CLIENT ALERT
April 4, 2016
Recent Developments in Cybersecurity: The SEC is Preparing Cases against Firms for Lack of Cybersecurity Preparedness and Phishing Attacks to Obtain Employee W-2s
SPEED READ
Two recent developments warrant reevaluating and enhancing security measures against cyber hacking. First, the SEC recently announced that it is preparing more enforcement actions against regulated firms for failing to establish proper cybersecurity defenses against cyberattacks. Second, with the tax deadline approaching, cybercriminals have launched numerous successful phishing attacks, obtaining thousands of employee W-2s and using them to seek fraudulent refunds from the IRS.
SEC Enforcement
Andrew Ceresney, head of the SEC’s Division of Enforcement, confirmed during a panel discussion at the Investment Company Institute’s Mutual Funds and Investment Management Conference in Orlando, Fla., that the SEC has other cybersecurity enforcement actions “in the pipeline.”[i]
The pending enforcement actions are the next logical step following the SEC’s increased focus on cybersecurity. On February 3, 2015, the agency published cybersecurity guidance for broker and advisory firms, summarizing the results of its annual examination program. The examinations focused on how these firms:
- Identify cybersecurity risks
- Establish cybersecurity policies, procedures and oversight processes
- Protect their networks and information
- Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors
- Detect unauthorized activity
This followed the SEC’s first cybersecurity case against R.T. Jones Capital Equities Management on September 22, 2015, for failing to have the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
SEC regulations require that investment advisers have in place policies and procedures to secure clients’ personal information and address the risk of cyberattacks. While cybersecurity will be the focus of increased compliance scrutiny, the SEC recognizes that many companies are striving to maintain safeguards on their customer data. “The issue is whether you’ve done enough,” Ceresney added.
Ceresney further advised firms to report any potential regulatory violations to the SEC. Ceresney said that firms have “every incentive” to self-report, noting that they may receive a reduced fine as a result.
Phishing Attacks Expose Employee W-2s
As the April 18 tax deadline draws closer, companies are seeing a significant increase in phishing attacks designed to obtain employee W-2 data, including Social Security numbers. A number of companies have fallen victim to this type of attack, in which cybercriminals purport to be company executives and request personal information from payroll or human resources employees, often in the form of requests for W-2s.
The Internal Revenue Service recently issued an alert warning companies to be vigilant against these “spoofed” emails. The spoofed emails contain the actual name of the company CEO and some form of request for the 2015 W-2 and earnings summary of company staff. The email may also request that the forms be sent as a PDF attachment. The recent spike in these attacks caused the IRS to renew a wider consumer alert for e-mail scams. According to the IRS, there has been an approximate 400% surge in phishing and malware incidents so far this tax season.
What Can Your Organization Do?
Organizations, particularly those regulated by the SEC or other government agencies, should prepare to respond to the increase in regulatory scrutiny around cybersecurity practices. For example, organizations should examine their policies and procedures around:
- Employee Training and Security Awareness. In addition to having in place written policies and procedures governing the safeguarding of personal information, firms should train their employees to be aware of threats to the security of personal information. This training should include phishing awareness training to guard against inadvertent disclosure of personal information.
- Service Provider Due Diligence. Firms that rely on service providers to process and store personal information on their behalf should ensure that they have conducted thorough due diligence confirming that the service providers maintain adequate levels of security for personal information. For key service providers, it is important not only to confirm that the service provider has robust protections in place, but also to test and independently verify those protections.
- Phishing Diligence. Employees should be made aware of the spike in phishing attempts and be trained to detect and spot such “spoofed” emails. For example, employees should independently verify any request for personal information that appears to be made by an executive via email. In addition, companies should consider implementing formal phishing training.
In addition to strengthening internal procedures and policies, firms that have suffered a cyberattack may wish to evaluate, with counsel, their state and federal reporting obligations, whether to report the attack to law enforcement and, if subject to regulatory oversight, whether to self-report the breach to their governing agency.
[i] Beagan Wilcox Volz, SEC Preparing To Whack Firms With Weak Cyber Defenses, Ignites, March 17, 2016 (reporting Mr. Ceresney’s comments).
Authors: Grant P. Fondo, Lauren McDermott
GET IN TOUCH
For more information about the contents of this alert, please contact:
Grant Fondo, Partner, +1 650 752 3236, gfondo@goodwinprocter.com
Lynne Barr, Partner, +1 617 570 1610, lbarr@goodwinprocter.com
Brenda Sharton, Partner, +1 617 570 1214, bsharton@goodwinprocter.com
Lauren McDermott, Associate, +1 202 346 4125, lmcdermott@goodwinprocter.com
© 2016 Goodwin Procter LLP. All rights reserved. This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided with the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin Procter LLP, Goodwin Procter (UK) LLP or their attorneys. Prior results do not guarantee a similar outcome.
Goodwin Procter LLP is a limited liability partnership which operates in the United States and has a principal law office located at 53 State Street, Boston, MA 02109. Goodwin Procter (UK) LLP is a separate limited liability partnership registered in England and Wales with registered number OC362294. Its registered office is at Tower 42, 25 Old Broad Street, London EC2N 1HQ. A list of the names of the members of Goodwin Procter (UK) LLP is available for inspection at the registered office. Goodwin Procter (UK) LLP is authorized and regulated by the Solicitors Regulation Authority.