SEC Continues Preparations for a Black Swan Event
One common definition of a "black swan event" is an event that (1) "lies outside the realm of regular expectations"; (2) "carries an extreme impact"; and (3) has "retrospective (though not prospective) predictability." On July 28, 2020, the Securities and Exchange Commission (SEC) announced the creation of the Event and Emerging Risks Examination Team (EERT)—a team that appears poised to identify, mitigate, and overcome black-swan-event risk in the financial markets.
The EERT is housed within the Office of Compliance Inspection and Examinations (OCIE), and its stated mission is to "proactively engage with financial firms about emerging threats and current market events . . . that could have systemic impact or that place investor assets at risk, such as exchange outages, liquidity events, and cyber-security or operational resiliency concerns." The establishment of the EERT is yet another example of SEC Chairman Jay Clayton's emphasis on "identifying and managing cybersecurity risks and ensuring market participants—including issuers, intermediaries, investors and government authorities—are actively and effectively engaged in this effort."
The ultimate role that the EERT will play is unclear, but its structural location within OCIE suggests that it will focus on examinations and compliance protocols in place at financial firms to deter and defeat asymmetrical cyber threats to the US securities market. For example, the OCIE's 2020 Examination Priorities highlighted that financial firms' "use of third-party service providers and other vendors . . . continues to increase, which can bring . . . additional challenges and risks to organizations." That document also affirmed that OCIE will "continue to focus on third-party risk management in FY 2020" so it can "closely track and evaluate the impact of several major risk themes affecting its registrant population, including information security and resiliency risks."
The EERT's creation reflects the SEC's continued and increased emphasis on cybersecurity. For instance, since its 2017 creation, the SEC's Cyber Unit has brought enforcement actions for failing to safeguard information, as well as for failing to disclose cyber-related risks in public disclosures. The EERT statement's express reference to cyber likely means continued enforcement and examinations, including those related to "resiliency," which suggests a possible focus on ransomware and similar threats. As always, companies should ensure that they have robust cybersecurity programs in place, including periodically conducting legally focused cybersecurity risk assessments to help ensure appropriate controls are in place to safeguard information; creating backup and other procedures necessary to respond to a ransomware attack; and implementing incident response processes that take into account the appropriate decision-makers for decisions related to public disclosure.
If you need help conducting a cyber risk assessment or otherwise evaluating the sufficiency of your controls, please feel free to reach out to the authors or any of their colleagues. Arnold & Porter has significant experience helping clients work to preempt and respond to data breaches, cybersecurity threats, and any resulting litigation or enforcement.
© Arnold & Porter Kaye Scholer LLP 2020 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.