Last week, the U.S. Securities and Exchange Commission announced a consent cease and desist order and sanctions against Mizuho Securities USA LLC for its failure to enforce policies and procedures designed to protect against the disclosure of material non-public information from “execution and sales traders” to other traders and externally to customers. Specifically, the consent order, in which Mizuho does not admit and, to the contrary, denies the SEC’s findings, states that the lack of “effective information barriers between Mizuho equity trading desks and measures to protect confidential Mizuho customers order information, including the identities of buyback customers that had placed trade orders with Mizuho…, created a risk that Mizuho execution and sales traders could misuse material nonpublic customer buyback order information, including by disclosing the order information to Mizuho customers.” According to the SEC, the risk that nonpublic buyback order information could be shared with Mizuho’s customers became a reality on several occasions, when such material nonpublic information was disclosed to its customers, allowing them to financially benefit from knowledge of the buybacks. As a result, Mizuho agreed to pay a $1.25 million penalty, accepted a censure and agreed to an order to cease and desist from committing or causing any violation and any future violation of Section 15(g) of the Exchange Act, which, generally, requires registered broker-dealers to establish, maintain and enforce written policies and procedures to prevent the misuse of material nonpublic information by these entities. (The consent cease and desist order can be found here.)
Here, it appears that Mizuho had in place established written policies and procedures to protect against the disclosure of material nonpublic information, but its alleged failure to maintain and enforce those policies and procedures led to the SEC enforcement action and eventual consent order. In that regard, whether the issue relates to the failure to safeguard material nonpublic information through effective controls or sensitive personal identifying information that may be disclosed as the result of a cybersecurity breach, the SEC is reminding organizations that merely designing written policies and procedures without effectively implementing them will not immunize organizations from enforcement actions and the imposition of heavy penalties.
For example, with respect to the imposition of fines for failure to appropriately safeguard, investigate, remediate and timely disclose cybersecurity breaches relating to protected customer information, earlier this year, in April 2018, pursuant to an agreed consent order, Yahoo! (now known as Altaba, Inc., following its acquisition by Verizon) agreed to pay a $35 million penalty associated with the mega breach in 2014. According to the press release issued by the SEC, the penalty was imposed, in part, because “Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.” The SEC was also concerned that “the fact of the breach was not disclosed to the investing public until more than two years later, when in 2016 Yahoo was in the process of closing the acquisition of its operating business by Verizon Communications, Inc.,” and that “it failed to disclose the breach or its potential business impact and legal implications.” Instead, the press release noted, in its SEC filings Yahoo! seemed to minimize the threat to its business (and to investors) by stating that it faced only the risk and negative effects that might result from a data breach. The press release also found fault with Yahoo! in that it “did not share information regarding the breach with its auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Finally, the SEC’s order finds that Yahoo failed to maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team concerning cyber breaches, or the risk of such breaches, were properly and timely assessed for potential disclosure.” The press release can be found here and the order here.
Recent enforcement actions taken by the SEC, coupled with the cybersecurity disclosure guidance it issued in February 2018, make plain that the SEC is prepared to intercede where it believes companies have failed to take appropriate measures to inform investors regarding cybersecurity risks and incidents. As such, companies should ensure that they have sufficient policies and controls in place to detect, mitigate, remediate and disclose cybersecurity events that might affect investors, separate and apart from any duties that might govern disclosure to those individuals whose protected information might have been compromised. The SEC Statement and Guidance on Public Company Cybersecurity Disclosures can be found here.