SEC Holds Publicly Traded Companies Accountable for Weak Cyber Defenses and Data Breaches in Age of Increasing Cybersecurity Attacks

On September 14, 2021, Gary Gensler testified before the U.S. Senate Committee on Banking, Housing, and Urban Affairs for the first time as Chair of the Securities and Exchange Commission. After noting that “[t]oday’s investors are looking for consistent, comparable, and decision-useful disclosures around climate risk, human capital, and cybersecurity”, the SEC Chair testified that “staff are developing a proposal for the Commission’s consideration on cybersecurity risk governance, which could address issues such as cyber hygiene and incident reporting.” This welcomed focus on cybersecurity comes at a time where ransomware attacks are on the rise: According to the cybersecurity firm SonicWall’s 2021 report, ransomware attacks rose by 62% worldwide between 2019 and 2020 (ransomware refers to a form of malware which encrypts files on a device in a way that renders them unusable, and a ransom is demanded for the decryption). 2021, meanwhile, has seen such notable cyberattacks as the ones perpetrated on the software company Kaseya, JBS (meat-processing company), the American financial services company Robinhood, and, of course, Colonial Pipeline. Also of note this year, the United States Senate has introduced bipartisan legislation to combat cybercrime – S.2139 – International Cybercrime Prevention Act – which has been referred to the Committee on the Judiciary.

It is within this climate of cyber-insecurity, where we have seen data breaches of critical services and an overall rise in cyberattacks, that the SEC has investigated companies in connection with their data breaches. Inheriting an SEC Cyber Unit that was created under the previous administration, Chair Gensler has overseen a Commission which has ordered investment advisory firm KMS Financial Services to pay $200,000 over its failure to adopt written policies and procedures to safeguard customer information and records against cyberattacks (Order here), settled charges against Pearson plc because of its misleading of investors over a cyberattack in 2018 that led to millions of student records being stolen, and a settlement with Cetera entities over their failure to have reasonable policies and procedures in place to prevent unauthorized access to customers’ personally identifiable information. 

The message from the SEC, through the testimony of their Chair and their actions in recent months, is clear: They are taking cybersecurity and data breaches very seriously, and are willing to investigate companies that do not have adequate cyber defenses.