SEC Targeting Firms' Cybersecurity as Market Risk

Corporate Counsel Weekly™ helps corporate lawyers get the big picture on the legal challenges facing corporations today. Practitioners can discover trends on the horizon and stay alert to the full...

By Yin Wilczek  

May 1 --The recent alert by the Securities and Exchange Commission's Office of Compliance Inspections and Examinations on financial firms' preparedness signals a “paradigm shift” in the way the commission views cybersecurity, panelists said May 1 during a webcast.

Historically, the SEC focused on broker-dealers and investment advisers' protection of customer data and information, said John Reed Stark, managing director of the digital risk management firm Stroz Friedberg, and a former chief of the SEC Enforcement Division's Office of Internet Enforcement.

Now, the SEC looks “at cybersecurity as: if you're a regulated entity and you don't have cybersecurity, that represents a threat to the global marketplace,” Stark said.

Stark was a participant in a Securities Docket webcast on cybersecurity.

Prior Enforcement Actions

Co-panelist Bradley Bondi, a Washington-based partner at Cadwalader, Wickersham & Taft LLP, also warned that registrants cannot “gain too much” comfort from looking at the SEC's prior enforcement actions under Regulations S-P and S-ID.

“It is a whole new world,” Bondi said. These cases “provide an interesting insight into what the staff has done in the past, but it's really a bit of uncharted territory” going forward as to how the SEC will police cybersecurity preparedness.

Reg S-P requires broker-dealers and investment advisers to implement policies and procedures reasonably designed to prevent unauthorized access. Reg S-ID requires registrants to set up programs that identify, detect and respond to identity theft “red flags.”

Cybersecurity is now a top regulatory concern in the wake of several high-profile incidents, including one at Target Corp. (29 CCW 105, 4/2/14). The SEC recently hosted a roundtable to discuss cybersecurity issues (29 CCW 61, 2/19/14).

Data Breach Response

The panel also was asked how firms experiencing a data breach can show in court or to regulators that they had a reasonable framework in place.

Stark observed that regulatory and judicial scrutiny of cyber preparedness usually revolves around how a company or firm reacts to a breach.

If firms show they consistently review and update their policies and systems, train their employees, allocate sufficient resources to cybersecurity and show a very “methodical response” to data incidents, that generally would constitute a reasonable response, Stark said.

Meanwhile, Shelley Parratt, deputy director of the Securities and Exchange Commission's Division of Corporation Finance, in a speech at Northwestern University School of Law said May 1 that inadequate explanation of cybersecurity preparedness and risks remains a key deficiency in corporate disclosure documents filed with the commission. 

 

To contact the reporter on this story: Yin Wilczek in Washington at ywilczek@bna.com

To contact the editor responsible for this story: Phyllis Diamond at pdiamond@bna.com