Abstracted from: Implications Of The SEC's Increased Focus On Cybersecurity
By: Ryan Bergsieker
Gibson Dunn & Crutcher, Denver CO
Wall Street Lawyer, Vol. 18, No. 5, Pgs. 1, 4-6
Intensified SEC focus on cybersecurity in 2014. The SEC is steadily raising the bar on cybersecurity disclosure, with a string of announcements and other initiatives. First it announced that all aspects of information technology and security would be examined, including the security of information, system reliability, and planned responses to outages, glitches, and security breaches. The SEC is also concerned with governance relating to responsibility for technological security, writes attorney Ryan Bergsieker, and with strategies for mitigating losses as well as reducing event risk. In March 2014, the SEC followed up on its previous cybersecurity announcements by hosting a Cybersecurity Roundtable, which included listed companies and regulated entities such as brokerages and financial firms. The Roundtable emphasized that both senior management and boards of directors have significant responsibilities in cybersecurity, which profoundly affects the entire entity. In this endeavor, public and private entities were encouraged to share information.
Focusing on broker-dealers and investment advisors. According to an April 15th Risk Alert, the SEC Office of Compliance Inspections and Examinations (OCIE) intends to scrutinize cybersecurity preparedness at the 50 broker-dealers and investment advisors where breaches would have the greatest impact on investors. Although the number of entities examined will be small compared to the total number (4,500 broker-dealers and upwards of 10,000 registered investment advisors), the examination of those selected will be comprehensive, the author notes. The National Institute of Standards and Technology (NIST) cybersecurity guidelines published in February 2014 are relatively generalized goals, but the OCIE wants the particulars of strategies for meeting these goals. Details will be required for system attributes, system testing, incursion prevention and detection, malware detection, data loss, responses to security breaches, and loss mitigation techniques, among others. Although the NIST guidelines are voluntary, the SEC's focus on them as the minimum standard makes them a de facto benchmark for liability in the event of a security breach.
Preparing for the inevitable. Regulated entities need to be proactive in reducing potential losses from security breaches, advises the author. Document everything related to cybersecurity, as though defending a lawsuit. Breaches sometimes do occur despite the best precautions. To mitigate losses, the broker-dealer or investment advisor needs to demonstrate that it used, at a minimum, benchmark standards, if not absolute state-of-the-art systems, technology, strategic planning, testing, backup plans, and remediation for injured customers. Testing and upgrading systems, changes triggered by breaches, and technological issues must all be covered. The SEC will be looking for real-world details. While specific mandates and penalties do not yet exist for falling below cybersecurity benchmarks, the odds favor increased stringency in the future.
Abstracted from Wall Street Lawyer, published by West LegalEdcenter, 610 Opperman Drive, Eagan MN 55123. To subscribe, call (800) 344-5009 or (800) 328-4880; or visit http://west.thomson.com/productdetail/127289/37005153/productdetail.aspx.
Editor's Note: According to a news report from Bloomberg News, the SEC is investigating several companies to determine if they correctly managed and disclosed cyberattacks carried out against them. The investigators are examining whether the companies, including Target, “adequately guarded data and informed investors about the impact of breaches,” the news report indicates.