United States: SEC, Shareholders Take On A Growing Cybersecurity Oversight Role

Protecting against data breaches, hacks and cyber threats is an unwelcome but necessary reality for businesses today. In addition to vigilantly guarding against attacks, companies must consider the possibility of litigation and investigations that can stem from such events. State attorneys general, the Federal Trade Commission, the Department of Health and Human Services Office of Civil Rights, and other federal and state agencies have each investigated companies that have been the victim of a cyberattack. Now, businesses must also take into account whether failing to prepare for cyber threats exposes them to investigations or enforcement actions undertaken by the Securities and Exchange Commission or to litigation brought by shareholders.

On October 16, 2018, the SEC's Division of Enforcement, in consultation with the Division of Corporation Finance and the Office of the Chief Accountant, issued a Section 21(a) report on investigations into nine unnamed publicly traded companies from various industries, each of which fell victim to a "business email compromise" scheme.

Employees at each of these companies received fraudulent emails that purported to come from a company executive or vendor. The emails from "fake" executives asked company finance employees to work with purported outside counsel, identified in the email, to wire transfer money to a foreign bank account for a time-sensitive transaction. The emails spoofed email domains and addresses to make them appear to come from a company executive. The emails also contained real law firm and attorney names for added "authenticity."

In the "fake" vendor variant, perpetrators hacked a vendor's email account. From the hacked account, they sent company employees falsified invoices with a request that the company send payment for services to a specific foreign bank account controlled by the perpetrators.

In total, the nine companies investigated by the SEC lost nearly $100 million to the schemes. The money has not been recovered. According to the FBI, this type of "business email compromise" has caused more than $5 billion in losses since 2013.

Although the SEC decided not to pursue enforcement actions against any of the nine companies, it issued a Section 21(a) report "to make issuers and other market participants aware that these cyber-related threats of spoofed or manipulated electronic communications exist and should be considered when devising and maintaining a system of internal accounting controls as required by the federal securities laws." The Commission's report thus makes clear that companies that fail to have the proper internal controls to limit such threats may be in violation of their obligations under Section 13(b)(2)(B).

This report from the SEC follows on the heels of other recent actions taken by the Commission and shareholders. In February 2018, the SEC issued guidance on public company cybersecurity disclosures. The guidance emphasizes the SEC's belief "that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion, including those companies that are subject to material cybersecurity risks but may not yet have been the target of a cyber-attack." To that end, the guidance stresses that companies must develop effective disclosure controls and procedures. It also emphasizes that "directors, officers and other corporate insiders must not trade a company's securities while in possession of material nonpublic information, which may include knowledge regarding a significant cybersecurity incident experienced by the company."

The guidance was not mere rhetoric. In April 2018, the SEC fined Yahoo (now trading as Altaba Inc.) $35 million for failing to disclose a 2014 data breach until March 2016. And, in March and June 2018, the SEC charged former employees of Equifax for insider trading in connection with the announcement of the company's September 2017 data breach.

The SEC is not solely concerned with how publicly traded companies address cybersecurity. In September, the SEC charged Voya Financial Advisors with violating the Safeguards Rule and the Identity Theft Red Flags Rule. The Safeguards Rule requires that broker-dealers, investment companies and investment advisers "adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information." The Identity Theft Red Flags Rule requires the same types of entities to adopt written policies and procedures that are meant, among other things, to detect, prevent and mitigate identity theft.

The enforcement action stemmed from events that occurred in 2016, when individuals called Voya's support line pretending to be contractors for the company. These individuals requested that Voya reset the contractors' passwords. They then used the new passwords to gain access to the personal information of thousands of Voya customers, to create new online profiles, and to obtain access to the account documents of three Voya customers. According to the SEC, Voya's policies and procedures to protect customer information were outdated and "not reasonably designed" to provide such protection. In addition to a $1 million penalty, Voya agreed (without admitting or denying the Commission's findings) to be censured and to retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and the Identity Theft Red Flags Rule.

In addition to the actions taken by the SEC, shareholders in recent years have also brought an increasing number of both cybersecurity-based class actions alleging violations of the federal securities laws and shareholder derivative suits alleging companies' boards of directors failed to take adequate steps to prevent cyber incidents. A few examples include the following matters:

  • Yahoo settled for $80 million a suit brought by shareholders alleging that its stock traded at artificially high prices while it failed to disclose data breaches that had occurred.
  • After Equifax announced that it had been the victim of a cyberattack, shareholders brought suit against the company and certain directors and officers for alleged false or misleading statements about Equifax's data security measures.
  • Shareholders brought a suit against PayPal alleging that the company downplayed the extent of a security breach experienced by its payment processor, which plaintiffs alleged caused artificially high stock prices.

To limit the risk of falling victim to a cyber threat and exposure to an SEC enforcement action or a shareholder suit, businesses subject to SEC oversight should consider the following steps, among others:

  • Devise and maintain internal accounting controls that focus on the evolving cybersecurity threats companies face. This includes implementing (1) policies and training to ensure employees are aware of "business email compromise" schemes and (2) safeguards that make the transfers of funds in response to similar requests impossible without further internal review.
  • For those businesses subject to the SEC's periodic reporting requirements, disclose as part of the discussion of risk factors the probability of the occurrence and potential magnitude of cybersecurity incidents; the adequacy of preventative actions taken to reduce cybersecurity risks; and the aspects of the business and its operations that give rise to material cybersecurity risks.
  • Disclose material cybersecurity incidents that have occurred accurately and in a timely manner.
  • Ensure there are policies and procedures in place so that key information that might otherwise be known only to those charged with day-to-day responsibility for cybersecurity—such as the chief technology officer or information technology team—is shared with those involved in the company's financial statement disclosures.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
