Greater Security Enforcement is Leading to New SEC Fines –
What You Need to Know Now…
– Stel Valavanis, CEO of onShore Security
Notable Ransomware Attacks are Prompting Increased Accountability
Announcements this past summer have made it clear that the US Government, and particularly the executive branch, is taking ransomware seriously. This move is unsurprising, as attacks such as SolarWinds and the Colonial Pipeline attack demonstrated the risk that hackers pose to our national security and infrastructure. Supply chain attacks proved that high profile targets mean high levels of risk and greater amounts of collateral damage upon attack. Executive orders issued by President Biden and announcements by the SEC should be inspiring corporate cybersecurity stakeholders to make real changes and additions to their security operation, especially as the SEC is expected to make important proposals in Q4, creating legal precedent for disclosure issues that are already proving to be a legal vulnerability to companies and their leaders.
The disclosure issues that companies are currently having are, most notably, ill-advised intentional non-disclosure. In August of 2021, the SEC announced 8 brokerage firms and business entities that would be subject to large fines for failure to disclose breaches. Specifically, the SEC found that the firms violated “ Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information.” Two of the firms were also found to be in violation of Rule 206(4)-7, a rule relating to notifying clients about a breach. Essentially, they were fined for doing what many companies have gotten away with in the past: failing to stop a breach and then trying to hide that fact from their clients (and investors). The firms were censured, ordered to pay fines, and warned to cease and desist from future violations. These enforcement measures will likely be only the opening salvo of enforcement action by the SEC and other new precedents will be set as violations are announced and prosecuted.
Corporate Leaders Being Held Responsible
Not only does this new enforcement put companies and their ability to do business at risk (of being noncompliant and facing enforcement), but also puts at personal risk the cybersecurity leaders responsible for making security decisions at the highest level. In the case I’ve referred to, fines are being levied specifically for failure to follow the companies’ own cybersecurity policies surrounding multi-factor authentication. Public record and information for investors included this policy, requiring MFA whenever possible, but it was found that MFA was not in place before or after the undisclosed breaches. As the information regarding cybersecurity policies in place at the firms are part of the information investors use to make their choices regarding the company, it frames the coverup and further inaction as either negligent or intentional fraud.
As a company faces actual enforcement, it will be in its interest to prove that the company itself is not at fault and to use its CISO as a scapegoat, whether or not they actually were negligent in the operation. CIOs and CISOs will have to protect themselves from their own organizations as well as from potential civil cases to be brought against them personally.
It will become clearer in Q4 and the future what the SEC will do to enforce transparency for public companies and accountability for the leaders of those companies. A distinction will be made between security that actually protects information and customers and security operations that merely give the impression of effort.