In what appeared to be the first enforcement action of its kind, the Securities and Exchange Commission fined GWFS $1.5 million in May. The settlement involved attempts by cyber criminals to use illegally obtained personally identifiable information (PII) to gain access to customer accounts.
Notably, the enforcement action was not based on GWFS failing to disclose or report a cyber intrusion into its own networks; the SEC acknowledged GWFS’s robust cybersecurity efforts. Rather, the cyber criminals obtained customers’ login credentials, such as user names, e-mail addresses and passwords, through attacks on the customers themselves and/or on third parties.
That GWFS detected and blocked most of the takeover attempts before the malicious actors could obtain funds was not enough to satisfy GWFS’s anti-money laundering and Bank Secrecy Act (AML/BSA) obligations.
Cybersecurity is a federal priority
President Joe Biden, SEC Chairman Gary Gensler, and the SEC’s Division of Examinations have all made cybersecurity a priority. Recent high-profile cyber events will no doubt increase regulatory scrutiny, and the SEC could take the lead in ensuring that financial institutions file suspicious activity reports (SARs) to alert law enforcement to potential risks.
The SEC first asserted itself as a regulator of AML/BSA violations in 2007. In recent years, the SEC has increasingly asserted its authority to enforce the BSA and to police SAR filings under provisions of the Securities Exchange Act of 1934 that require broker-dealers to comply with reporting, record-keeping and record-retention requirements.
The SEC has also stepped up enforcement of Rule 30(a) of Regulation S-P, which requires broker-dealers, investment companies and investment advisers to maintain reasonably designed policies and procedures to protect against unauthorized access to or use of customer PII.
Although the SEC’s authority to enforce the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) regulations has been questioned, at least one of the cases cited in the GWFS settlement order held that the SEC has authority to enforce the BSA’s SAR regulations through Rule 17a-8.
Action signals intention to enforce SAR guidelines
The SEC’s GWFS enforcement action underscores that regulators intend to enforce cyber-related SAR guidance that has flown under the radar for the past decade.
In 2011, for example, FinCEN published an advisory on account takeover activity. In 2016, FinCEN issued additional guidance and FAQs on cyber-events and cyber-enabled crime. According to the FinCEN guidance: “Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
The SEC’s GWFS enforcement action and the FinCEN guidance make clear that regulators expect firms subject to SAR reporting requirements to file detailed SARs when malicious actors merely attempt to use improperly obtained customer PII to access accounts involving at least $5,000, regardless of whether the attempt succeeds.
Additionally, the SEC stressed that template narratives are not enough. SAR narratives for attempted account takeovers must include “the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported” in order to meet regulatory requirements. For cyber-related SARs, these essential elements can include URLs, IP addresses and timestamps, e-mail addresses and other electronic identifying information.
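As an added illustration of the evidence a cyber-related SAR narrative needs, and not code from the column, the SEC order or GWFS: the script below scans a constructed authentication and transfer log for the credential-replay pattern described above (one source trying logins against many unrelated accounts, then moving funds from the ones it unlocked), and collects the who/what/where/when/why elements together with the IPs, URLs, timestamps and e-mail addresses, summing attempted amounts whether or not the transfers were blocked. The log format, field names, time window and account-count threshold are assumptions made for the example; only the $5,000 figure comes from the column.

```python
"""Detect attempted account takeover in a login/transfer log and gather the
cyber-SAR narrative elements (who/what/where/when/why plus IPs, URLs,
timestamps and e-mail addresses).

Added illustration; not the column's, the SEC's or GWFS's code. Log format,
field names and detection thresholds are assumptions; the $5,000 figure is
the one the column cites."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log (hypothetical key=value format, one event per line).
SAMPLE_LOG = """\
ts=2021-03-02T14:01:07Z type=login ip=203.0.113.7 email=a.lee@example.net url=/login result=fail
ts=2021-03-02T14:01:09Z type=login ip=203.0.113.7 email=b.kim@example.net url=/login result=fail
ts=2021-03-02T14:01:12Z type=login ip=203.0.113.7 email=c.ruiz@example.net url=/login result=success
ts=2021-03-02T14:01:15Z type=login ip=203.0.113.7 email=d.nair@example.net url=/login result=success
ts=2021-03-02T14:01:18Z type=login ip=203.0.113.7 email=e.wong@example.net url=/login result=fail
ts=2021-03-02T14:03:40Z type=transfer ip=203.0.113.7 email=c.ruiz@example.net url=/api/transfer amount=4200.00 result=blocked
ts=2021-03-02T14:05:02Z type=transfer ip=203.0.113.7 email=d.nair@example.net url=/api/transfer amount=1500.00 result=blocked
ts=2021-03-02T15:10:00Z type=login ip=198.51.100.20 email=f.ortiz@example.net url=/login result=success
ts=2021-03-02T15:12:30Z type=transfer ip=198.51.100.20 email=f.ortiz@example.net url=/api/transfer amount=250.00 result=completed
"""

SAR_DOLLAR_THRESHOLD = 5000.0  # figure cited in the column; attempts count even when blocked


def parse_log(text):
    """Turn key=value lines into dicts; amounts become floats, timestamps datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(tok.split("=", 1) for tok in line.split())
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if "amount" in ev:
            ev["amount"] = float(ev["amount"])
        events.append(ev)
    return events


def find_credential_stuffing(events, min_accounts=3, window_seconds=300):
    """Return IPs that tried logins against >= min_accounts distinct e-mails
    within window_seconds. Many unrelated accounts from one source in a short
    span is the usual sign that stolen credentials are being replayed rather
    than one user mistyping a password (assumed thresholds)."""
    by_ip = defaultdict(list)
    for ev in events:
        if ev["type"] == "login":
            by_ip[ev["ip"]].append(ev)
    suspicious = set()
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if (e["ts"] - start["ts"]).total_seconds() <= window_seconds]
            if len({e["email"] for e in in_window}) >= min_accounts:
                suspicious.add(ip)
                break
    return suspicious


def build_sar_record(events, suspicious_ips):
    """Assemble the who/what/where/when/why elements plus the electronic
    identifiers for the compliance team. Attempted amounts are summed whether
    or not the transfer was blocked, since attempts are reportable too."""
    related = [e for e in events if e["ip"] in suspicious_ips]
    if not related:
        return None
    transfers = [e for e in related if e["type"] == "transfer"]
    attempted = round(sum(e["amount"] for e in transfers), 2)
    compromised = sorted({e["email"] for e in related if e["type"] == "login" and e["result"] == "success"})
    return {
        "who": {"affected_accounts": compromised,
                "targeted_accounts": sorted({e["email"] for e in related}),
                "source_ips": sorted(suspicious_ips)},
        "what": {"activity": "attempted account takeover using stolen credentials",
                 "attempted_amount_usd": attempted,
                 "transfers": [(e["email"], e["amount"], e["result"]) for e in transfers]},
        "where": sorted({e["url"] for e in related}),
        "when": {"first": min(e["ts"] for e in related).isoformat(),
                 "last": max(e["ts"] for e in related).isoformat()},
        "why": "one source IP attempted logins to many unrelated accounts within minutes, "
               "then tried to move funds out of the accounts it unlocked",
        "meets_dollar_threshold": attempted >= SAR_DOLLAR_THRESHOLD,
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(json.dumps(build_sar_record(evs, find_credential_stuffing(evs)), indent=2))
```

On the constructed log, the record flags 203.0.113.7 as the source, lists the two accounts whose logins succeeded separately from the five that were targeted, and reports $5,700 attempted even though both transfers were blocked, so the threshold check passes. The single login and completed transfer from 198.51.100.20 stay out of the record because nothing in the log ties them to the replay pattern.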
The SEC’s increasing focus on cybersecurity risks
While the GWFS settlement breaks new ground on cyber-related SAR requirements, it is in line with the SEC’s increased focus on cybersecurity issues in recent years. In 2018, the SEC stressed that “it is vital that publicly traded companies take all necessary steps to inform investors of material cybersecurity risks.”
Recent enforcement actions over the adequacy of disclosures demonstrate the agency’s commitment, and in August 2020 the Commission updated its broader disclosure rules to require disclosure of “material” risks and matters across a range of topics, potentially including cybersecurity.
The GWFS enforcement action introduces a new consideration for companies as they review the adequacy of their own prior reporting and consider whether public disclosures should be revised to reflect new compliance costs and enforcement risks. And, as noted above, Gensler, the Division of Examinations and the Commission itself have all emphasized their focus on cybersecurity and ransomware issues in recent months, increasing the likelihood of further guidance and enforcement action.
Organizations should continue to carefully review their incident response and security monitoring plans to ensure that procedures exist to document and share the information needed to support reporting requirements. Existing procedures may not capture all of the relevant information and incidents that must now be reported, nor ensure that this information is shared internally with legal and compliance teams.
The GWFS action shows that maintaining robust cybersecurity protections and blocking most attacks is not enough to avoid penalties; adequate reporting and disclosure are also essential. Only by carefully reviewing and expanding internal practices can a company ensure that it collects and reports enough information to meet SEC expectations.
This column does not necessarily represent the opinion of the Bureau of National Affairs, Inc. or its owners.
Information about the author
Kenneth Herzinger is a partner in Paul Hastings’ Investigations and White-Collar Practice in San Francisco, focusing on SEC investigations and enforcement actions, internal investigations and securities class actions, including matters related to cryptocurrency and money laundering. Before joining a private practice, he worked as a lawyer in the SEC’s Enforcement Division.
Sherrese Smith is vice chair of Paul Hastings’ privacy and cybersecurity practice in Washington, DC, where she counsels multinational corporations across jurisdictions (including the US, EU and Asia) on data protection and cybersecurity matters and security breach response, including global privacy management and information security risk and compliance matters.
Derek Wetmore is a litigation partner who advises corporations and individuals on a variety of civil and criminal matters involving US securities laws, the FCPA, the Bank Secrecy Act and other laws.