In 2021, the U.S. Security and Exchange Commission (SEC) continued to stake its claim as a lead regulator for cybersecurity. Going into 2022, we expect the SEC will continue to aggressively scrutinize and pursue enforcement actions related to cybersecurity disclosures by public companies and cybersecurity practices of SEC-regulated entities like broker-dealers and investment advisers.  Moreover, Chair Gensler has announced that the SEC is currently working on a proposal for clearer cybersecurity governance rules, including topics such as “cyber hygiene and incident reporting.”

In many cases, the alleged faults that the SEC has found in the cybersecurity disclosures and practices of these entities go beyond the requirements of any other state or federal cybersecurity regulations. By making itself a leader in its expectations from regulated businesses, the SEC may become the agency that sets industry standard guidance for cybersecurity risk through the SEC mandates formed during its investigations and enforcement actions.

Continuing a trend it started in with fines against Yahoo! in April 2018 and Facebook in July 2019, the SEC pursued enforcement actions and fines against public companies related to their disclosures of cybersecurity risks and events. In June 2021, the SEC settled with First American Financial Corporation for $487,616 over allegedly deficient disclosure controls. In August 2021, the SEC finalized a $1 million settlement with Pearson plc for allegations of misleading statements and omissions in public filings and media statements. The SEC also engaged in wide-spread probe following the SolarWinds incident, sending “voluntary requests” to public issuers to seek for victims of the breach that were not disclosed.

In the past year, the SEC also increased its regulation of entities that are directly subject to its regulatory remit—such as broker-dealers and investment advisers. In August 2021, the SEC announced settlements with eight registered brokers or advisers related to alleged failures in cybersecurity safeguards that resulted in the exposure of customer information. The SEC stated that “it is not enough to write a policy requiring security measures if those requirements are not implemented or are only partially implemented,” and reflected in the settlement orders a particular focus on the deployment of specific technical controls, including multi-factor authentication. The settlements alleged that each of the firms violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. While Regulation S-P does not list explicitly list required security measures, the SEC published cybersecurity and resiliency examination observations in January 2020, which provide insights into what the SEC believes are “best practices” for cybersecurity, including data mapping, vulnerability scans, log retention, data encryption, and multi-factor authentication.

In the final weeks of 2021, on December 17, the SEC also signaled its interest in stricter regulation of broader data and recordkeeping practices by levying a $200 million regulatory fine against JPMorgan Chase & Co for alleged failure to preserve business communications that employees were having on their personal devices. As part of the announcement of these fines, the SEC also announced that it will be launching investigations of record preservation practices at other financial firms and encouraged any firms that did not think that their record preservation practices were in compliance to contact them directly. We expect these investigations to continue into 2022 as part of the SEC’s expanded focus on data practices.

Earlier this year, Ropes and Gray partner Eva Carman sat down with Pete Driscoll, who was formerly the Director of the SEC’s Office of Compliance Inspections and Examinations (OCIE) and is currently a partner at PwC, to discuss what else we can expect from the SEC in the coming year. They noted that the current SEC administration will increasingly engage in more aggressive data and cybersecurity programming and highlighted the importance of internal policies and gatekeepers.

Ms. Carman and Mr. Driscoll explained what companies should be aware of during a SEC cybersecurity examination. The exam looks at technical controls, such as multi-factor authentication and password complexity, to ensure resiliency and protection against ransomware events. The SEC is particularly concerned about the contagion potential of ransomware, which may cause widespread shutdowns in the financial industry as financial service firms often share data and files. In conducting their examinations, OCIE will look for five main types of controls—(i) safeguards for customer accounts, (ii) oversight of vendors and service providers, (iii) procedures to address malicious email activities, (iv) management of operational risks, and (v) disclosures of cyber incidents.

Every exam has a question on security breaches. If no breach has occurred, the exam moves on quickly. If the company has experienced a data breach, however, OCIE will have significant follow-up questions, and may even schedule an additional cyber exam. Organization that had mitigating policies in place before a breach, promptly discovered the attack, and issued the required disclosures will likely be viewed with more leniency during an exam.

The SEC exam will have new questions in 2022. Because of the COVID-19 pandemic, the exam now includes questions pertaining to how communications processes will evolve with greater numbers of employees working remotely. The SEC is also looking at how organizations are protecting their own information and business continuity plans. The SEC has increased its analysis of vendors and wire transfer service providers due to the uptick in fraudulent wire attacks. Ms. Carman and Mr. Driscoll believe the SEC may bring lawsuits against the individuals involved in such attacks to incentivize accountability.

Finally, Ms. Carman pointed out that companies should be on the look out for SEC regulations against alternative data in 2022. Alternative data is any data that does not come from traditional sources, such as data scraped from the web or derived from novel sources. This type of data becomes problematic when material non-public information is scraped for investment purposes. Regulating alternative data under SEC Rule 10b-5 is difficult because individuals who trade on material non-public information obtained through scraping often do not qualify as insiders. For the past few years, the SEC set the stage to support a case for outsider trading, which supplants the concept of a duty that is incurred when information is obtained through deception, including intentional scraping or unintentional purchasing of material non-public information form a third-party vendor. We will continue to monitor for these developments.

As the SEC takes an increasingly forceful approach towards cybersecurity, companies should ensure that their executives and their board are informed about cybersecurity issues, ensure governance of cyber risk through assignment of responsibility, reporting and accountability, and establish robust internal technical control and policies.