SEC Targeting Firms' Cybersecurity as Market Risk

By Yin Wilczek  

May 1 -- The recent alert by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations on financial firms' preparedness signals a “paradigm shift” in the way the commission views cybersecurity, panelists said May 1 during a webcast.

Historically, the SEC focused on broker-dealers and investment advisers' protection of customer data and information, said John Reed Stark, managing director of the digital risk management firm Stroz Friedberg, and a former chief of the SEC Enforcement Division's Office of Internet Enforcement.

Now, the SEC looks “at cybersecurity as: if you're a regulated entity and you don't have cybersecurity, that represents a threat to the global marketplace,” Stark said.

Stark was a participant in a Securities Docket webcast on cybersecurity.

Prior Enforcement Actions

Co-panelist Bradley Bondi, a Washington-based partner at Cadwalader, Wickersham & Taft LLP, also warned that registrants cannot “gain too much” comfort from looking at the SEC's prior enforcement actions under Regulations S-P and S-ID.

“It is a whole new world,” Bondi said. These cases “provide an interesting insight into what the staff has done in the past, but it's really a bit of uncharted territory” going forward as to how the SEC will police cybersecurity preparedness.

Reg S-P requires broker-dealers and investment advisers to implement policies and procedures reasonably designed to prevent unauthorized access. Reg S-ID requires registrants to set up programs that identify, detect and respond to identity theft “red flags.”

Cybersecurity is now a top regulatory concern in the wake of several high-profile incidents, including one at Target Corp. (29 CCW 105, 4/2/14). The SEC recently hosted a roundtable to discuss cybersecurity issues (29 CCW 61, 2/19/14).

Data Breach Response

The panel also was asked how firms experiencing a data breach can show in court or to regulators that they had a reasonable framework in place.

Stark observed that regulatory and judicial scrutiny of cyber preparedness usually revolves around how a company or firm reacts to a breach.

If firms show they consistently review and update their policies and systems, train their employees, allocate sufficient resources to cybersecurity and show a very “methodical response” to data incidents, that generally would constitute a reasonable response, Stark said.

Meanwhile, Shelley Parratt, deputy director of the Securities and Exchange Commission's Division of Corporation Finance, said May 1 in a speech at Northwestern University School of Law that inadequate explanation of cybersecurity preparedness and risks remains a key deficiency in corporate disclosure documents filed with the commission.

To contact the reporter on this story: Yin Wilczek in Washington at

To contact the editor responsible for this story: Phyllis Diamond at