ARTICLE
6 September 2024

SEC Continues Its Cybersecurity Focus, Settles With Company Over Lax Security Measures

Sheppard, Mullin, Richter & Hampton LLP


The SEC recently issued an order and settlement against a company arising from a pair of cyberattacks in which millions of dollars of client funds were stolen. Although the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failing to provide the safeguards necessary to protect its clients' funds.

In both attacks, cyber criminals were able to transfer large sums of money to external bank accounts. The first incident stemmed from a threat actor hijacking an existing email chain and pretending to be a client. The attacker then requested the issuance and liquidation of new shares to an external account. In the second incident, an attacker used Social Security Numbers stolen from an unknown source to create fake accounts and link them to legitimate accounts, even though the other personal information attached to the accounts did not match. In both instances, the attacker transferred funds out to external accounts.

The order highlights what the SEC expects when it comes to employee training and security protocols. Although the company had sent employees alerts about fraud and guidance on the importance of call-backs to verify requests and of paying attention to requesters' email addresses, the SEC found this to be insufficient. The SEC said that the company should have taken additional steps, such as confirming that the warning email was read by employees, that training was provided, and that call-backs were in fact being performed.

Putting it Into Practice: This case serves as a reminder of the types of monitoring and measuring criteria regulators may expect when it comes to demonstrating that employees have been adequately trained. Copies of training materials or warning newsletters may no longer be enough. Regulators are increasingly interested in how a company evaluates whether its cyber training is effective and how it monitors employee compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
