[BreachExchange] SEC Increases Focus on Cyber Incident Response

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 8 20:16:36 EDT 2017


http://www.jdsupra.com/legalnews/sec-increases-focus-on-cyber-incident-63926/

In the past few years, we have seen an uptick in agencies beginning to
focus on the cybersecurity readiness and response of organizations subject
to their jurisdiction.

The U.S. Securities and Exchange Commission (SEC), for example, has
identified cybersecurity as a top priority for many years. This past June,
the SEC named Stephanie Avakian and Steven Peikin as the new co-directors
of the enforcement division. Peikin noted that “[t]he greatest threat to
our markets right now is the cyber threat.” What has generally been a focus
on urging companies to bolster their cybersecurity prevention efforts may
be making a shift toward an expectation that companies respond efficiently
and effectively in the wake of a data breach. Such a shift is not
surprising, given that many experts believe that security breaches are
increasingly inevitable.

Given the growing recognition that, even with robust and mature information
security programs, incidents will occur, the SEC and others are looking to
frame appropriate regulatory responses. Recent SEC comments place an
increased importance on how companies are identifying and responding to
cybersecurity incidents.

By increasing regular examination of regulated entities, such as broker
dealers and investment advisers, these entities will likely have more
direct oversight and scrutiny of their information security programs. In
addition, direct regulatory oversight of financial institutions subject to
the SEC’s jurisdiction, and broader scrutiny of public companies and their
security breach-related disclosures, seems probable. “In the wake of a
breach, we are going to ask questions and look at disclosures before and
after an incident,” said Avakian.

The SEC is cognizant of the fact that enforcement in the form of fines on
public companies can lead to negative consequences to seemingly innocent
parties, such as shareholders. However, the SEC has brought several
enforcement actions against registered firms, including a $1 million fine
related to allegations of a failure to meet the “safeguards” rule under the
Gramm-Leach-Bliley Act. As the SEC’s focus shifts more resources to
cybersecurity enforcement, it would not be surprising to see the agency
examine disclosures relating to data breaches, or the timing of disclosure
of such incidents, more closely. Now more than ever, companies may be held
accountable if they fail to invest in data security, or prepare and respond
to cyber-attacks adequately. While the companies may view themselves as
victims, the market, and those tasked with protecting investors and the
market, seemingly do not.