NCLA Site Search

Regulator, Regulate Thyself!

Margaret A. Little
Senior Litigation Counsel

April 6, 2023

Approximately 111.7 million Americans are cyber-attacked each year. More than 80% of all American firms report that they have been successfully hacked, with 43% of those cyber attacks targeting smaller businesses. Those breaches of security grow in frequency, penetration and industry reach with every year that we become more and more dependent upon electronic ways of doing business—from which there is no turning back. Anyone who has been hacked knows the substantial economic, reputational, psychological and opportunity costs extracted by this pernicious not-so-new kind of crime.

Into this breach, now comes the Securities and Exchange Commission (SEC), which has just released Proposed Cybersecurity Rule 10, a 500-page rule and its companion Form SCIR. Companies that suffer a cybersecurity incident must provide SEC with an immediate detailed Form SCIR report within 48 hours of the incident: “Failure to file [Form SCIR as required] would violate the Federal securities laws and may result in disciplinary, administrative, injunctive or criminal action” and “INTENTIONAL MISSTATEMENTS OR OMISSIONS OF FACTS MAY CONSTITUTE FEDERAL CRIMINAL VIOLATIONS.”

Companies that have suffered a cyberattack are victims of a crime. Yet the proposed rule and filing obligations pile more legal peril on companies, distracting them from the important business of taking immediate steps to address the situation. Their regulator should be there to provide information and assistance, not “a cudgel to wield if the firm fails to comply with a complicated reporting regime” as Commissioner Hester Peirce stated when dissenting from the SEC’s publication of the proposed rule. Commissioner Mark Uyeda also dissented pointing out that the proposal overlaps existing—and sometimes inconsistent—regulatory burdens already imposed on besieged companies in this dire situation. Commissioner Peirce bluntly states “this rule is easier to understand as a tool to enhance our year-end enforcement statistics than a serious proposal to make the securities markets more secure.”

It is disturbing to see that our government is piling on corporate victims of a cybersecurity sack, at a time they must also address the problem. Comm’r Peirce’s statement bullet points at least six ways in which the scheme is a “set-up” for new enforcement actions, criminalizes conduct that isn’t criminal, requires a public filing that provides a roadmap for cybercriminals while at the same time forcing companies to blacklist themselves, is vague and unworkable and thus is preordained to fall short of compliance and thus expose the firm to enforcement actions, pulls 25% of smaller companies into this regulatory quicksand and is another barrier to entry for others.

But the real kicker comes at the end of Commissioner Peirce’s dissent. Since early 2020, I have been blogging and publishing about the SEC’s dangerous Consolidated Audit Trail (CAT) program which intends to seize upon every datum of every trade made on the American securities markets—without any law of Congress empowering them to do so! Commissioner Peirce calls out the SEC for demanding that a firm dealing with a cybersecurity attack “first and repeatedly attend to the Commission’s voracious hunger for data” noting:

I could not help but wonder, as I read through the more than 500 pages that make up this proposal, whether we at the Commission are living up to the proposed standards. At a minimum, should we not first attend to the severe cyber-risks associated with the Consolidated Audit Trail by excluding retail investor information from the CAT, or, at a minimum, adopting the CAT Data Security amendments before we consider adopting this rule?

SEC itself—and many other government agencies—have suffered significant cyberattacks where the risk to citizen privacy and security is many times greater than in any single company attack. Yet those government vulnerabilities are quickly hushed up and not subject to any onerous public reporting such as this.

The single most effective and cost-free method of curtailing the calamitous effects of cyber attacks is not to assemble sensitive personal, banking and financial information into an electronic database in the first place. Yet the SEC persists in its lawless plan under the CAT to invade the Fourth Amendment, civil and privacy rights of all Americans who trade on the securities exchanges. Without the SEC having a shred of authority from Congress to do so. Just as bad, the CAT program costs billions of dollars, which SEC forces the self-regulatory organizations to finance—because there cannot be lawful appropriations for lawless programs. That unlegislated tax upon the financial services industry drains resources from and raises the costs of doing business on American exchanges taxing Americans’ retirement accounts without any electoral accountability for this taxation without representation. The regulatory overreach and hypocrisy of these proposed rules are palpable.