SEC Showing Greater Interest in Companies’ Cyber Defenses

In the wake of recent hackings of Microsoft and SolarWinds software, cybersecurity in the United States – or the lack thereof – currently sits top of mind for security experts at numerous companies and government agencies. Count the Securities and Exchange Commission among them.

The Wall Street regulator issued its 2021 examination priorities report last week in an annual exercise undertaken by the Division of Examinations to peel back the curtain on “its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets.” (You may know the Division of Examinations as the Office of Compliance and Inspections Examinations, which didn’t exactly roll off the tongue; the name was changed in December.) Along with the other complications presented by COVID-19, the widespread shift to remote work heightened concerns at the SEC about cybersecurity. The Division warned the entities it oversees to prepare for questions about what they are doing to:

  • Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
  • Oversee vendors and service providers;
  • Address malicious email activities, such as phishing or account intrusions;
  • Respond to incidents, including those related to ransomware attacks; and
  • Manage operational risk as a result of dispersed employees in a work-from-home environment.

The Division of Examinations’ responsibilities are limited primarily to investment advisors, broker-dealers, mutual funds and securities exchanges, and the division tailored its cybersecurity discussion to that audience. But obviously, cybersecurity threats don’t stop at the financial services sector. The Microsoft hack alone reportedly ensnared more than 20,000 U.S. organizations.

As public companies continue to name cyberthreats one of the top risks to their businesses, they’re also anticipating that investors will expect more public disclosure and cybersecurity oversight by boards of directors. Meanwhile, directors themselves are discovering that a rudimentary understanding of technology and the associated security concerns won’t cut it.

In that sense, the Division of Examinations’ emphasis on cybersecurity aligns with increasing scrutiny of data security at corporations in general. One strategy that may appeal to companies for addressing the risks is simply insuring against hacks and other attacks. Insurance providers are beginning to offer policies covering potential liabilities resulting from such events. Regulators are even beginning to issue guidance to the insurance industry regarding best practices for writing the policies.

However companies decide to beef up their cybersecurity protections, they should prepare for authorities to take a more active role in creating and enforcing cybersecurity standards. Officials in Europe are already considering a proposal to impose financial penalties for companies found to be in violation of EU cybersecurity rules. If the SEC enforcement priorities for this year are any indication, the U.S. government may soon follow suit.

Latest Articles

New Rules Have SPACs Down, But Not Dead

Soon after the Securities and Exchange Commission announced the final version of new rules to protect investors in special purpose acquisition companies, industry analysts and news...

Read More

SEC Chimes in on Early Cybersecurity Disclosures

Earlier this year, we offered readers three lessons from the initial wave of disclosures made under new cybersecurity rules issued by the Securities and Exchange Commission in 2023...

Read More

Intelligize Report Drills Down on Growing Concerns About Use of AI

Whether artificial intelligence will prove to be society’s friend or foe depends not on the technology itself, but how we use it. To that end, business interests, government author...

Read More