Reg SCI Failures | $10 Million SEC Charge
Introduction
On May 22nd, the SEC announced a $10 million penalty against a business for failing to notify the SEC of a cybersecurity incident as required by Regulation SCI.
Regulation SCI was designed to ensure that potentially devastating cybersecurity incidents are reported promptly to regulators, so that market-impacting events can be prevented where possible.
This enforcement action highlights the SEC’s commitment to ensuring that market participants take cybersecurity seriously.
What Happened?
- The Firm first recognized a possible vulnerability in its VPN on April 16th, 2021.
- At that point, Reg SCI required immediate notification to the SEC, followed by a written notification within 24 hours.
- The only exception would have been if the Firm had also immediately determined that the intrusion would have no impact, or only a de minimis impact, on its operations or on other market participants.
- After finding the malicious code that exploited the vulnerability in its VPN, the Firm conducted both an internal evaluation of its systems and an external review by a third-party cybersecurity firm.
- On April 20th, the legal and compliance teams for the Firm were finally notified of the event and all parties determined that it was a de minimis event.
- The Firm’s policies and procedures rated cybersecurity events on a 1 to 5 severity scale, with only a level 1 or 2 (critical and high) triggering an alert to the compliance and legal departments. Level 3 events were considered potentially de minimis and did not trigger immediate notification of compliance and legal.
Vigilant’s Conclusion
It is important that Firms understand that Regulation SCI requires immediate notification to the SEC unless an immediate determination can be made that the event is de minimis.
Policies and procedures must be designed in a way that demonstrates compliance with cybersecurity regulations.
Director of Enforcement Gurbir Grewal emphasized that this order and penalty reflect the seriousness of this compliance issue.
To help minimize regulatory burdens for your Firm, consider a Gap Analysis of your policies and procedures, or on-going support from Vigilant.