Toppan Vintage, a trusted financial printing and communications company, in partnership with Mergermarket, is pleased to present an excerpt from the newest edition of M&A Pulse newsletter, focused on the SEC breach and the new age of cybersecurity.
In August 2017, the Securities and Exchange Commission issued a “Risk Alert” [1] on cybersecurity that described the results of a recent examination of 75 companies’ security frameworks. The findings struck a note of optimism, saying that nearly all the examined companies maintained written cybersecurity-related policies and procedures.
However, the document also said the firms “did not appear to adhere to or enforce [the] policies and procedures.” In other words: the firms mostly had cybersecurity frameworks on paper only.
Just over a month after that “Risk Alert” was released, news broke that the SEC may have been guilty of this same error. Despite the SEC’s increased emphasis on cybersecurity at filers in recent years, the Commission announced that its own EDGAR system was breached in 2016. What’s more, the SEC delayed making the intrusion public until September 2017, and only in October did Chairman Jay Clayton reveal that the data in an EDGAR test filing also included the Social Security numbers of two individuals.
To be sure, most cybersecurity experts agree that data breaches are difficult to prevent altogether in the modern world – including at the SEC. But can the Commission maintain robust response procedures going forward? And should companies be concerned about the security of their filings in light of the breach?
John Reed Stark, who served as the chief of the SEC’s Office of Internet Enforcement for 11 years until 2009, said the Commission must cope with the same issues as corporations across sectors and geographies for the most part. “The challenges the SEC is facing in the area of cybersecurity are really no different than what every company doing any kind of business over the internet is facing,” he said.
Nonetheless, he said, one area in which it has a disadvantage is obtaining funding – especially for high-quality employees.
“The only way to have really good policies, practices, and procedures is to have really good people, and there's a real crisis in the country right now with respect to cybersecurity professionals,” said Mr. Stark, who now leads his own cybersecurity consulting firm. “There's such a small number of them. And major technology companies who are hiring can pay anybody working at the SEC twice or three times as much as they're receiving at the agency.”
Upgrading hardware can be a challenge for the government as well. For example, after the SEC breach came to light, it was reported that the Commission’s forensic unit had been forced to use outdated equipment that had been previously slated for disposal. “There is a lot of pressure in government contracting to just take the lowest bidder, which I think is penny wise and pound foolish,” Mr. Stark said.
In response to the breach, the SEC has taken several steps meant to bolster its data security efforts. On September 25, it announced the creation of two new divisions tasked with addressing threats: the Cyber Unit, which will have a broad remit that includes responding to cyberattacks on critical infrastructure; and a Retail Strategy Task Force, whose focus is on protecting retail investors. The Cyber Unit is a revived version of the Office of Internet Enforcement, which was shut down in 2010 as part of an agency reorganization.
In addition, SEC Chairman Jay Clayton said in late September that he plans to request a boost to the agency’s US$1.6bn budget from Congress to help cover additional security costs.
Perhaps the biggest concern of investors for the immediate future is the SEC’s planned database of investor information known as the Consolidated Audit Trail (CAT), which is designed to help the Commission monitor markets better. In the wake of the EDGAR breach, lawmakers and brokers raised the idea of delaying the November 15 deadline for stock exchange operators to start sending data to the system.
The contractor responsible for building it, however, has said security is a foremost priority, and has warned against the consequences of halting data collection altogether. “The negative of the fear around cybersecurity is that if it’s used to kill every initiative that might involve gathering more data, then society loses,” Thesys Technologies CEO Mike Beller told Bloomberg in an interview in October.
The damage done in a cyberattack can be enormous – potentially even larger than the fraud perpetrated at companies such as Enron and WorldCom, according to Mr. Stark. The CAT system, for instance, could eventually contain personal data of more than 100 million trading accounts.
But at the same time, Mr. Stark warns against vilifying the victims of breaches, and contrasts them with embezzlers and fraudsters. “Senator Charles Schumer said that the incident at Equifax was the worst case of corporate malfeasance since Enron,” Mr. Stark said. “That's not just hyperbole – that's absurdity.”
“Because at Equifax, no one has been accused of trying to steal millions of dollars from the company,” he said. “At worst, the executives just didn't take security as seriously as they should have. But that's a far cry from the crooks of Enron who schemed to steal money from shareholders and manipulate stock markets.”