SEC won’t be heavy-handed cybersecurity regulator, officials say

20 April 2017. By Amy Miller.

The US Securities and Exchange Commission will not become a heavy-handed cybersecurity regulator, agency officials reassured an audience of privacy and cybersecurity professionals at a conference Thursday.

The SEC will bring enforcement actions against companies that don't take any steps to assess their cybersecurity risks and protect consumers and investors, said Stephanie Avakian, the SEC's acting enforcement director. She pointed to recent fines paid by Morgan Stanley and R.T. Jones investment advisors for inadequate cybersecurity safeguards as examples.

The SEC is going after hackers who are increasingly trying to steal nonpublic information they can use for insider trading or to manipulate stock markets, among many nefarious purposes, Avakian said.

But it's up to companies, not the SEC, to decide what their best cybersecurity strategy should be, said Shamoil Shipchandler, director of the SEC's Fort Worth regional office. When there's a breach, the agency won't go after companies for minor missteps, he said.

"We try to look at everything on a case-by-case basis," Shipchandler said. "The regulations apply to everyone equally. How you implement them depends on the entity itself."

Some have called on the SEC to create bright-line, prescriptive cybersecurity rules, arguing that would provide clearer guidance. But the agency has resisted doing that because each company and its cybersecurity needs are different, Avakian said.

If the agency wrote requirements with big firms in mind and then required every company, regardless of size, to follow them, compliance would be impossible for many and probably wouldn't make business sense, she said.

"We've gone to great lengths not to be [prescriptive]," Avakian said. "We really do rely on business to identify risks and how they are going to deal with them."

The SEC does require that companies disclose when a data breach has occurred, and looks carefully at disclosures before and after a data breach, she said. For example, the agency is currently investigating whether Yahoo's disclosures about two massive hacks should have been reported to investors sooner.

So far, though, the agency hasn't brought any enforcement actions for inadequate disclosures. The agency recognizes how difficult disclosures can be after an incident and is well aware that facts can change quickly, she said.

The agency's enforcement focus could evolve, Avakian said.

"But I want to be clear, we are not looking to second-guess good-faith decisions," she said. "We're not looking for a slip on the banana peel."
