SEC Showing Greater Interest in Companies’ Cyber Defenses

In the wake of recent hackings of Microsoft and SolarWinds software, cybersecurity in the United States – or the lack thereof – currently sits top of mind for security experts at numerous companies and government agencies. Count the Securities and Exchange Commission among them.

The Wall Street regulator issued its 2021 examination priorities report last week in an annual exercise undertaken by the Division of Examinations to peel back the curtain on “its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets.” (You may know the Division of Examinations as the Office of Compliance and Inspections Examinations, which didn’t exactly roll off the tongue; the name was changed in December.) Along with the other complications presented by COVID-19, the widespread shift to remote work heightened concerns at the SEC about cybersecurity. The Division warned the entities it oversees to prepare for questions about what they are doing to:

  • Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
  • Oversee vendors and service providers;
  • Address malicious email activities, such as phishing or account intrusions;
  • Respond to incidents, including those related to ransomware attacks; and
  • Manage operational risk as a result of dispersed employees in a work-from-home environment.

The Division of Examinations’ responsibilities are limited primarily to investment advisors, broker-dealers, mutual funds and securities exchanges, and the division tailored its cybersecurity discussion to that audience. But obviously, cybersecurity threats don’t stop at the financial services sector. The Microsoft hack alone reportedly ensnared more than 20,000 U.S. organizations.

As public companies continue to name cyberthreats one of the top risks to their businesses, they’re also anticipating that investors will expect more public disclosure and cybersecurity oversight by boards of directors. Meanwhile, directors themselves are discovering that a rudimentary understanding of technology and the associated security concerns won’t cut it.

In that sense, the Division of Examinations’ emphasis on cybersecurity aligns with increasing scrutiny of data security at corporations in general. One strategy that may appeal to companies for addressing the risks is simply insuring against hacks and other attacks. Insurance providers are beginning to offer policies covering potential liabilities resulting from such events. Regulators are even beginning to issue guidance to the insurance industry regarding best practices for writing the policies.

However companies decide to beef up their cybersecurity protections, they should prepare for authorities to take a more active role in creating and enforcing cybersecurity standards. Officials in Europe are already considering a proposal to impose financial penalties for companies found to be in violation of EU cybersecurity rules. If the SEC enforcement priorities for this year are any indication, the U.S. government may soon follow suit.

Latest Articles

September SEC Enforcement Spike: Four Key Areas to Watch

Much like the cliché of a local police force ramping up patrols to meet its quarterly quota of speeding tickets, the Securities and Exchange Commission is yet again closing out its...

Read More

As Labor Strife Grows, So Do Complaints About CEO Pay

Elon Musk has apparently had enough of automotive companies showering their executives with lavish compensation packages. The Tesla CEO, himself under investigation by the Securiti...

Read More

New Disclosure Rules Prove Timely Amid Crippling Cyber Attacks

Here’s a case of what may be fortunate timing for both investors and gamblers. The Securities and Exchange Commission’s new cybersecurity disclosure rules went into effect this mon...

Read More