narrow scope and timing of Slack’s disclosure raise interesting questions about the heightened scrutiny public companies now face when dealing with cybersecurity incidents.

Go

Texting Clients and Using Social Media? SEC Issues Compliance Reminder to Investment Advisers

Investment advisers may want to think twice before texting clients any advice in the New Year.

In a recently issued Risk Alert, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) reminded investment advisers of their obligations under the Investment Advisers Act of 1940 (Advisers Act) when they or their personnel use electronic messaging for business-related communications.

Go

SEC’s Proposed Revisions to Regulation S-K Will Minimally Impact Cybersecurity Disclosure Requirements

It has been thirty years since the Securities and Exchange Commission (the “SEC”) significantly revised Regulation S-K, which sets forth reporting requirements for public companies. The SEC is now taking a fresh look at the rules, proposing for public comment amendments to modernize the description of business, legal proceedings, and risk factor disclosures that public companies must make. This represents a good opportunity to revisit key disclosure requirements—including Items 503(c) (now Item 105), 101, and 103—that are the subject of the revised guidance and that potentially impact reporting obligations associated with cybersecurity.

Go

SEC Steps Up Enforcement on Registered Investment Advisers

On September 22, the Securities and Exchange Commission (SEC) announced that it had entered into a settlement order with R.T. Jones Capital Equities Management, Inc., a St. Louis-based registered investment adviser, over the firm’s failure to establish cybersecurity policies and procedures.  This investigation and settlement are the latest in the Commission’s ongoing efforts to regulate cybersecurity for investment advisers.    

Go

SEC Fines Morgan Stanley For Failure to Safeguard Customer Data

Morgan Stanley Smith Barney LLC has agreed to pay $1 million to settle U.S. Securities and Exchange Commission charges that it failed to protect customer information.  In an Order issued today, Morgan Stanley agreed to settle charges – without admitting or denying them – that a former employee accessed and transferred data regarding 73,000 accounts to his personal server.  The SEC Order states that the former employee’s server was hacked by a third-party and that some of the customer information was offered for sale online. 

Go

PayPal Shareholders’ Data Breach Stock-Drop Suit Dismissed

Among other things, 2018 was the year of the shareholder data breach stock-drop lawsuit. As we’ve previously reported, it was the year that shareholders began routinely suing companies after an announcement of a data breach, seeking damages for a hit to the company’s stock price. 

Go

SEC Chair Warns: Cyber Biggest Threat to Global Financial System

The chair of the U.S. Securities and Exchange Commission warned that cybersecurity is the biggest risk facing our financial system today.  At an industry conference yesterday, SEC Chair Mary Jo White said that major exchanges, clearing houses and other players in the financial system did not have cyber defenses in place that aligned with the risks they faced.

Go

Former Equifax Exec Charged with Insider Trading: Underscores Need for Trading Halt Plans

The Equifax hack has taken another twist – one that raises questions that every public company should consider.

Last week, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before the massive Equifax breach went public. He also faces civil charges filed by the U.S. Security and Exchange Commission (SEC).

Go

Yet Another Proposal to Require Disclosure of Board’s Cyber Expertise

Before investing in a company, would you want to know whether the board of directors had cybersecurity expertise?

A bipartisan group of senators have proposed a bill, Senate Bill 592, that would require every public company to disclose the cybersecurity background of its directors, and, if none exists, explain why the company doesn’t believe it is necessary.

Go

For $80 Million, Yahoo! Settles Shareholder Class Action Claiming Stock Price Losses from Data Breaches

It’s become almost routine. A public company suffers a data breach at the hands of hackers, its stock price slides and the securities fraud class action lawsuits pile on.

As we recently reported, it’s a new trend in securities fraud class actions. Shareholders claim that public companies have improperly inflated their stock value either by failing to timely disclose data security incidents or latent vulnerabilities that rendered the company’s systems susceptible to a cyberattack.

Go

D.C. Circuit Breathes New Life into OPM Data Breach Litigation

The U.S. Office of Personnel Management (“OPM”) made headlines when several hacks of confidential data came to light in 2015, intrusions that compromised the personal data of over 20 million individuals. On July 21, 2019, in AFGE v. OPM (In re United States OPM Data Sec. Breach Litig.), Nos. 17-5217, 17-5232, 2019 U.S. App. LEXIS 18609 (D.C. Cir. June 21, 2019), a divided panel of the United States Court of Appeals for the D.C. Circuit breathed new life into litigation stemming from those breaches and injected yet another piece into the growing puzzle surrounding constitutional standing in breach litigation. The case had previously been dismissed after a district court held that the plaintiffs lacked standing based on their failure to allege concrete injuries. In a divided opinion, the D.C. Circuit panel reversed, holding that the plaintiffs’ allegations of potential future harm were sufficient for the case to move forward.

Go

New York DFS Proposals Focus on Third-Party Vendor Risk

Earlier this month, the New York State Department of Financial Services (“DFS”) announced that it will propose new cybersecurity regulations for financial institutions.  The DFS made the announcement in a letter to the Financial and Banking Information Infrastructure Committee — an eighteen member organization headed by the Treasury Department that has already begun tackling cybersecurity issues.  

Go

The CFTC Proposes Enhanced Cybersecurity Testing Rules

On February 22, 2016, the Commodity Futures Trading Commission (“CFTC”) closed the public comment period on its recently proposed enhanced cybersecurity rules for derivatives clearing house organizations, trading platforms, designated contract markets, and swap data repositories.

Go

Managing Cybersecurity Risk for Nonprofit Organizations: A Fiduciary Duty?

We live in an era of increasingly prevalent cybercrime, and nonprofits are in the crosshairs.  Harvard University, Penn State University and two BlueCross BlueShield entities are just a few nonprofit organizations that reported cyberattacks in 2015, breaches to their data security systems ultimately compromising thousands of personal, confidential and proprietary records.

Go

Bennek v. Home Depot and the future of Cybersecurity-related Derivative Suits

On September 2, 2015, a Home Depot shareholder sued Home Depot and twelve of its officers and directors, claiming that the Company and the directors and officers knowingly failed to ensure that Home Depot reasonably protected its customers’ personal and financial information.

Go

SEC’s New Cybersecurity Guidance Sets Regulatory Expectations for Investment Advisers and Broker Dealers

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently issued a Risk Alert announcing the second round of examinations under its cybersecurity examination initiative.  The Risk Alert details areas of focus for the next wave of examinations of investment advisers and registered broker-dealers.  In 2014, OCIE launched its cybersecurity exam initiative to better understand the cybersecurity practices in the securities industry.  The findings were released in February 2015 in OCIE’s Cybersecurity Examination Sweep Summary.

Go

Re-Thinking “Substantial Injury”: The FTC’s Potential New Need for Victims

Last month, the Federal Trade Commission’s Chief Administrative Law Judge dismissed the Commission’s long-running data security case against LabMD because it failed to prove that there was an actual or reasonably imminent threat of injury to consumers.  In the matter of LabMD, Dkt. No. 9357, Initial Decision (Nov. 13, 2015).  The issue of consumer “injury” has loomed large in the world of data privacy litigation since private plaintiffs began bringing class action lawsuits arising from data breaches.  Whether those cases are brought by individuals in their own name or on behalf of a putative class, courts have struggled with the question of what constitutes injury sufficient to successfully prosecute a claim. 

Go

Beeple, Top Shots, and the Blockchain of Collectibles: Securing the Value of an Original Digital Asset

A cryptocurrency entrepreneur recently paid $69.3 million for Beeple’s Everydays: The First 5,000 Days at a Christie’s auction.  That record-breaking price purchased a work of art that can be seen only on a computer and the image of which, in large part, is available for use and enjoyment by anyone with an internet connection because the work is a non-fungible token, or NFT.  NFTs have quickly caught the attention of the art world and beyond, touching the mainstream with the NBA Top Shot craze and its $250 million plus marketplace for visual highlights of NBA games.  The company behind NBA Top Shot, Dapper Labs, recently raised $250 million at a $2 billion valuation.  And the larger market for NFTs has grown from $42 million in 2017 to $338 million by the end of 2020.  But for intangible assets whose value is largely driven by the creation of an original work only in cyberspace, owners and investors need to think carefully about what they own and how to protect their digital acquisitions.

Go

Second Circuit Affirms Dismissal of Class Action Based on Claimed “Increased Risk” of Harm

Is there standing to bring a lawsuit when an employee’s personal information is mistakenly circulated to all employees at the company?  A recent decision addressed exactly this question. In McMorris v. Carlos Lopez & Assocs.LLC, No. 19-4310, 2021 WL 1603808 (2d Cir. Apr. 26, 2021), the Second Circuit affirmed the district court in finding that the harm plaintiffs alleged (an increased risk of identity theft) was too speculative and remote to satisfy the injury-in-fact requirement of Article III standing.  However, the court did not completely shut the door on this theory of harm, holding that an “increased risk” of identity theft could, under certain circumstances, qualify as an injury-in-fact for purposes of Article III standing. In doing so, the Second Circuit aligned with a number of its sister circuits which had previously recognized the potential validity of this approach.

Go

Another Hack in the Education Sector: 40 Million Records Exposed

A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.

Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for chegg.com.”

Go

COVID-19 Cybersecurity Threats Spiral as Businesses Implement Prophylactic Security Measures

As businesses increasingly shift to remote working environments, the COVID-19 public health pandemic presents new cybersecurity challenges each day.  As we discussed in our earlier post, hackers are actively targeting companies’ cloud-based remote connectivity, lack of multi-factor authentication, and potentially insecure digital infrastructure to exploit lax cyber-hygiene.  As companies struggle to maintain business continuity, the need for robust cyber security measures is more pressing than ever.

Go

A (Secondary) Education in Data Security

On January 18, 2018, the New York State Education Department (“NYSED”) announced that one of its vendors, Questar Assessment, experienced a data breach resulting in the unauthorized disclosure of personal information from students in five different New York schools. While the data breach reportedly affected only a small number of students that had registered for online testing in spring 2017, it nonetheless exposed sensitive personally identifiable information from those students.  And despite its narrow scope, this breach potentially threatens public (and parent) confidence in the security of sensitive student information at a time when New York schools are moving more and more of their activities online.

Go

New York DFS Announces Settlement With Insurance Company Under Cybersecurity Regulation

On April 14, 2021, the New York Department of Financial Services (“DFS”) announced a cybersecurity settlement with insurance company National Securities Corporation, which suffered four separate breaches, two of which went unreported in violation of 23 NYCRR § 500.17(a). The settlement not only includes a monetary penalty but also mandates increased training and implementation of security tools, and underscores the urgency of addressing cybersecurity threats and DFS’s increasing enforcement activity for non-compliance with its cyber regulations.

Go

Capital One to Pay $80 Million Fine for 2019 Data Security Hack

As we previously reported, Capital One Financial Corporation announced in July 2019 a major data security breach when an individual gained unauthorized access to personal information about Capital One credit card customers.  According to the Office of the Comptroller of the Currency (“OCC”), which regulates large U.S. banks, Capital One has now agreed to pay an $80 million fine to resolve claims related to the incident.

Go

Biden Administration Sets Sights on Cybersecurity with Executive Order

The Biden Administration is zeroing in on cybersecurity.  In the wake of a high-profile wave of cyberattacks, including the SolarWinds supply chain attack and the more recent Colonial Pipeline ransomware attack, President Biden has issued an Executive Order (“EO”) designed to strengthen the federal government’s cybersecurity defenses.  And for good reason.  The SolarWinds supply chain attack in particular raises significant national security concerns, as hackers were able to access several federal agencies, including the United States Departments of Homeland Security, Defense, State, Treasury, and Commerce’s National Telecommunications and Information Administration.  Issued on May 12, 2021, the EO seeks to prevent similar cyber-attacks by directing federal agencies to make a series of changes in how they approach cybersecurity.  While the EO is necessarily limited in what it can do—it cannot, for example, make more sweeping reforms such as amending the woefully outdated Computer Fraud and Abuse Act used to prosecute hackers—it is a significant step.  Here are the main highlights.

Go

LabMD Wins Long-Running Data Security Case Against FTC

In a closely watched test of the Federal Trade Commission’s authority as a data security regulator, the U.S. Court of Appeals for the Eleventh Circuit late yesterday sided with LabMD and threw out the agency’s long-running case against the defunct cancer testing lab, finding the agency’s use of a vague and broad-brush consent decree was unenforceable.

Go

Cyber Risk and COVID-19: Practical Guidance for Secure Remote Working

In recent years, cyber-attacks have continued to increase in number and scope, with businesses facing ever-growing threats from ransomware, distributed denial-of-service attacks, and phishing schemes.  Ransomware attacks alone saw a 41 percent increase in 2019 from 2018, with more than 200,000 organizations and city governments suffering attacks.  Today, all eyes are on the spread of COVID-19, both in the U.S. and globally.  Unfortunately, as the world focuses on public health and economic uncertainty, cyber criminals see opportunities for exploitation. 

Go