SEC Cybersecurity Rules Require Major Compliance Efforts

Experts say regulations adopted last month will not be easy to meet without added resources and focus.



New cybersecurity rules adopted by the Securities and Exchange Commission last month will require investments in additional training and resources, according to compliance experts who have studied the rule.

Under the new rules, public companies need to disclose significant cybersecurity events within four business days of their discovery and maintain policies and procedures to ensure compliance. The first step for businesses to meet these regulations will be determining if a digital risk is “significant” or not, according to Richard Cooper, the global head of financial services at Fusion Risk Management. To do that, he says, firms must first understand what their business is and what security breaches would be a concern.

“This isn’t an IT problem; it’s a business problem,” he explains.

Different firms have different priorities, and a regulator such as the SEC does not have insight into the nuances of every business, Cooper notes. The word “significant” is ambiguous, but “it’s ambiguous for your own good,” because the alternative would be the SEC deciding how to run and protect individual businesses.


Cooper gives the example of a bank’s access to cash, loans or key information on their clients and the market being breached or compromised as a “significant event.” But leaks of internal training material, preliminary data or publicly available information probably would not be considered “significant.”

Cooper adds that, for all relevant companies, employee training will be essential. If one department is compromised, then the entire firm only has four days to report it. This means employees will need to be able to recognize an event and know how to report it and to whom. Cooper asks, “Are you confident they will tell you quickly enough?” Companies should therefore focus training efforts on all departments rather than just the IT and legal divisions, he says.

If there is a significant digital event, a firm can request two 30-day extensions, followed by a final 60-day extension, by appealing to the U.S. Attorney General’s office to determine that disclosing the event would compromise national security or public safety, according to the rule.

Helen Christakos, a partner in Allen & Overy LLP, says, “It’s going to be a challenge to get in touch with the AG in that short a window.” She adds that, “there will be something of an art to writing these disclosures” to ensure compliance with the SEC’s rule while not complicating investigations taking place at the state or local level, since those officials do not have the authority to request a postponement of the disclosure.

Speaking of state law enforcement, Christakos recommends that companies “make sure everyone is in the loop and comfortable with what is disclosed,” but that, ultimately, a firm must still comply with the SEC rule.

There is no additional postponement for a significant cybersecurity event after 120 days, according to the rule.

Michael Borgia, a partner in Davis Wright Tremaine LLP, quips that, “after 120 days, it no longer matters what the AG thinks about national security; you have to disclose it.”


UK Tribunal Upholds TPR’s Pension Contribution Notice Powers

The Meghraj Group pension’s sponsor was ordered to pony up nearly 2 million pounds following a dividend payment probe.



A U.K. tribunal has upheld The Pensions Regulator’s issuance of a contribution notice for almost 1.9 million pounds ($2.43 million) to be paid into the Meghraj Group Pension Scheme by Anant Shah, the former owner of the plan’s sponsor.

The case was related to the Meghraj Group of companies, an international investment and banking advisory and fiduciary services firm. Subsidiary Meghraj Financial Services Ltd. (MFSL), the plan’s former sponsor, entered into a creditors’ voluntary liquidation in 2014 that left the plan with a deficit of approximately 5.85 million pounds.

According to TPR, it investigated a series of payments made from Meghraj Financial Services to its parent company, Meghraj Property Ltd., and found the payments followed the firm’s disposal of its shares in a joint venture company with most of the sums paid out as dividends. However, the payments should have been used to fund the plan, and failing to do so was materially detrimental to the plan’s participants, TPR determined.

During a previous hearing before TPR’s Determinations Panel in February 2020, the regulator argued that it was reasonable to issue a contribution notice against Anant Shah, a director of MFSL, and his nephew, Rohin Shah. The panel agreed and issued a determination notice in June 2020 confirming a contribution notice of almost 3.7 million pounds against Anant Shah and Rohin Shah. Both referred the decision to the Upper Tribunal, but Rohin Shah settled with TPR before the hearing.


The Upper Tribunal, responsible for hearing challenges against certain regulators, including TPR, upheld the regulator’s decision to issue a contribution notice against Anant Shah.

The tribunal agreed with TPR that it was reasonable for Anant Shah to pay the amount in the contribution notice, which included 50% of the sum that should have been paid into the plan, in addition to an uplift to account for the passage of time.

The tribunal also agreed with TPR that when it considers how much to order a target of a contribution notice to pay, it should not be limited to considering the loss to a plan resulting from the acts or inactions. In its ruling, the tribunal stated that when considering the reasonableness of a contribution notice, the amount “is not limited to the target’s current financial worth but also includes consideration of how the target has ended up in the financial position in which he currently finds himself. This includes taking into account the target’s receipt of monies and how they have been used.”

According to TPR, it is the first substantive case the Upper Tribunal has heard regarding the regulator’s contribution notice power.

“We welcome this clear and helpful judgment, which supports our long-held views about how the legislation should be interpreted,” Erica Carroll, TPR’s director of enforcement, said in a release. “It provides clarity on how CN sums should be calculated by confirming they are not limited by the loss to the scheme. This ends the speculation caused by past cases over whether these sums should be purely compensatory.”
