A law enforcement investigation is not an excuse for not disclosing a substantial crime to the Internet or investors or investors, experts say.
Companies can contact law enforcement agencies such as the FBI when dealing with an abuse of the internet, experts say.
"If you are a public company, you are obliged to inform investors of significant events occurring with your company," said Serrin Turner, New York-based partner and member of the Information Act, Data Privacy and Cyber Security Practices, Latham & Watkins LLP , on Wednesday's response forum in Washington, DC, on Wednesday. "Whether you tell the FBI about it or not, if you experience a significant event, you must disclose it."
In February 201
Under the leadership, companies must disclose significant cyber risks and essentials cyber events and determining the essence is a "very fact-specific investigation – what it depends on is the nature and extent and potential of the event or risk, especially in relation to the business of the company," says Deborah Tarasevich, Washington, DC-based Deputy Head of Market Abuse, Securities and Exchange Commission Certain factors to be considered are the importance of compromising the formation, impact on the company's business, damage to the company, including reputation or financial damage, as well as any litigation or regulatory action, she said.
"The fact that you have an ongoing internal investigation or even an external investigation such as the FBI, it is not a reason not to disclose a major cyber accident," Tarasevich said.
But Elizabeth Gray, Washington, DC-based partner in trial and co-chair of the Securities Practice Group for Willkie Farr & Gallagher LLP, noted that "on the SEC site is one of the reasons to be very careful before disclosing it when you start talking, you have an obligation to update, if you make a mistake you can cause more harm than if you just waited a month and judged it, if you have a good system in place, when the SEC will tap your door to look on your enlightening, you can say "this is what we did. We didn't know for sure. We talked to the FBI. We did our internal investigation. If we talked a month ago we may have got wrong and then we have an obligation to correct and investors may have sold out because we gave the wrong information. ""
Andrew Pak, vice president and corporate adviser for cybersecurity and privacy for Prudential Financial Inc. in Newark, New Jersey, said: "If you are a large financial institution and you have a cyber security program, you have incidents plans, likely to come Becoming Challenges That Gives You a Feeling of Something that Can Be Essential. "
Prudential Financial has subordinate incident plans for events that" can reach some degree of importance so that we would have broader or deeper interaction with senior executives, "he said.  "If you have an incident plan that is actually adapted to different levels of importance, it is already a good starting point for understanding if you now have to address the issue of materiality because there will be insignificant events that come up and those will not even trigger the valuable plan, he says.
According to the SEC information guide, you need to have sufficient information checks in place so that when a cyber event occurs, it is raised to the appropriate staff, up the business steps, who can make the disclosure decisions, "Ms Tarasevich said. "It is very important. But somehow, if you make an enlightenment that is so pancake, so basic that it can't even help an investor or be important to an investor, you can be in some risk there."
The SEC does not mean "other guesses, good faith, reasonable disclosure decisions," she said.
"We should look at this as" were you fair? What did the company know at that time and what they revealed, "said Ms. Tarasevich." It is said … there will be some circumstances where information is missing so that we will carry out enforcement action. But we believe that this is a very thoughtful and well-considered approach when it comes to developing such cases. "
In 2016, Morgan Stanley Smith Barney LLC agreed to pay a $ 1 million penalty to settle charges related to its failure to protect customer information, according to the SEC, which issued an order certificate that Morgan Stanley failed to adopt written policies and procedures that are reasonably designed to protect customer data From 2011 to 2014, a then employee inadvertently opened and transferred data on approximately 730,000 accounts to his personal server, ultimately hacked by third parties. to settle the fees without acknowledging or denying the SEC's findings.
"I think it is a very interesting case," says Mr. Turner. "What shows me is that the regulators apply a sliding scale based on the sophistication of the concerned uniqueness."
For example, Morgan Stanley had a written information security policy and on-the-spot checks to ensure that the information was only available to people with the right privileges, but the then employee found and was able to use a glitch, he said. Morgan Stanley did not review the specific system or test relevant authorization modules or monitor or analyze employee access to and use of the portals, according to the SEC.
SEC "came pretty hard on Morgan Stanley while they might not have a smaller, less sophisticated company," he said.
"Morgan Stanley is pleased to resolve this issue, which is the result of the theft of a former employee of some limited client data reported in January 2015, the company said in a statement in June 2016." After the discovery of the incident, Morgan Stanley warned Immediate law enforcement and regulatory authorities and reported to affected customers. Morgan Stanley worked fast to protect affected customers by changing account numbers and offering credit monitoring and identity theft services and has strengthened his customer data protection mechanisms. No fraud against any customer account was reported as a result of this event. "