The SEC fined a large technology company $100 Million for misleading shareholders in public filings about breaches of its policies protecting user information. The firm was also fined $5 Billion by the FTC. According to the SEC, the firm knew in 2015 that a researcher had violated its policies by obtaining and transferring confidential user data to a third party research firm. Regardless, the defendant’s public filings for the next two years presented the risk of misappropriated data as hypothetical even though the researcher had already transferred the data and admitted the scheme to the defendant. The SEC charged the company with violating the securities laws by issuing several misleading public filings.
Last February the SEC issued cybersecurity guidance to public companies about their obligations to fully disclose cybersecurity risks and incidents. If public companies didn’t take the SEC seriously then, we expect that the combined $5.1 Billion in fines will garner attention. For asset managers and broker-dealers, in addition to implementing required customer data protections, they must also consider their disclosures in Form ADV and Form BD as well as any relevant offering documents.