New SEC guidance on Cybersecurity
Posted by Matthew Elvey under Settlement Component
The SEC has a pathetic new regulation, its first on cybersecurity. It’s another cog in a system designed to provide the appearance of Justice without actually meting it out to the very powerful or wealthy. The SEC refused to act on warnings about the TD Ameritrade breach, the Madoff scam, and is poised to … continue to do more of the same…
Securities and Exchange Commission (Division of Corporation Finance) Disclosure Guidance:
Date: October 13, 2011
Summary: This guidance provides the Division of Corporation Finance’s views regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The SEC is clearly still not manning the guard posts.
This thing is chock full of the words ‘should’ and ‘material’ (as defined here). It’s a start, but it’s still pathetic. I think the SEC still doesn’t give a shit about brokerage company customers except to the extent that they are shareholders. TD Ameritrade claims (and would probably be judged to have done so correctly if there were a ruling) that the damage done by my suit and the hacking that was the subject of my suit was “not material”. It’s in their 10-K. So they’d read the sentence “For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.” and say it was not material. I want to send the SEC a request for a no-action letter to confirm or deny this.
The whole concept of “disclosure that itself would compromise a registrant’s cybersecurity” is a red herring. This is TD Ameritrade’s pathetic excuse for their failure to disclose pretty much anything about the breach.
There’s a panel discussion about this coming up soon, “Where Were the Gatekeepers?? How did so many executive frauds escape disclosure by the professionals who were supposed to guard the public against them?” Who bears the responsibility: Accountants? Lawyers? The Government? What consequences should ensue and what lessons have we learned for the future? Seems to me the system is designed to provide the appearance of Justice without actually meting it out to the powerful or wealthy.