Sign up to save your podcasts
Or
Share Ken Herzinger and Eric Sibbitt | A more aggressive SEC takes aim at tech and financial innovation
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Ken Herzinger and Eric Sibbitt | A more aggressive SEC takes aim at tech and financial innovation
Is the SEC trying to regulate cybersecurity and innovative financial products through easy enforcements? And is a leanly-staffed SEC prepared for robust pushback from defendants?
More on Ken Herzinger and Eric Sibbitt.
SPEAKERS
Wayne Stacy, Ken Herzinger, Eric Sibbitt
Wayne Stacy 0:00 Welcome, everyone to today's expert series podcast from the Berkeley Center for Law and Technology. I'm your host, Wayne Stacey. And today we're going to talk about federal regulators and their activity in the tech space, in particular, how our federal regulators addressing technology issues, and is there an increased appetite for enforcement. To help guide this discussion today, we have two of the nation's leading experts from Paul Hastings. Well, first we have Ken Herzinger and Eric Sibbtt. So welcome to both of you. And thank you for joining us
Ken Herzinger 0:41 Thanks a lot, Wayne.
Eric Sibbitt 0:42 Thanks for having us.
Wayne Stacy 0:44 So let me just kick off with the first piece of this. And we're going to focus really on the the SEC. So on August 30, the SEC announced actions against eight firms for violation of the safeguards rule related to cyber security. What are the main findings of those actions that attorneys need to know about?
Ken Herzinger 1:06 Yeah, so these cases, were actually the last three of a string of cases that have been charged since May 2021. And a real uptick. And these cases were interesting, because the SEC, charged these firms under the safeguards rule, which applies to broker dealers, and requires them to protect investor data by putting in controls and policies and procedures. And well, the SEC found, for example, is with respect to sutera. That the the entities cloud based email accounts of over 60 personnel had been taken over by unauthorized third parties, and resulted in exposure of their personal information PII of roughly 4388 customers and clients. And what the SEC said both in in the various orders they charged as well as the press release is, it's not enough to have policies and procedures to protect identifying information held by investors on your platforms. But you need to actually go out and put teeth to those policies and procedures and enforce them. And when you see red flags, you need to go out and, and stop the activity. The kind of the high level takeaway that I thought was most interesting is one, it showed that there's a real tight working relationship right now between the OC formerly OC now the examination staff and the enforcement staff. So this one bubbled up out of a, all of these actually bubbled up out of examinations. And then the other piece is that this shows the staff is getting more aggressive, not just about SEC regulation, but about protested protecting customer data itself, which is a little bit of an extension, really beyond the rule and overall securities laws, if you think about it, sort of starting to sway a little bit into the dotnet data privacy area. But that's kind of my overall take on these cases.
Wayne Stacy 3:19 Well, I mean, I think that's a that's a great point that when people think about the SEC, data privacy doesn't automatically pop to mind is something that they're interested in. I mean, are they just trying to get people in line? Or do you see this as a long term enforcement mechanism for them?
Ken Herzinger 3:37 Well, I think under the current new administration, so at least for the next three or so years, I think this is a longer term extension. I think it's a signal more to come. We'll see, you know, what the next administration has to hold, but I do see them. And this is just one area of where the staff seems to be push
View all episodes
By Kelly TorresIs the SEC trying to regulate cybersecurity and innovative financial products through easy enforcements? And is a leanly-staffed SEC prepared for robust pushback from defendants?
More on Ken Herzinger and Eric Sibbitt.
SPEAKERS
Wayne Stacy, Ken Herzinger, Eric Sibbitt
Wayne Stacy 0:00 Welcome, everyone to today's expert series podcast from the Berkeley Center for Law and Technology. I'm your host, Wayne Stacey. And today we're going to talk about federal regulators and their activity in the tech space, in particular, how our federal regulators addressing technology issues, and is there an increased appetite for enforcement. To help guide this discussion today, we have two of the nation's leading experts from Paul Hastings. Well, first we have Ken Herzinger and Eric Sibbtt. So welcome to both of you. And thank you for joining us
Ken Herzinger 0:41 Thanks a lot, Wayne.
Eric Sibbitt 0:42 Thanks for having us.
Wayne Stacy 0:44 So let me just kick off with the first piece of this. And we're going to focus really on the the SEC. So on August 30, the SEC announced actions against eight firms for violation of the safeguards rule related to cyber security. What are the main findings of those actions that attorneys need to know about?
Ken Herzinger 1:06 Yeah, so these cases, were actually the last three of a string of cases that have been charged since May 2021. And a real uptick. And these cases were interesting, because the SEC, charged these firms under the safeguards rule, which applies to broker dealers, and requires them to protect investor data by putting in controls and policies and procedures. And well, the SEC found, for example, is with respect to sutera. That the the entities cloud based email accounts of over 60 personnel had been taken over by unauthorized third parties, and resulted in exposure of their personal information PII of roughly 4388 customers and clients. And what the SEC said both in in the various orders they charged as well as the press release is, it's not enough to have policies and procedures to protect identifying information held by investors on your platforms. But you need to actually go out and put teeth to those policies and procedures and enforce them. And when you see red flags, you need to go out and, and stop the activity. The kind of the high level takeaway that I thought was most interesting is one, it showed that there's a real tight working relationship right now between the OC formerly OC now the examination staff and the enforcement staff. So this one bubbled up out of a, all of these actually bubbled up out of examinations. And then the other piece is that this shows the staff is getting more aggressive, not just about SEC regulation, but about protested protecting customer data itself, which is a little bit of an extension, really beyond the rule and overall securities laws, if you think about it, sort of starting to sway a little bit into the dotnet data privacy area. But that's kind of my overall take on these cases.
Wayne Stacy 3:19 Well, I mean, I think that's a that's a great point that when people think about the SEC, data privacy doesn't automatically pop to mind is something that they're interested in. I mean, are they just trying to get people in line? Or do you see this as a long term enforcement mechanism for them?
Ken Herzinger 3:37 Well, I think under the current new administration, so at least for the next three or so years, I think this is a longer term extension. I think it's a signal more to come. We'll see, you know, what the next administration has to hold, but I do see them. And this is just one area of where the staff seems to be push