SEC to re-work cyber-guidelines

Chris Hamblin

13 November 2017

The Wall Street Journal has commented: "Although these guidelines don’t carry the full force of regulations, companies can’t ignore them because of the SEC’s authority to lead enforcement actions against those firms that mislead investors about the nature of cybersecurity risks or hacks."

The SEC itself is no stranger to hacking. Edgar, its Electronic Data Gathering, Analysis and Retrieval unit, was hacked last year. Like Equifax, the SEC sat on the revelation for an inordinate amount of time before disclosing it to the regulated community

The Equifax hack, in which intruders filched the details of more than 145 million Americans, has also brought the issue to the fore in recent months. The credit-rating giant was aware of the hack in July but told nobody until September, laying itself open to much criticism.

At the end of September the regulator embarked on two new initiatives to deal with cyber-based threats and protect retail investors: the setting-up of a cyber unit and the establishment of a retail strategy task force. The former will tackle cyber-related misconduct such as:

market-manipulation through the spread of false information on electronic and social media;
hacking to obtain vital information;
misconduct involving distributed ledger technology and initial coin offerings;
misuse of the dark web;
intrusions into retail brokerage accounts; and
any threats to trading platforms.

The latter will try to snuff out misconduct that affects retail investors. Data analytics and IT will be its main weapons and it will concentrate on large-scale misconduct.