U.S. Securities and Exchange Commission to crack down on cyber mishaps

For many years, the SEC (Securities and Exchange Commission) has been lenient on cyber threats. But that’s changing. Last fall, the Commission issued a report discussing its investigation of nine publicly held companies that were hit with cyber fraud. It also issued a financial organization with a large fine.

The report states: “In connection with the investigation, the Commission considered whether the issuers complied with the requirements of Sections 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 (“Exchange Act”).2 Those provisions require certain issuers to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed with, or that access to company assets is permitted only with, management’s general or specific authorization.3.”

The companies investigated were not fined, but they lost almost $100 million through cyber scams caused by spoof emails. 

SEC fines

Last September, the SEC fined broker-dealer and investment adviser VFA (Voya Financial Advisors Inc.) $1 million for failing to put in place adequate cybersecurity controls.  

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, co-director of the SEC Enforcement Division. “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

Both the report and VFA’s fine signal that the SEC is going to step up enforcement.

Register for our webinar

On Thursday, January 24, 2019, 1:00 – 2:00 pm EST, we are hosting “How can an ISO 27001 compliant ISMS help publicly listed firms achieve SEC regulatory compliance”. 

This free webinar will cover how ISO 27001 can help publicly listed organizations ensure regulatory compliance with SEC regulations. It will offer practical advice on how to improve overall information security in line with new regulations, explain how a robust staff awareness program supports cyber resilience and legal compliance, and detail the benefits of an ISMS (information security management system).

Register here >>