Companies and their CISOs could face fines and other penalties ranging from hundreds of thousands to millions of dollars from the U.S. Securities and Exchange Commission (SEC) if they fail to comply with the cybersecurity and data breach disclosure processes required under the new rules that have come into force.
For those who may find themselves on the wrong end of an investigation, it is important to know that there are a variety of tools available to the SEC to use for enforcement purposes. These range from a permanent injunction ordering the defendant to cease the conduct at the center of the case, to disgorgement of ill-gotten gains, to three levels of escalating sanctions that can result in astronomical fines.
Additionally, the SEC could bar an individual from certain roles, such as a seat on the board of directors of other companies, while such cases could also result in mounting legal fees, reputational damage to the company and executives, and monetary damages resulting from lawsuits by the shareholders.
The SEC’s infringement rules have teeth
There are no enforcement actions yet, but in many ways the obligation imposed on companies to reveal any “material” IT security incidents fits into the SEC’s existing framework of investigations and sanctions. All in all, companies should be ready for the SEC to investigate.
That means empowering your CISOs to comply with the rules, says Jena Valdetero, shareholder and co-chair of the US Data Privacy and Cybersecurity Practice at law firm Greenberg Traurig, LLP.
“The SEC has made it very clear that this is an enforcement priority, so there’s really no conflict with city hall on this point,” she says, adding, “I think CISOs are right to be very concerned, because the SEC clearly said: ‘we will deal with the CISO’ [because they are] the best person to know what cybersecurity compliance measures are in place and what risks they are facing.”
That “dollar” might be more like a lot of dollars. The SEC traditionally has four main types of sanctions, all of which can be applied to the cyber world. The first is a permanent injunction, which prevents a company and an individual from continuing a certain type of activity. Second, disgorgement of ill-gotten gains carries penalties equal to the amount of profit allegedly made through fraud or failure to disclose. Third, they can seek an order barring an individual from serving as an officer or director, according to Steve Malina, a Greenberg Traurig shareholder and former senior attorney in the SEC’s enforcement department.
However, these three forms of relief are quite small compared to the potential financial penalties, he says. Fines start at $5,000 per violation for any violation of SEC rules and quickly rise to $100,000 per violation – or $50,000 and $500,000 for organizations – depending on whether fraud was involved and whether investors were harmed. The SEC can also “collapse any time it believes you have violated the law and call it an independent violation,” he says.
“The permanent injunction — putting aside the reputational damage — doesn’t have much force; it’s just an order that you won’t break the law again,” Malina says. “But disgorgement, civil monetary penalties, have real effects and can really hurt someone’s future in the industry.”
Those penalties do not include reputational damage, shareholder lawsuits and the cost of defending against any investigation or lawsuit, he says.
Fear and loathing in the C-Suite
In addition to traditional enforcement penalties, there are other costs to be incurred from SEC enforcement actions.
The SEC’s enforcement actions against SolarWinds and its CISO Timothy Brown caught executives by surprise, perhaps more than the SEC regulations themselves. Whether the agency wins its case or SolarWinds and Brown successfully defend themselves, the cost of litigation and its effect on the company’s reputation highlight the damage that any SEC enforcement action can cause.
Perhaps most concerning for CISOs is the personal responsibility they now face for many areas of business operations for which they have historically had no responsibility. Only half of CISOs (54%) are confident in their ability to comply with the SEC ruling, and two-thirds of CISOs (68%) feel overwhelmed in dealing with the new rules, according to a survey of 300 executives conducted by AuditBoard, a cloud-based risk and compliance platform.
“There has always been accountability within the C-suite, but now CISOs have a level of personal accountability they never had before,” says Richard Marcus, the company’s vice president of cybersecurity. “If you don’t have a clear process to handle this situation, and you make the wrong decision, and you didn’t disclose when you should have, you can be held personally liable—many CISOs we talk to are concerned about this.”
All of this is leading to a broad rethinking of the role of the CISO, says Ken Fishkin, senior manager of cybersecurity – essentially the interim CISO – for law firm Lowenstein Sandler LLP.
“A lot of people are very nervous about being in a position like mine now because of this responsibility,” he says. “It’s a business issue, definitely not just a CISO issue. Everyone is going to be very wary of checking statements – why would I say that? – without their lawyers giving them the go-ahead… because they’re so worried about being accused of committing a crime in a declaration.”
The concerns will add up to additional costs for businesses. Because of the added liability, companies will need to carry more comprehensive Directors and Officers (D&O) liability insurance, which not only covers legal fees for a CISO to defend himself, but also his expenses during an investigation.
Companies that won’t pay to support and protect their CISO may find themselves unable to hire for the position, while, conversely, CISOs may struggle to find supporting companies, says Josh Salmanson, senior vice president of technology solutions at Telos Corp., an information technology risk management company.
“We’ll see fewer people wanting to be CISOs, or people asking for much higher salaries because they think it might be a very short-term role until they get publicly ‘caught’,” he says. “The number of people who will enjoy a truly ideal environment with the corporate support and financing they need will likely remain small.”
Established policies, good faith, record keeping
Yet, there is a silver lining. The SEC’s breach disclosure rule has cautioned companies that they must pay attention to security and have a process in place, including evidence of discussions about the relevance of a security incident to investors, and this will likely lead to more security-conscious organizations, says Kathleen McGee, partner at Lowenstein Sandler LLP.
“Make sure you have a policy in place before the incident occurs, that you know who the affected parties are, who will be making those decisions, and that you document the process, so that if the SEC were to call and want to understand what the thinking was, you have a good explanation ready,” she says.
Companies and CISOs that have a policy and follow it probably won’t have to worry as much about enforcement actions, even if subsequent evidence shows that the initial decision was wrong, she says.
“If [companies and their CISOs] establish, initially, that an incident is not material, and then [they] come across new information that leads them to believe it was material,” they will have time – even if only four days – to correct the record, McGee says.