SEC Showing Greater Interest in Companies’ Cyber Defenses

In the wake of recent hackings of Microsoft and SolarWinds software, cybersecurity in the United States – or the lack thereof – currently sits top of mind for security experts at numerous companies and government agencies. Count the Securities and Exchange Commission among them.

The Wall Street regulator issued its 2021 examination priorities report last week, an annual exercise undertaken by the Division of Examinations to peel back the curtain on “its risk-based approach, including the areas it believes present potential risks to investors and the integrity of the U.S. capital markets.” (You may know the Division of Examinations as the Office of Compliance Inspections and Examinations, which didn’t exactly roll off the tongue; the name was changed in December.) Along with the other complications presented by COVID-19, the widespread shift to remote work heightened concerns at the SEC about cybersecurity. The Division warned the entities it oversees to prepare for questions about what they are doing to:

  • Safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access;
  • Oversee vendors and service providers;
  • Address malicious email activities, such as phishing or account intrusions;
  • Respond to incidents, including those related to ransomware attacks; and
  • Manage operational risk as a result of dispersed employees in a work-from-home environment.

The Division of Examinations’ responsibilities are limited primarily to investment advisors, broker-dealers, mutual funds and securities exchanges, and the division tailored its cybersecurity discussion to that audience. But obviously, cybersecurity threats don’t stop at the financial services sector. The Microsoft hack alone reportedly ensnared more than 20,000 U.S. organizations.

As public companies continue to name cyberthreats one of the top risks to their businesses, they’re also anticipating that investors will expect more public disclosure and cybersecurity oversight by boards of directors. Meanwhile, directors themselves are discovering that a rudimentary understanding of technology and the associated security concerns won’t cut it.

In that sense, the Division of Examinations’ emphasis on cybersecurity aligns with increasing scrutiny of data security at corporations in general. One strategy that may appeal to companies for addressing the risks is simply insuring against hacks and other attacks. Insurance providers are beginning to offer policies covering potential liabilities resulting from such events. Regulators are even beginning to issue guidance to the insurance industry regarding best practices for writing the policies.

However companies decide to beef up their cybersecurity protections, they should prepare for authorities to take a more active role in creating and enforcing cybersecurity standards. Officials in Europe are already considering a proposal to impose financial penalties for companies found to be in violation of EU cybersecurity rules. If the SEC enforcement priorities for this year are any indication, the U.S. government may soon follow suit.
