There haven’t been a lot of large fines handed down by the U.S. Securities and Exchange Commission because of hacking yet but more may be on their way in the wake of recent public comments coming out of the SEC. In May, SEC Chair Mary Jo White called cyber security the biggest risk to the financial system.
This statement alone should be sufficient to convince financial whistleblowers that the SEC is interested in information about violations of the federal securities laws related to hackers and cybersecurity, but a number of other news items and public comments have also come out of the SEC recently in this area that bolster this conclusion:
Christopher Hetner has been named senior adviser on cybersecurity to SEC Chair White. Hetner has 20 years of experience in information security and technology and has been working in the Office of Compliance Inspections and Examinations (OCIE). One of the OCIE’s areas of focus has been examining the cybersecurity controls of investment advisers and broker-dealers. The creation of this agency-wide position signals the increasing importance of cybersecurity across the SEC.
Bloomberg BNA reported that SEC officials predict more cyber enforcement cases, citing statements by the head of the SEC Chicago Regional Office, David Glockner, at a June conference in New York organized by the Practising Law Institute. Glockner indicated that the SEC is trying to be “measured” in pursuing enforcement actions involving cybersecurity because of the changing landscape, but that cases will be brought in the future.
Following White’s statement, the SEC also brought and resolved an enforcement action against Morgan Stanley for violations of the Safeguards Rule involving hacked client data. News reports indicated that a Morgan Stanley employee copied customer data to his own storage device and this device was subsequently hacked and the contents posted online. Morgan Stanley agreed to pay $1 million to resolve the government’s investigation, without admitting or denying the allegations. Cybersecurity whistleblowers can expect the Safeguards Rule to be the center of an enforcement action when financial institution customer data is hacked and the company had insufficient written policies and procedures to reasonably protect the client data.
The SEC Whistleblower Program and Cyber Security
Individuals reporting violations of the federal securities laws related to cybersecurity are eligible for rewards under the Dodd-Frank Act and the SEC whistleblower program. The SEC offers awards of between 10 and 30 percent of the money collected to individuals who provide information about securities law violations that results in monetary sanctions of more than $1 million. For professionals who may encounter potential violations of the securities laws related to cybersecurity, here are the three areas where these cases are expected to arise:
The one place where we have already seen a large fine is for insider trading based on confidential, non-public information acquired by hacking. Last year, the SEC brought an enforcement action against the perpetrators of a ring hacking corporate news release sites. Two of the thirty-four defendants agreed to pay $30 million to settle the SEC charges. The SEC estimates that the defendants in total received over $100 million in illegal profits over five years.
The Morgan Stanley example is the second: insufficient protections by professionals in the securities industry. The Safeguards Rule is set forth in Rule 30(a) of Regulation S-P. It requires broker-dealers, investment companies and registered investment advisers to adopt written policies and procedures that are reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of those records, and protect against unauthorized access to or use of them that could result in substantial harm or inconvenience to any customer.
The only area where we still haven’t seen an enforcement action yet is for insufficient disclosures to investors by a publicly traded company. These disclosures might be required either before a data breach by a hacker (if it can be anticipated that a breach would have a material impact on the company and thus important to an investment decision) or after a data breach if it has a material impact on the company. The current guidance by the SEC for these disclosures was issued by the Division of Corporation Finance in 2011. We wouldn’t be surprised if these guidelines are updated over the next few years.
Whistleblower actions are generally complex and should only rarely be attempted without counsel. Here are a few of the potential pitfalls that may need to be navigated in this area:
Employees who find themselves at a financial firm engaged in insider trading may be concerned about their own potential exposure to criminal charges. In this case, we recommend that you also seek the counsel of a white collar criminal attorney in addition to our services as whistleblower attorneys. So long as you did not direct, plan or initiate the illegal conduct, you may still be entitled to an award for information about, and evidence of, the illegal scheme.
Because the area is still “new”, the SEC may exercise discretion when determining whether an enforcement action is warranted against a financial institution based on cybersecurity issues. For cases where a company put clients at risk but there is no actual breach of customer data, the fines may not get high enough to result in a whistleblower reward. For the SEC to issue an award, the Commission must obtain monetary sanctions of more than $1,000,000. In the case against Morgan Stanley, a whistleblower could have been entitled to an award because the sum total of monetary sanctions when including the former Morgan Stanley employee exceeded $1 million.
Technology professionals with information about insufficient cybersecurity protections and disclosures should be cognizant of the fact that this is still a developing area before blowing the whistle internally in anticipation of anti-retaliation protections. In a recent opinion, Beacom v. Oracle America, the Eighth Circuit determined that an employee was not protected from retaliation after reporting discrepancies in sales projections because the employee’s belief that a securities violation had occurred was not objectively reasonable. Given the lack of enforcement actions in this area so far, a court could similarly conclude that a cybersecurity whistleblower lacked an objectively reasonable belief that the securities laws were violated. That risk is in addition to the remaining uncertainty over whether the Dodd-Frank anti-retaliation protections extend to whistleblowers who report only internally.
If you discover a potential violation of the federal securities laws related to cyber security or hacking, our SEC whistleblower attorneys offer a free, initial legal consultation to help guide you through the start of this process. Please call 1-800-590-4116 to speak to one of our lawyers about reporting the suspected illegal activity to the U.S. Government.