Key Takeaways From a Second Summer Blitzkrieg of SEC Cybersecurity Enforcement
John Reed Stark
President, John Reed Stark Consulting | Former Chief, SEC Office of Internet Enforcement | First in Incident Response
[Shorter version also published on Law360]
The SEC just fired its second summer cybersecurity enforcement salvo in the span of two weeks, turning its enforcement torrent from cyber-related disclosure failures at public companies, to cybersecurity failures at SEC-registered financial firms.
In its first salvo, fired on August 16, 2021, the SEC went ballistic. Without alleging fraud, without charging any individuals and, in one instance, without even alleging materiality, the SEC filed two administrative enforcement actions against two public companies for cyber-related disclosure failures.
But in its second salvo, fired on August 30, 2021, the SEC went plaid. Once again, without alleging fraud, without charging any individuals and, this time, without alleging harm to any customer or other stakeholder, the SEC filed three more administrative enforcement actions, all relating to the failure of SEC-registered entities to safeguard customer information.
SEC Chair Gary Gensler has signaled in recent speeches and congressional testimony that cybersecurity would become a top priority during his tenure – and he has clearly begun making good on his promise. These three new SEC enforcement actions, charging eight separate financial firms with violations of Regulation S-P (the Safeguards Rule), indicate a seismic shift in SEC focus and provide a dozen critical takeaways for any SEC-registered entity.
The SEC Enforcement Actions
On August 30, 2021, the U.S. Securities and Exchange Commission (SEC) filed administrative actions against eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers, exposing the personal information of thousands of customers and clients at each firm.
An email account takeover occurs when an unauthorized third party gains access to a customer’s email account and, beyond viewing its contents, can take the actions of a legitimate user, such as sending and deleting emails or setting up forwarding rules.
The eight firms, which have agreed to settle the SEC charges, are: Cetera Advisor Networks LLC, Cetera Investment Services LLC, Cetera Financial Specialists LLC, Cetera Advisors LLC, and Cetera Investment Advisers LLC (collectively, the Cetera Entities); Cambridge Investment Research Inc. and Cambridge Investment Research Advisors Inc. (collectively, Cambridge); and KMS Financial Services Inc. (KMS). All were SEC-registered as broker dealers, investment advisory firms, or both.
Cetera. According to the SEC's order against the Cetera Entities, between November 2017 and June 2020, cloud-based email accounts of over 60 Cetera Entities' personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of at least 4,388 customers and clients. None of the taken over accounts were protected in a manner consistent with the Cetera Entities' policies. The SEC's order also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC sent breach notifications to the firms' clients that included misleading language suggesting that the notifications were issued much sooner than they actually were after discovery of the incidents.
Cambridge. According to the SEC's order against Cambridge, between January 2018 and July 2021, cloud-based email accounts of over 121 Cambridge representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 Cambridge customers and clients. The SEC's order finds that although Cambridge discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
KMS. According to the SEC's order against KMS, between September 2018 and December 2019, cloud-based email accounts of 15 KMS financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 KMS customers and clients. The SEC's order further finds that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until August 2020, placing additional customer and client records and information at risk.
The SEC's orders against each of the firms find that they violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC's order against the Cetera Entities also finds that Cetera Advisors LLC and Cetera Investment Advisers LLC violated Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Without admitting or denying the SEC's findings, each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty. The Cetera Entities will pay a $300,000 penalty, Cambridge will pay a $250,000 penalty, and KMS will pay a $200,000 penalty.
These enforcement actions are not only a harbinger of future SEC enforcement actions but also, as set forth below, provide a slew of critical takeaways for any SEC-registered firm.
The Safeguards Rule Remains the Cornerstone of the SEC’s Cybersecurity Regulatory Framework
The Cambridge, Cetera and KMS actions demonstrate that the SEC staff has no need for any new rules or regulations regarding cybersecurity requirements at SEC-registered entities. The Safeguards Rule, a broad and powerful piece of SEC statutory weaponry already on the books, provides the ideal prosecutorial tool.
Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”) requires every broker-dealer and every investment adviser registered with the Commission to adopt written policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Historically, the SEC enforcement division (and the Financial Industry Regulatory Authority (FINRA)) have used the Safeguards Rule as the basis for charging cybersecurity failures at SEC-registered firms ten times before, as recently as 2018 and dating back to 2007, in various administrative actions charging (in reverse-chronological order): Voya Financial Advisors, Inc.; Morgan Stanley Smith Barney LLC; Craig Scott Capital, LLC, Craig S. Taddonio, and Brent M. Porges; R.T. Jones Capital Equities Management, Inc.; Marc Ellis, Frederick Kraus and David C. Levine (from Gunn-Allen Financial Inc.); Dante J. DeFrancesco (a FINRA enforcement action); Commonwealth Equity Services, LLP d/b/a Commonwealth Financial Network; NEXT Financial Group; and Sidney Mondschein and UNCI, Inc.
Violation of the SEC’s non-scienter-based Safeguards Rule has become the standard minimum charge in cybersecurity-related enforcement actions against financial firms, just as violation of the SEC’s non-scienter-based internal controls rules has become the standard minimum SEC charge in accounting-related enforcement actions against public companies.
Independent Contractors
Whether a violation occurs at the mothership of a broker-dealer or within the storefront of its independent contract representatives, the mothership will remain responsible, despite the sacrosanct sensitivity of the so-called independent model of the financial services industry.
The Cetera and Cambridge matters in particular make clear that cybersecurity policies should be written, implemented and updated on a firmwide basis, extending to any independent contractors who have access to personal or other sensitive information. After all, investors trust the name of a financial firm, and whether that firm’s name is etched in stone on its headquarters or painted on the shingle of its independent contractors, its customers expect to experience the same high ethical, operational and cybersecurity standards.
Hence, SEC-registered entities must ensure that the cybersecurity decrees and policies from the home office are equally enforced at the offices of their independent contractors. And when cybersecurity failures occur at the independent contractor of an SEC-registered firm, the home office can find itself entangled in any SEC enforcement action pertaining to those cybersecurity failures.
Independent contractor status has long been an integral part of the financial services industry. According to SIFMA, the leading trade association for broker-dealers, investment banks and asset managers operating in the U.S., independent broker-dealers and the nearly 150,000 individuals that affiliate with them as independent financial advisors serve millions of clients across the U.S., reaching underserved communities and serving clients of various needs.
For financial advisors that choose this route instead of being an employee of a broker-dealer, independent contractor status allows them to own and operate their own business (formed as sole proprietorships, professional corporations, partnerships, LLCs, or other legal entities) and control the manner and means of its operation while operating in a highly regulated industry.
For example, Cambridge was a registered broker-dealer and a registered investment adviser with approximately 4,750 registered representatives and investment adviser representatives (collectively, “representatives”). Approximately 420 of the representatives were based in Cambridge’s home offices in Fairfield, Iowa, Atlanta, Georgia, and Phoenix, Arizona. Approximately 4,330 individuals were registered with FINRA as independent contractors and associated with independent branch offices providing brokerage and investment advisory services throughout the United States (“independent representatives”).
The independent contractor representatives were investment adviser representatives of Cambridge or were associated persons of Cambridge who were licensed as registered representatives or otherwise qualified to effect transactions in securities on behalf of Cambridge.
As noted in Books and Records Requirements for Brokers and Dealers Under the Securities Exchange Act of 1934, Exchange Act Release No. 44992, “[t]he SEC has consistently taken the position that independent contractors (who are not themselves registered as broker-dealers) involved in the sale of securities on behalf of a broker-dealer are ‘controlled by’ the broker-dealer, and, therefore, are associated persons of the broker-dealer.”
Meticulous Breach Notification
Breach notifications are not an instrument of public relations, marketing and spin, but rather legal and binding communications to stakeholders. Above all else, an effective breach notification process begins with the establishment of front-end administrative and technical safeguards and concludes with a meticulously drafted notice that is 100% true and accurate.
Successful breach notification processes entail a comprehensive information security plan that includes: a proper risk assessment of the data security incident involved; a reasonably clear understanding of the threats and vulnerabilities exposed; the implementation of a system to monitor for future security breach events; and a mitigation and remediation plan. A breach notification plan must also encompass proper review by senior technical and legal personnel to ensure precise, candid and fulsome disclosure of investigative findings and conclusions. Cetera seems to have (albeit unintentionally) ignored this last notion in particular.
For each email account takeover where Cetera identified potential customer PII exposure, Cetera issued breach notifications to impacted customers, notifying them that their PII may have been accessed without authorization. Cetera generally engaged outside counsel to prepare and deliver these notifications. While most breach notifications sent by Cetera’s outside counsel were accurate, the SEC determined that letters sent in 2018 and 2019 to approximately 220 advisory clients regarding takeovers of three Cetera Advisors and Cetera Investment Advisers representatives’ email accounts included language regarding the timing of the incidents that was misleading in light of the circumstances.
In particular, the breach notifications referred to the incidents as “recent” and stated that the representatives had “learned that an unauthorized individual gained access” to the recipient’s PII two months before the breach notification. Each entity, however, had learned of the underlying breach at least six months earlier. The SEC determined that the language in the breach notifications created a misleading impression that the incidents had occurred much more recently than they had and that each firm had learned of the incidents and promptly notified its customers.
At the time these letters were sent, Cetera Advisors’ and Cetera Investment Advisers’ policies and procedures for responding to cybersecurity incidents required the firms’ personnel to review client communications regarding these incidents before the communications were sent to clients. Cetera Advisors and Cetera Investment Advisers failed to implement reasonably designed policies and procedures because that review was conducted in a manner that failed to correct the misleading language.
Bespoke Incident Response Policies and Plans
It is now a cliché, well founded in reality, that data breaches are inevitable. Along those lines, just like a fire evacuation plan for a building, a company should have a plan in place to respond to data breaches. In the absence of a strong incident response plan, what could have been a relatively contained incident can become a major corporate catastrophe, because the company neither thought through all of the elements necessary for an effective response nor put the necessary mechanisms in place to ensure those elements were addressed in its plans.
In the KMS matter, the SEC discovered that KMS, at the time a subsidiary of Ladenburg Thalmann Financial Services, Inc. (“Ladenburg”), lacked its own Incident Response Policy and used an Incident Response Policy tailored to a different Ladenburg subsidiary. KMS’s mistake, a typical one for smaller firms, is that it failed to custom design its own incident response plan and policies and failed to annually review and update that plan to ensure its efficacy and efficiency.
All companies, especially financial firms, should strive to develop meaningful and effective incident response policies and plans and ask themselves the following questions:
Is there a current incident response plan? If so, when was the plan last updated? Who prepared the plan? Who approved the plan? What is the general approach and what are the general principles of the plan? Has the company ever run any mock or tabletop exercises to test the plan? Is there an accurate and current network topology diagram that is adequately documented, and if so, is it periodically re-assessed and revised as internal systems and external factors change?
Properly Modulate and Calibrate Remediation Recommendations
The KMS action reinforces the notion that companies should avoid engaging digital forensic consultants who are too quick to present a written laundry list of a company’s serious potential weaknesses together with a recommended list of exigent solutions. The reason? Because the reality is that, given cost concerns, logistical impossibilities, practical barriers, etc., most companies will not be able to cure all cybersecurity weaknesses or implement all recommendations. Thus, though intended for a company’s benefit, recommendation lists can also provide regulators, law enforcement, class action lawyers and other disgruntled parties with a useful roadmap for liability.
In the KMS matter, KMS hired two forensic firms to investigate its email account takeovers, including whether customer records and information had been exposed, notified affected customers, and offered credit monitoring services to affected customers. The forensic firms issued an incident report for each email account takeover that summarized the incidents and remedial measures taken, including resetting passwords and enabling MFA on the affected accounts. Several of the incident reports recommended the expedited enabling of MFA for all KMS independent contractor email addresses.
Despite the recommendations for expedited implementation of MFA, the SEC determined that KMS failed to adopt written policies and procedures requiring additional firm-wide security measures for all KMS email users, such as MFA, until May 2020, when it issued new policies and procedures. By then, KMS had begun implementing additional security measures, such as MFA, but KMS did not fully implement those measures firm-wide until August 2020. The SEC determined that this timeline placed at risk the security of additional customer records and information.
In addition, in July 2018, KMS received an audit report from a third party that recommended a review of remote access systems and consideration of stronger access controls, such as two-factor authentication. The SEC therefore determined that by the time of the first email account takeover in September 2018, KMS had known for several months that remote access to its systems needed stronger security controls. Of course, MFA made sense after the KMS data security incident, but implementation and execution of firm-wide data security changes can take time and sometimes, despite the best of intentions, become delayed.
When a third-party digital forensic firm barrels into a situation and recommends a laundry list of urgent cybersecurity changes to the victim firm, that laundry list can unfortunately create more problems than it solves.
While forensic firms should certainly identify potential weaknesses and propose possible solutions, they should also qualify, calibrate and properly modulate their advice, and ensure that all suggestions remain reasonable, practical and not overly costly. This means working closely with management to plan a sensible procurement timeline; to enable proper testing, assessment and training during any cyber-related product or procedure rollout; to ensure executive engagement with the project; and to apply the proper budgetary constraints, monitoring and cost considerations to the decision-making process.
Registered firms should also scour their files for prior laundry lists of recommendations and so-called heat-maps (i.e. graphical representations of cyber risk data that consulting firms often use where the individual values contained in a matrix are represented as colors that connote different levels of risk). Once identified, firms should ensure that there exists proper documentation with respect to any failure to implement recommendations or act on heat-map risk alerts.
Good Faith is Not a Defense
The Cambridge, Cetera and KMS matters all serve as a stark reminder that willful violations of the Safeguards Rule mean “willful” as to the act, not the violation, i.e., the SEC did not require any level of scienter when making its allegations.
Specifically, “willfully,” for purposes of imposing relief under Section 15(b) of the Exchange Act and Section 203(e) of the Advisers Act, “‘means no more than that the person charged with the duty knows what he is doing.’” There is no requirement that the actor “also be aware that he is violating one of the Rules or Acts.”
This renders violations of the Safeguards Rule akin to strict liability violations, which can severely limit a firm’s possible legal defenses to cybersecurity failures, even when committed in good faith and without a hint of fraud, deceit or chicanery.
Multi-Factor Authentication
None of the eight firms charged appears to have mandated MFA for all customers. While the SEC has never specifically prescribed MFA as a requirement for SEC-registered entities, these actions make it clear that the SEC expects firms to implement MFA, especially once a firm is on notice of email account takeovers.
Clearly, the SEC views MFA as a critical tool for safeguarding customer data and firm systems. SEC-registered firms should review their cybersecurity policies, consider making MFA a firmwide default setting for customers, and test firmwide to ensure proper MFA implementation.
The SEC’s Administrative Forum Remains the Preferred Venue for Cybersecurity Failures
As expected, the SEC selected an administrative courtroom in its own backyard as its forum for the Cambridge, Cetera and KMS matters, rather than a federal courtroom.
The SEC’s opting to level charges in an administrative court makes sense because the SEC has historically charged technical securities law violations committed by SEC-regulated entities in its own specialized and uniquely capable administrative forum (as opposed to more generic fraud violations, which the SEC has historically charged in federal court).
In future SEC enforcement matters involving cybersecurity failures, the SEC will likely continue to file its charges administratively, especially if the alleged violations pertain to an SEC-regulated entity violating an arguably vague and subjective regulation such as the Safeguards Rule.
Victims are Presumed, Not Required
Not surprisingly, breached investors (i.e., customers whose data may have been exfiltrated or otherwise compromised) need not suffer any damages in order for the SEC to charge a firm with a violation of the Safeguards Rule. Just like any of the recent data breaches making headlines, in the SEC Cambridge, Cetera and KMS orders: 1) the SEC does not identify the actual perpetrator of the cyber-attacks; 2) the SEC alleges no specific harm to any investor; and 3) actual harm to customers, while never even mentioned, is presumed (which is always a bit of a logical leap, but that is a subject for another article).
For instance, in the KMS matter, the SEC specifically alleges that: “The fifteen email account takeovers do not appear to have resulted in any unauthorized trades or fund transfers to unauthorized parties for any KMS customer accounts.” In the Cambridge matters, the SEC alleges that: “The email account takeovers do not appear to have resulted in any unauthorized trades or fund transfers to unauthorized parties from any Cambridge customer accounts.” In the Cetera matters, the SEC alleges that: “As used in this Order, the phrase ‘exposure of PII’ [personally identifiable information] means that an unauthorized third party has the ability to view, but has not necessarily viewed, the PII.”
The SEC, like every other regulator and law enforcement agency, relies on the ethereal axiom that some victim exists somewhere who has experienced some sort of damage, perhaps an identity theft, a business email compromise or some other related computer crime.
Control, Monitor and Limit Employee and Administrative Access to Data and Systems
Phishing and credential stuffing continue to be the most common modes through which threat actors breach systems. Threat actors apparently employed phishing techniques to gain unauthorized access in the Cambridge, Cetera and KMS matters and credential stuffing in the Cambridge and Cetera matters.
Phishing is a means of gaining unauthorized access to a computer system or service by using a fraudulent or “spoofed” email to trick a victim into downloading malicious software or entering his or her log-in credentials on a fake website purporting to be the legitimate log-in website for the system or service. Credential stuffing is a means of gaining unauthorized access to accounts by automatically entering large numbers of pairs of log-in credentials, typically a username or email address together with a password, that were obtained elsewhere.
Along these lines, the Cambridge, Cetera and KMS SEC enforcement actions should remind companies of the need to control, monitor and limit administrative access to systems and employee access to data.
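The two attack patterns described above (credential stuffing, and an email account takeover followed by a new forwarding rule) each leave a recognizable trace in a cloud email provider's sign-in and mailbox audit logs. The following is an added detection example written for this article; it is not code from the SEC orders or from any of the firms charged. The log format, the usernames and the IP addresses (from the RFC 5737 documentation ranges) are constructed, and the thresholds (five distinct accounts failing from one source within ten minutes) are assumptions a firm would tune to its own environment.

```python
"""Added example: detect credential stuffing and post-takeover mail forwarding
rules in a (constructed) cloud e-mail sign-in / mailbox audit log."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. One source (203.0.113.7) sprays failed logins across many
# accounts, succeeds on one, and then adds an external forwarding rule from that
# account. A legitimate user (adviser2) adds a rule from a source already known for them.
SAMPLE_LOG = """\
2021-03-02T09:00:00Z login_ok user=adviser1 src=198.51.100.10
2021-03-02T09:01:00Z login_failed user=adviser1 src=203.0.113.7
2021-03-02T09:01:02Z login_failed user=adviser2 src=203.0.113.7
2021-03-02T09:01:04Z login_failed user=adviser3 src=203.0.113.7
2021-03-02T09:01:06Z login_failed user=assistant1 src=203.0.113.7
2021-03-02T09:01:08Z login_failed user=assistant2 src=203.0.113.7
2021-03-02T09:01:10Z login_ok user=assistant2 src=203.0.113.7
2021-03-02T09:05:00Z rule_created user=assistant2 src=203.0.113.7 forward_to=ext@example.net
2021-03-02T10:00:00Z login_ok user=adviser2 src=198.51.100.11
2021-03-02T10:02:00Z rule_created user=adviser2 src=198.51.100.11 forward_to=me@example.org
2021-03-02T11:00:00Z login_failed user=adviser3 src=198.51.100.12
"""

# Constructed baseline of source addresses each user has historically signed in from
# (in practice built from the prior weeks of successful sign-ins).
KNOWN_SOURCES = {
    "adviser1": {"198.51.100.10"},
    "adviser2": {"198.51.100.11"},
    "assistant2": {"198.51.100.20"},
}


def parse(log_text):
    """Parse 'TIMESTAMP EVENT key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, *kv = line.split()
        fields = dict(pair.split("=", 1) for pair in kv)
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        fields["event"] = event
        events.append(fields)
    return events


def credential_stuffing_sources(events, min_users=5, window=timedelta(minutes=10)):
    """Return source IPs whose failed logins span >= min_users distinct accounts
    inside any window-sized interval. A single user mistyping a password will not
    trip this; one source walking a leaked credential list will."""
    failures = defaultdict(list)
    for e in events:
        if e["event"] == "login_failed":
            failures[e["src"]].append((e["ts"], e["user"]))
    flagged = set()
    for src, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged.add(src)
                break
    return flagged


def suspicious_forwarding_rules(events, known_sources, stuffing_sources=frozenset()):
    """Return (user, src, forward_to) for forwarding rules created from a source the
    user has never signed in from, or from a source already flagged for stuffing.
    A new forwarding rule is the classic persistence step after an account takeover."""
    hits = []
    for e in events:
        if e["event"] != "rule_created":
            continue
        from_unknown = e["src"] not in known_sources.get(e["user"], set())
        if from_unknown or e["src"] in stuffing_sources:
            hits.append((e["user"], e["src"], e["forward_to"]))
    return hits


def run(log_text=SAMPLE_LOG, known_sources=KNOWN_SOURCES):
    """Run both detections over the log; returns (stuffing_sources, forwarding_hits)."""
    events = parse(log_text)
    stuffing = credential_stuffing_sources(events)
    rules = suspicious_forwarding_rules(events, known_sources, stuffing)
    return stuffing, rules


if __name__ == "__main__":
    stuffing, rules = run()
    print("credential stuffing sources:", sorted(stuffing))
    for user, src, target in rules:
        print(f"review forwarding rule: user={user} src={src} forward_to={target}")
```

On the sample log only 203.0.113.7 is flagged for stuffing, and only assistant2's rule (created from that source) is reported; adviser2's rule from a known source is left alone.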
An administrator account is a user account that allows the administrator (or “admin”) to make changes that will affect other users. Admins can change security settings, install software and hardware, and access all files on a computer, mobile device, tablet or network. Admins can also make changes to other user accounts. Cyber-attackers prey in particular on admin passwords (to attain command and control of a system), especially those rarely used, which can fly under the radar. Inadvertently keeping old admin passwords or assigning too many admin passwords can lead to massive data breaches and is an easily avoidable vulnerability.
Yet so many firms fail to have policies, procedures and technologies in place for admin activities – even ones as simple as confirming and auditing the shutdown of stale admin accounts (e.g. those held by departed employees) or enforcing continual and strong password requirements. The use of admin passwords and admin rights should be tightly controlled, monitored and documented.
With respect to employees’ access to data and systems, unlimited or loosely regulated access to firm-wide systems creates opportunities for internal misbehavior or external threat exploitation (like an APT attack or SQL injection). Corralling, restricting and surveilling universal access to systems and data requires constant vigilance. Segregating data access by job classification is important, requiring strict policies, vigilant enforcement of those policies and meticulous attention to turnover and promotions.
When data access is not restricted by technologically implemented authorization modules, there will always exist a danger of inappropriate, unlawful or nefarious access, especially access achieved via phishing and credential stuffing.
Passwords
The Cambridge, Cetera and KMS matters also serve as a reminder that companies should have written and technologically enforced policies mandating that passwords are changed at certain intervals throughout the year with specified configurations and characteristics.
Passwords are the first line of defense in any company and should be regularly audited for compliance with the password policy. Weak or predictable passwords make it very easy for an attacker to access external email portals or VPNs, and can also raise the ire of regulators like the SEC.
The Importance of Remediation
While the SEC’s administrative orders do not detail the specific remedial steps taken by the Cambridge, Cetera and KMS entities, the orders note that because of their remedial actions, the penalties for each entity were reduced.
The best approach to managing any data security incident is to undertake a careful, objective, transparent and independent internal investigation concerning the attack, expeditiously report findings to the SEC and to law enforcement – and work diligently to remediate any problems.
When a firm undertakes a sophisticated, responsible, understandable, dogged and impartial approach to incident response and remediation, the SEC seems increasingly likely to offer some form of “remediation” credit.
Cybersecurity Remains an Oxymoron
Remember Jeff Goldblum’s character in the film Jurassic Park, Dr. Ian Malcolm, who discusses Chaos Theory and the so-called Butterfly Effect by showing how water drops will stream differently every time a drop is released on a finger. Dr. Malcolm specializes in ‘Chaos Theory’ and predicts that the Jurassic Park island will quickly proceed to behave in “unpredictable fashion” and that it was “an accident waiting to happen.”
The same goes for cybersecurity – no matter how skilled and talented an information security team, there will always be flaws, mistakes and mishaps. Given the nature of external threats, internal threats and an ever-changing IT infrastructure, there are too many variables (especially variables involving people) to believe otherwise.
The threat actors who attacked the Cambridge, Cetera and KMS entities represented an “external” threat, which could have been state sponsored — perpetrated by terrorists, military or other companies. Given the total weight of resources at the disposal of external threats (such as legions of soldiers), external threats can outgun any company, even large, complex and sophisticated financial firms.
Every company can experience a data breach — and probably already has. That is why companies need to shift cybersecurity practices away from prevention and detection and into a paradigm of incident response. Traditional data breach protections do not detect quickly enough, or act nimbly enough, to counter today’s sophisticated and clandestine data breaches.
Yet so many companies remain unwilling to recalibrate cybersecurity into a more effective archetype of response. Because cybersecurity threats have suddenly become so complex, sophisticated and transnational, companies are struggling to stay current. When a cyber-attack hits the headlines, there is an instinctive reaction that somebody screwed up and left a door unlocked. This only fuels the notion that breached companies must redouble fortification and detection. That might be true, but the reality is that companies, above all else, should pivot their attention and focus to data breach response.
When companies trying to prevent data breaches rely too much upon customary protections such as intrusion detection and firewalls, they are just as misguided as parents trying to prevent their kids from catching colds by relying upon hand-washing and multiple clothing layers. The smarter method for combating data breaches (like colds) is to focus efforts and preparation on how to contain, treat and cure the problem, as fast and as painlessly as possible. Company executives should preach this realism, rather than the fantasy of ironclad security.
The Cambridge, Cetera and KMS actions reinforce the new paradigm of cybersecurity: where technological infrastructure has expanded dramatically; where data points reside on multiple platforms (including employee devices, vendor networks and the cloud); and where data breaches don’t define victim companies, but how companies respond to them does.
Looking Ahead
The Cambridge, Cetera and KMS entities clearly made mistakes with regard to their systems and their procedures, which left customer data vulnerable to external threats. Whether their mistakes should have cost them fines and the scarlet letter of an SEC enforcement action is debatable. But under any circumstance, the matters send three important messages:
First, no firm enjoys perfect cybersecurity, no matter how sophisticated and careful. Mistakes will happen and, when they do, the SEC will pounce, wielding its broad and sweeping Safeguards Rule in an SEC administrative courtroom located in the basement of its headquarters.
Second, the SEC’s press release announcing all eight actions concludes with a long list of SEC examinations staff who helped uncover the alleged violations, demonstrating that the agency's exam and enforcement units are working in tandem to identify and prosecute cybersecurity failures at SEC-registered entities. Whenever the SEC enforcement and examination divisions combine forces, the synergy is exponential and the result will typically send shockwaves throughout the financial services industry.
Finally, by responding with speed, transparency, independence and vigor, some firms might escape SEC enforcement, but others might get penalized regardless. Indeed, when a data security incident occurs at an SEC-registered financial firm, whether that firm gets sued by the SEC enforcement division seems, for lack of a better word, a crapshoot.
The ambiguity of the Safeguards Rule’s vast and abstract catch-all leaves a wide-open window for interpretation, and what is “reasonable” in terms of cybersecurity is a question that will continue to plague financial firms for many years to come.
There exists no explicit standard of care for cyber, and experts will almost always disagree about the reasonableness of a firm’s cybersecurity. In fact, listening to cybersecurity experts discuss best practices is like listening to a morning sports show debate its weekend picks. Cybersecurity experts rarely agree on anything, from the best endpoint detection and response system to the use of Windows versus Macs. Everyone has their own passionate opinion of the latest technologies, innovations and supposed silver bullets, but in the end, no one ever knows for sure which cybersecurity tools and practices work best.
Will the SEC ever mandate specific technologies and cyber-related policies, practices and procedures? Probably not. Innovative, steadfast and always unpredictable, threat actors can transform their modus operandi overnight. Thus, any SEC-mandated cyber-edicts would quickly become obsolete or ineffective, or ironically, create an unintended safe harbor for those who opted to follow those cyber-edicts.
My take is that what constitutes "reasonable" cybersecurity will always be equivocal, opaque and muddled. However, just like Justice Potter and pornography, the SEC apparently knows what’s "unreasonable" when it sees it, and revels in its role as judge, jury and executioner in a painful but necessary regulatory guessing game played by financial firms.
*John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke University Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of "The Cybersecurity Due Diligence Handbook."