In a recent development, the Securities and Exchange Commission (SEC) has imposed a $10 million penalty on a New York-based firm for violating the Regulation Systems Compliance and Integrity (Regulation SCI) rule. The violation stems from the firm’s failure to promptly inform the SEC and its subsidiaries about a cyber intrusion that occurred in April 2021.
The cyber incident came to light when a third party notified the firm about a potential system intrusion due to a previously unknown vulnerability in its virtual private network (VPN). Upon investigation, the company discovered that malicious code had been inserted into a VPN device used to access its corporate network. However, the firm did not immediately inform its subsidiaries’ legal and compliance officials of the breach, going against its internal cyber incident reporting procedures.
Regulation SCI requires entities to promptly notify the SEC of cyber intrusions and to provide an update within 24 hours, unless they determine the intrusion had a minimal impact on operations or market participants. The company and its subsidiaries took four days to assess the impact of the intrusion before internally concluding it was a minor event. The SEC’s enforcement division director, Gurbir Grewal, emphasized the importance of timely reporting, stating, “When it comes to cybersecurity, especially events at critical market intermediaries, every second counts and four days can be an eternity.”
The SEC’s order revealed that it was SEC staff, already assessing reports of similar cyber vulnerabilities, who ended up contacting the exchange group about the incident. The firm and its subsidiaries consented to the SEC’s order without admitting or denying the findings, agreeing to pay the $10 million penalty and to a cease-and-desist order for violating the notification provisions of Regulation SCI.
In a statement, a spokesperson for the New York-based company noted that the vulnerability discovered in 2021 ultimately resulted in “a failed incursion [that] had zero impact on market operations.” The spokesperson further clarified that the settlement involves an unsuccessful attempt to access their network more than three years ago and that the issue was the timeframe for reporting this type of event under Regulation SCI.
This enforcement action comes on the heels of the SEC’s recent update to Regulation SP, which requires covered institutions, including RIAs and broker-dealers, to notify affected individuals no later than 30 days after discovering a data breach. SEC Chair Gary Gensler emphasized the importance of this update, stating, “The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”
This case serves as a reminder of the critical importance of timely disclosure and compliance with cybersecurity regulations in the financial sector. As cyber threats continue to evolve, it is crucial for companies to have robust incident response plans in place and to promptly report any breaches to the relevant authorities and affected parties.