Cybersecurity Front and Center in SEC’s Recent $100M Insider-Trading Enforcement Action
By Alexis H. Ronickher On August 13, 2015, the Securities and Exchange Commission (SEC) announced its first enforcement action involving cybersecurity. In SEC v. Dubovoy et al., the SEC charged 32 defendants for taking part in an insider-trading scheme. Over a five-year period of time, the hacker defendants hacked into at least two newswire services and stole hundreds of corporate earnings announcements before the newswires released them publicly. The hacker defendants then transferred that information to the trader defendants who used this nonpublic information to place trades prior to the newswires releasing the information publicly. The SEC alleges that the insider-trading scheme generated more than $100 million in illegal profits. The U.S. government is also pursuing criminal charges against the defendants. SEC v. Dubovoy demonstrates concretely the connection between cybersecurity and securities law. For at least the last four years, the SEC has made clear that cybersecurity is within its jurisdiction. In 2011, the SEC’s Office of Corporation Finance issued guidance emphasizing that public companies must disclose material cybersecurity risks and incidents in their SEC filings. Acting on this guidance, by 2013, the SEC had sent out 50 comment letters to public companies questioning the sufficiency of their disclosures regarding cybersecurity risks and incidents. In 2014, the SEC also hosted a cybersecurity roundtable that facilitated discussion regarding cybersecurity and the issues and challenges it raises for market participants and public companies. The SEC’s focus on cybersecurity has continued in 2015. In February 2015, the SEC Office of Compliance Inspections and Examinations issued a “Cybersecurity Examination Sweep Summary” that examined 57 registered broker-dealers and 49 registered investment advisers in an effort to better understand the measures that these market participants used to protect investors from a cyberattack or incident. Then in April 2015, the SEC Division of Investment Management issued a “Cybersecurity Guidance” reiterating that the cybersecurity of registered investment companies and registered investment advisors is an important issue to the SEC. The guidance included recommendations that they periodically review the sensitivity and location of information they collect, their security controls, and their management of cybersecurity risks. While the SEC has yet to take an enforcement action against a company or market participant because of its failures related to cybersecurity, SEC enforcement staff have indicated that cybersecurity is a top priority. Specifically, in late February 2015 at the annual “SEC Speaks” conference, David Glockner, the Director of the SEC’s Chicago Regional Office, said that cybersecurity is “high on [the SEC’s] radar.” Given the SEC’s prior guidance and other indications by the agency, it is likely that such an enforcement action would involve fraud or disclosure or internal controls violations. If you are aware of a public company or market participant that has engaged in securities violation because of its actions related to cybersecurity, you may have a viable whistleblower tip under the SEC’s whistleblower reward program. The SEC Whistleblower Office provides awards of 10 to 30 percent of the amount of sanctions and penalties the SEC imposes on wrongdoers as a result of whistleblower’s information. If you work for a public company and have faced retaliation because you reported cybersecurity vulnerabilities or failures that are significant enough to be potentially material to a reasonable investor, you may be protected by the anti-retaliation provisions of the Sarbanes-Oxley Act and the Dodd-Frank Act. At Katz Banks Kumin, we specialize in the representation of employees in whistleblower-retaliation cases and in representing individuals in the submission of “tips” to whistleblower reward programs such as those administered by the SEC.