SEC Cyber Briefing: Enforcement Expectations for 2019
In our second installment of a three-part series, we look at the U.S. Securities and Exchange Commission’s cyber-related enforcement actions in 2018.
It’s been a busy year for the Cyber Unit at the Securities and Exchange Commission. During 2018, the SEC brought 20 stand-alone cases related to cybersecurity, and has 225 cyber-related investigations that it deems “ongoing.” That’s according to the enforcement division’s 2018 Annual Report.
In several cases, the enforcement actions were first-of-their-kind. In April 2018, the agency filed its first enforcement action against a public company for failing to promptly tell investors of a major cyber-attack. And in another first, the agency used a long dormant identity theft regulation and enforced it against an investment adviser when a cyber-attack compromised investment information for thousands of customers. The agency pursued other cases as well – from insider trading based on impending news of a major cyber-attack to the flawed use of automated technology to guard against fraud.
Here is a brief look at the agency’s more notable enforcement actions during the past year.
Yahoo!’s Tardy Disclosure
The SEC’s $35 million settlement over the Yahoo! data breach provides an object lesson in the consequences of failing to promptly disclose a major cyber-attack.
In its first action based on a cybersecurity disclosure violation, the SEC fined Altaba Inc. – formerly Yahoo! – for not disclosing in a timely manner one of the largest reported hacks in U.S. history. Yahoo! was charged with misleading investors by waiting for almost two years to disclose the fact that hackers associated with the Russian Federation stole the personal information of hundreds of millions of Yahoo! users.
Yahoo has acknowledged that the 2014 hacking and a separate incident in 2013 affected 3 billion user accounts.
The complaint charges the company with acting “negligently” in not informing investors earlier of the hack and for filing materially misleading reports with the Commission. The settlement does not rule out further enforcement proceedings.
Yahoo’s senior managers and internal legal team were told about the breach but they failed to fully investigate it, the SEC alleged.
“By December 2014, Yahoo’s information security team had determined that hackers had stolen copies of Yahoo’s user data base files … and likely even Yahoo’s entire user database of billions of users,” said the SEC complaint. “Within days after Yahoo’s information security team reached these conclusions, members of Yahoo’s senior management and legal teams received various internal reports…stating that the theft of hundreds of millions of Yahoo users’ personal information had occurred.”
“Yahoo’s senior management and legal teams did not share the information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings,” according to the SEC complaint.
It was not until September 2016 that Yahoo publicly disclosed the breach, shortly before closing the sale of its Internet operating unit to Verizon Communications Inc. The day the hack was announced, Yahoo’s stock fell 3 percent. The tardy disclosure also reduced Verizon’s acquisition cost by $350 million or 7.25 percent.
Identity Theft Rule
In another first, the SEC dusted off its “Identity Theft Red Flags Rule” to censure Voya Financial Advisors, an Iowa-based investment adviser, for allowing hackers to access Social Security Numbers, account balances and even details of client investment accounts.
The SEC adopted the red flags rule five years ago but, until this year, had never enforced it or punished a firm for ignoring it.
The Identity Theft Red Flags Rule – called “Regulation S-ID” – requires designated financial firms to develop and implement a written identity theft prevention program “designed to detect, prevent, and mitigate identity theft” for investment accounts. The rule also requires board oversight of the identity theft program.
During a six-day period in 2016, the SEC charged, cybercriminals called Voya’s helpline impersonating the firm’s independent investment representatives – who make up the largest segment of its workforce. Even though some of the telephone numbers used by the hackers had been flagged in Voya’s system for possible fraud, the callers were able to convince Voya’s helpline to reset their passwords and provide new passwords over the phone.
The intruders used the new passwords to gain access to customer information and to create new online customer profiles and identities, according to the agency.
The hackers were also able to change customer phone numbers and addresses, which meant account statements and confirmations would be re-routed to the hackers without so much as triggering a fraud alert. In several instances, the SEC said, hackers used “@yopmail.com,” a disposable email service that allows users to create an email address, review incoming emails and then destroy everything.
In all, the SEC charged, 5,600 client accounts were compromised.
Voya had an identity theft program in place for nearly a decade, but it had languished in recent years. The program fell far below the requirements of the rule. It also was not approved by the firm’s board or senior leaders, as is required, and was ignored by Voya’s security team. “VFA’s [Voya Financial Advisors] board of directors or a designated member of VFA’s management did not administer and oversee the Identity Theft Prevention Program, as required by the Identity Theft Red Flags Rule,” charged the SEC. The agency deemed Voya’s violation of the Red Flags Rule to be “willful.”
Voya neither admitted nor denied the SEC’s charges.
In the settlement, Voya agreed to pay a $1 million penalty and to make a series of improvements to its data security environment including the retention of an independent consultant to review its policies and procedures for compliance with the Identity Theft Red Flags Rule.
Equifax & Insider Trading
The interplay between insider trading and data security was underscored by two cases brought in the aftermath of the Equifax Inc. data breach, which exposed the personal information of 150 million Americans.
In the first case, federal prosecutors charged Equifax’s former Chief Information Officer, Jun Ying, with insider trading for allegedly dumping nearly $1 million in stock before news of the Equifax breach went public. The government’s charges against Ying allege that he sent a text message to a colleague, saying that the hack “sounds bad.” Ying then allegedly searched the web to research how Experian’s 2015 breach impacted its stock price. Ying – it is alleged – exercised all of his available employee stock options and then sold his shares, netting nearly a million dollars in proceeds before the breach was disclosed in September 2017. The trade avoided more than $100,000 in losses, according to the SEC.
And in the second case, the agency charged a former Equifax manager with buying put options – a bet that the stock price would go down – before the breach was disclosed. The complaint alleged that Sudhakar Reddy Bonthu, an Equifax software engineer, used confidential information he learned while creating a website for consumers affected by the breach. The SEC charged that Bonthu’s purchase of put options netted him more than $75,000 in profits.
These two cases are unrelated to the concerns, raised shortly after the Equifax breach was disclosed, that top executives had sold $1.8 million in shares soon after suspicious activity was detected in late July 2017. Those executives were cleared by an internal investigation.
Mizuho’s Buy-Back Debacle
The SEC fined the U.S.-based securities trading unit of Mizuho Bank $1.25 million for its mishandling of confidential client information related to stock buyback programs. The agency charged that the bank shared confidential information with traders and hedge funds, in violation of the firm’s own policies.
Stock buybacks occur when a publicly traded company buys its shares back from its shareholders. While companies may publicly disclose some information about their buyback programs, they typically do not reveal the specific dates on which they intend to execute the buyback trades. Traders privy to this information can use it to take advantage of the buyback order by front-running the trades or putting on a hedge position prior to the buyback date.
Mizuho, however, failed to safeguard this material nonpublic information in buyback programs it executed. According to the SEC, Mizuho traders at the desk overseeing the buyback program, the International Sales Trading Desk, “routinely” passed buyback order information to traders at the separate U.S. Equity Trading Desk, which had no role in executing the buyback program. Also, on several occasions traders at the U.S. Equity Trading Desk shared the buyback order information with other external Mizuho clients, said the SEC.
As a result of these missteps, the SEC found that Mizuho had violated Section 15(g) of the Exchange Act, which requires registered broker-dealers to establish, maintain and enforce written policies and procedures to prevent the misuse of material nonpublic information. As punishment, the SEC imposed a cease-and-desist order prohibiting Mizuho from committing future violations of Section 15(g), issued the $1.25 million fine, and censured the company.
Mizuho did not admit to or deny any of the SEC’s findings.
Trusting Automated Technology
Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown on the use of automated technology to detect investment adviser fraud.
A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected.
In the Ameriprise case, the company used automated surveillance tools to prevent and detect employee fraud – much like internal monitoring is used to detect unusual activity within a company’s data security environment. But the technology was limited. Ameriprise’s fraud detection system suffered from a technical error that went undetected for several years. Because of the shortcoming, the SEC charged, insiders were able to “perpetrate a fraud” and siphon more than $1 million from client accounts.
And a second system – used to monitor cash disbursements from client accounts – suffered from design limitations and was unable to detect bogus fund transfers. “On multiple occasions,” according to the SEC, “Ameriprise did not detect the fraudulent transfer of funds from client accounts ….”
The SEC found that Ameriprise “lacked a reasonable mechanism to prevent and detect situations where a representative sought to misappropriate money from a client account” and imposed a $4.5 million civil penalty on the company for violations of the Investment Advisers Act of 1940. In the consent order, Ameriprise did not admit or deny wrongdoing.
In our third installment, we’ll discuss the SEC’s investigative report that warns public companies about the importance of effective internal controls to mitigate the risk of wire fraud. And we’ll wrap up our series by considering what these cases might foreshadow for the coming year.