Skip to content

Are you keeping on top of cybersecurity obligations?

October 27, 2015

castle-538722_640In a series of speeches earlier this year, Commodity Futures Trading Commission Chairman Timothy Massad repeated the remark that cybersecurity has become “perhaps the single most important new risk to market integrity and financial stability.” Indeed, with high-profile data breaches seemingly happening more frequently, cybersecurity has become an area of greater emphasis for companies and regulators alike.

How can Lexis® Securities Mosaic® help?

Securities Mosaic allows you to conduct research or stay current on a specific topic like cybersecurity across a broad spectrum of materials from a single gateway.  Below are some examples.

Guidance

  • In April 2014, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced a series of examinations aimed at identifying cybersecurity risks and assessing cybersecurity preparedness in the securities industry. Following up on that initiative, OCIE recently issued a Risk Alert providing information on the areas of focus for the second round of cybersecurity examinations of broker-dealers and investment advisers. These examinations will involve more testing to assess implementation of firm procedures and controls and will focus on governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.
  • In Comment Letter review of filings, SEC examiners may ask a company to clarify the technological and administrative procedures it has in place to ensure privacy and security, or to spell out the risks and potential costs of a cyber attack or breach.
  • In the past two years, not just the SEC but the IRS, Federal Reserve Board, EPA, and FDA have offered official guidance or assessment tools in the area of cybersecurity. Find them on Lexis Securities Mosaic by going to our Laws, Rules, Agencies page, searching on “cybersecurity,” and narrowing by the “Guidance” category filter.

 Disclosure

  • Risk Factors. Risks disclosed to prospective and current shareholders via periodic reports and in registrations of securities offerings are always a barometer of trending topics.  Recently, it has become common practice for companies that maintain access to sensitive or confidential data to disclose risks of potential data breaches or security concerns.
  • Management’s Discussion & Analysis. When cyber attacks — or even the mere threat of such attacks — impact a company’s bottom line, it will merit discussion in the MD&A section of the annual report.
  • Proxy statements.  Cybersecurity has become a concern at companies’ annual meetings, as companies seek to adopt and refine risk mitigation policies and procedures. The issue can even impact the election of directors and officers, as a candidate’s credentials in the area of cybersecurity may be perceived as increasingly important.

Rulemaking

  • Earlier this year, the SEC formalized certain security standards for exchange-listed companies with the adoption of its final rule 34-73639 on Regulation Systems Compliance and Integrity (“SCI”).
  • In August, the National Futures Association submitted to the CFTC a proposed interpretive notice focused on cybersecurity. If approved by the CFTC, NFA members would be required to adopt written procedures to keep customer data secure and safeguard access to members’ electronic systems.

Enforcement

  • In late September, the SEC announced its first enforcement action related to cybersecurity, fining an investment adviser for failing to establish required policies and procedures in advance of a breach that compromised the personally identifiable information (“PII”) of approximately 100,000 individuals, including thousands of the firm’s clients. Without admitting or denying the allegations, R.T. Jones Capital Equities Management consented to the entry of an order finding that it violated Regulation S-P’s PII safeguard rules during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access. The firm will pay a $75,000 penalty.

News and Commentary

  • Stay well-informed on everything related to securities. Subscribe to our Daily Securities News in your inbox each morning. This comprehensive newsletter includes SEC updates, corporate and securities news stories from an assortment of notable world news sources, recent law firm memos, market regulation updates, pending securities legislation, SEC enforcement and an SEC Final Rules effective date calendar.
  • Check out what the top U.S. law firms are saying. Go to our database of over 100,000 Law Firm Memos and type in relevant keywords (e.g., “cybersecurity,” “data breach”). Set up a daily alert to automatically receive the results of your personalized search in your inbox.
  • See what other influential analysts are saying. Sign up for our SM Blogwatch email, which includes opinion and analysis from well-respected sources such as CorporateCounsel. net and the Harvard Law School Forum on Corporate Governance and Financial Regulation. You can also text-search the past six months of content in our Blogwatch archive.

Comments are closed.

%d bloggers like this: