SEC Showing Greater Interest in Companies’ Cyber Defenses

In the wake of recent hackings of Microsoft and SolarWinds software, cybersecurity in the United States – or the lack thereof – currently sits top of mind for security experts at numerous companies and government agencies. Count the Securities and Exchange Commission among them.

The Wall Street regulator issued its 2021 examination priorities report last week in an annual exercise undertaken by the Division of Examinations to peel back the curtain on “its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets.” (You may know the Division of Examinations as the Office of Compliance and Inspections Examinations, which didn’t exactly roll off the tongue; the name was changed in December.) Along with the other complications presented by COVID-19, the widespread shift to remote work heightened concerns at the SEC about cybersecurity. The Division warned the entities it oversees to prepare for questions about what they are doing to:

  • Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
  • Oversee vendors and service providers;
  • Address malicious email activities, such as phishing or account intrusions;
  • Respond to incidents, including those related to ransomware attacks; and
  • Manage operational risk as a result of dispersed employees in a work-from-home environment.

The Division of Examinations’ responsibilities are limited primarily to investment advisors, broker-dealers, mutual funds and securities exchanges, and the division tailored its cybersecurity discussion to that audience. But obviously, cybersecurity threats don’t stop at the financial services sector. The Microsoft hack alone reportedly ensnared more than 20,000 U.S. organizations.

As public companies continue to name cyberthreats one of the top risks to their businesses, they’re also anticipating that investors will expect more public disclosure and cybersecurity oversight by boards of directors. Meanwhile, directors themselves are discovering that a rudimentary understanding of technology and the associated security concerns won’t cut it.

In that sense, the Division of Examinations’ emphasis on cybersecurity aligns with increasing scrutiny of data security at corporations in general. One strategy that may appeal to companies for addressing the risks is simply insuring against hacks and other attacks. Insurance providers are beginning to offer policies covering potential liabilities resulting from such events. Regulators are even beginning to issue guidance to the insurance industry regarding best practices for writing the policies.

However companies decide to beef up their cybersecurity protections, they should prepare for authorities to take a more active role in creating and enforcing cybersecurity standards. Officials in Europe are already considering a proposal to impose financial penalties for companies found to be in violation of EU cybersecurity rules. If the SEC enforcement priorities for this year are any indication, the U.S. government may soon follow suit.

Latest Articles

Five Big Questions About Trump’s Plan for Tariffs on China

President-elect Donald Trump made the geopolitical rivalry between China and the United States a key theme of his campaign during the 2024 election cycle. Trump and his advisers ha...

Read More

SEC Dings SolarWinds Victims for Cybersecurity Disclosures

Last month, the Securities and Exchange Commission settled four enforcement actions against current and former publicly traded companies for making what it deemed “materially misle...

Read More

Southwest Airlines Makes Concessions to Thwart Proxy War

Southwest Airlines has long cherished its reputation for doing air travel differently than other major characters. Among its most famous quirks, Southwest has been known for its op...

Read More