SEC Action: $2.1 Million Fine for Insufficient Cybersecurity Controls

Publish Date

Type

Cyber Alert

Topics
  • Cybersecurity

On June 18th, 2024, the U.S. Securities and Exchange Commission (SEC) published a settlement report of their findings regarding violations to the 1934 Securities Exchange Act by a Chicago business communication and marketing solutions firm. In what some view as a novel application of the Exchange Act, the SEC established that between November 2021 and January 2022, the firm's cybersecurity practices violated the Exchange Act’s disclosure controls and procedures and internal accounting control provisions.

According to the SEC, during this period, the firm failed to design effective disclosure of cybersecurity-related risks and incidents, and failed to maintain a system of cybersecurity-related internal accounting controls that would only permit access to its information technology systems and networks with management authorization. As a result of these internal accounting control deficiencies, the firm failed to respond to a ransomware attack which occurred between November 29, 2021, and December 23, 2021 in a timely manner.

There are many lessons that can be learned from this case to help you ensure your firm's cybersecurity program meets SEC expectations.

SEC findings

The SEC’s summary of the cybersecurity practices enacted by the firm during the established period was as follows:

  • Between November 29, 2021, and December 23, 2021, the firm’s internal intrusion system issued a significant number of alerts which were reviewed by a third-party managed security services provider (the MSSP), though alerts were also available to the firm's internal personnel for review.
  • After initial review and analysis, the MSSP escalated several alerts to the firm’s internal cybersecurity personnel.
  • Response and remediation for incidents of unauthorized activity were meant to be executed by both the firm’s internal personnel and the MSSP.
  • However, despite the escalation of alerts, the firm did not take infected instances off the network, and failed to perform its own investigation of the activity or take any additional steps to prevent further compromise until December 23, 2021. It is likely that the firm’s internal security personnel were overly reliant on the MSSP and failed to act in a timely manner.
  • Only after another company with shared access to the firm’s network alerted the firm’s Chief Information Security Officer was a rapid response operation effectuated, with the firm’s internal security personnel shutting down servers and notifying clients and federal state agencies.
  • Attackers were able to exfiltrate 70 Gigabytes of data, including data belonging to 29 of firm’s clients containing personal identification and financial information. There was no evidence that the attackers accessed the firm’s financial systems or corporate financial and accounting data.

The SEC defined the following issues with firm’s oversight of their MSSP:

  • In its contract and communications with the MSSP, the firm did not set out a sufficient prioritization scheme and workflow for review and escalation of cybersecurity alerts. It also did not have procedures in place to audit the MSSP to confirm their review and escalation was aligned with the firm’s expectations and instructions.
  • The firm's staff members assigned to review alerts escalated by the MSSP had other significant responsibilities, leaving insufficient time to dedicate to these escalated alerts.

Our guidance

The settlement highlights the SEC’s increased interest in ensuring that proper cybersecurity policies, procedures, and controls are in place and that firms work effectively with MSSPs to manage a firm’s cybersecurity defenses. There are a number of takeaways from this case that firms should take note of, including: 

  • Firms Shouldn’t Wait for Cybersecurity Rulemaking - The published settlement effectively indicates that the SEC is fully willing to push forward novel applications of existing regulations to ensure greater cybersecurity regulation. Firms do not have the luxury to wait for new cybersecurity rules to be finalized, or to take a "wait and see" approach to exams when it comes to building and maintaining a robust cybersecurity program. 
  • Proactively Manage Your MSSPs - Firms should reexamine their relationships with MSSPs to ensure they have regular touchpoints and communication. They should also ensure they are able to provide adequate oversight for the services provided with their own dedicated personnel. Without proper oversight and review of an MSSP’s work, the firm may miss opportunities to quickly remediate cybersecurity incidents.
  • Establish Clear Processes for Reviewing and Escalating MSSP Findings – For firms that outsource cybersecurity work to MSSPs, it is critical that the firm establish clear roles and responsibilities for the review and escalation of alerts that the MSSP provides. This can help reduce the likelihood of items being missed or not receiving the proper level of attention they deserve.
  • Firms Can’t Outsource Cybersecurity Accountability - The use of an MSSP will not be sufficient for firms to escape responsibility for a delayed or insufficient response to a cybersecurity incident, and it has become imperative that firms assess and review how they work with service providers during an incident. Firms should engage in penetration testing, training sessions, and scenario exercises to evaluate and improve how the firm and MSSP(s) respond to cybersecurity incidents.

Firms should work with their cybersecurity MSSPs to identify gaps consistent with this case, and work to address any issues before a cybersecurity incident occurs.

How we help

ACA Aponix® can help your firm build your cybersecurity program in-line with SEC regulations and expectations and strengthen your line of defense against cyberattacks. Our services include:

Reach out to your ACA consultant, or contact us to find out how ACA can help secure your firm against cyber threats and comply with regulatory expectations. 

Contact us