6 September 2024

SEC Continues Its Cybersecurity Focus, Settles With Company Over Lax Security Measures

Sheppard Mullin Richter & Hampton

Sheppard Mullin is a full service Global 100 firm with over 1,000 attorneys in 16 offices located in the United States, Europe and Asia. Since 1927, companies have turned to Sheppard Mullin to handle corporate and technology matters, high stakes litigation and complex financial transactions. In the US, the firm’s clients include more than half of the Fortune 100.
The SEC recently issued an order and settlement against a company arising from a pair of cyberattacks in which millions of dollars of client funds were stolen. While the company was able to recover a portion of the funds and ultimately reimbursed clients for the money lost, the SEC still fined the company $850,000 for failing to provide the safeguards necessary to protect its clients' funds.

In both attacks, cyber criminals were able to transfer large sums of money to external bank accounts. The first incident stemmed from a threat actor hijacking an existing email chain and pretending to be a client. The attacker then requested the issuance and liquidation of new shares to an external account. In the second incident, an attacker used Social Security Numbers stolen from an unknown source to create fake accounts and link them to legitimate accounts, even though other personal information attached to the accounts did not match. In both instances, the attacker transferred funds out to external accounts.

The order highlights what the SEC expects when it comes to employee training and security protocols. Although the company had sent employees alerts about fraud and guidance on the importance of call-backs to verify requests and of paying attention to requesters' email addresses, the SEC found this to be insufficient. The SEC said that the company should have taken additional steps, such as confirming that the warning email was read by employees, confirming that training was provided, and otherwise confirming that call-backs were in fact being performed.

Putting it Into Practice: This case serves as a reminder of the types of monitoring and measuring criteria regulators may expect when it comes to demonstrating that employees have been adequately trained. Copies of training materials or warning newsletters may no longer be enough. Regulators are increasingly interested in how a company evaluates whether its cyber training is effective and how it monitors employee compliance.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
