Cyber Lessons From The SEC?

Public companies worried about cybersecurity risk would be well served to pay attention to a recent crackdown by the U.S. Securities and Exchanges Commission on the use of automated technology to detect investment advisor fraud.

A recent settlement with Ameriprise Financial Services Inc., a registered investment adviser and broker dealer, suggests that the Commission isn’t inclined to look the other way when a technology failure goes undetected. In the world of cybersecurity, does this mean that a company’s blind faith in technology to safeguard its network and sensitive information might open it up to liability?

It’s a question worth considering.

In the Ameriprise case, the company used automated surveillance tools to prevent and detect employee fraud – much like internal monitoring is used to detect unusual activity within a company’s data security environment. But the technology was limited. Ameriprise’s fraud detection system suffered from a technical error that went undetected for several years. Because of the shortcoming, the SEC charged, insiders were able to “perpetrate a fraud” and siphon more than $1 million from client accounts.

And a second system – used to monitor cash disbursements from client accounts – suffered from design limitations and was unable to detect bogus fund transfers. “On multiple occasions,” according to the SEC, “Ameriprise did not detect the fraudulent transfer of funds from client accounts ….”

The SEC found that Ameriprise “lacked a reasonable mechanism to prevent and detect situations where a representative sought to misappropriate money from a client account” and imposed a $4.5 million civil penalty on the company for violations of the Investment Advisers Act of 1940. In the consent order, Amerprise did not admit or deny wrongdoing.

To be sure, there’s a big difference between an investment adviser’s obligations to safeguard investor assets and a public company’s disclosure obligations with respect to its cybersecurity safeguards, risk factors, and data security incidents. But the SEC’s position in the Ameriprise case may well be something companies ought to take to heart when looking at their cyber defenses and risks.

Over the past year, the SEC has ramped up its interest in cyber. In February 2018, the SEC issued its long-awaited guidance to public companies on disclosures about cybersecurity risks and incidents. The guidance urged public companies to be more transparent in disclosing cybersecurity risks in their public filings; to disclose material data security incidents in a timely fashion; and to implement safeguards such as trading bans to prevent insiders from selling securities after a breach is detected but before it is publicly disclosed. The guidance also underscored the responsibilities of senior management and boards in cyber risk oversight. See our alert here for more details on the Commission’s updated guidance.

Since then,  the Commission has been active in issuing comment letters to public companies and going back-and-forth about cybersecurity risk factor disclosures. But only one public company has been on the receiving end of an enforcement action. In April 2018, the SEC imposed a $35 million fine on Altaba Inc. – formerly Yahoo! – for not promptly disclosing one of the largest reported hacks in U.S. history. For more on the settlement, see our blog post here.

Measuring risk – especially in the world of cyber – is almost always a subjective issue. But the SEC’s position in the Ameriprise case may be worth remembering. If there’s a lesson, it’s that uncritical acceptance and belief in technology to safeguard an organization from cyber risk is a losing proposition. More than that, we’ll see.

Craig A. Newman is from Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice. Read more Patterson Belknap blogs here.