Cyber-security has become – or perhaps should be – a key area of concern for every enterprise. The risks are substantial for the firm, its shareholders, executives and customers, as recent cases illustrate. Every enterprise, large or small, is a potential victim. The losses can be, and often are, substantial, not just in dollars but also in trust, customers and more. The Commission has issued guidance. The agency has also brought enforcement actions.
Now, however, the Commission has issued a report based on nine investigations of firms involved in a variety of industries, cautioning about cyber risks in the context of the firm’s obligations to maintain proper internal controls. Report of Investigation Pursuant to Section 21(a) of the Exchange Act Regarding Certain Cyber-Related Frauds Perpetrated Against Public Companies, October 16, 2018.
The circumstances surrounding the replacement of Lu Wei as head of the Cyberspace Administration of China in June remain difficult to discern, but the politics surrounding its leadership seem not to have deflected the CAC from its mission to assert more control over cyberspace.
The CAC – also known as the Office of the Central Leading Group for Cyberspace Affairs – has issued new regulations which took effect on 1 August 2016 and place obligations on providers of mobile internet applications, or “apps”, that seem to mirror those placed on website and social media operators.
The White House and its top security advisors are regularly advised about cyberintrusions, and as a result the “time has come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security,” according to Former White House Senior Director for Cybersecurity Sameer Bhalotra. In the recent report from LogRhythm entitled “The Cyber Threat Risk – Oversight Guidance for CEOs and Boards,” Bhalotra went on to say:
Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today.
As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.
While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?”
Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
Guest Blogger Peter S. Vogel is a trial partner at Gardere Wynne Sewell LLP where he is Chair of the eDiscovery Group and the Internet, eCommerce, & Technology Team, and before practicing law he worked as a systems programmer, received a Masters in Computer Science, and taught graduate courses in information systems. In addition to…
Cybersecurity threats have reached a point where they cannot be ignored by any government agency, even the U.S. Securities and Exchange Commission. Although an agency tasked with protecting investors is not one that typically comes to mind in the battle against cyberthreats, the SEC does maintain jurisdiction over cybersecurity issues for public companies, broker-dealers and investment advisers, due to its responsibilities for ensuring the disclosure of material information, the integrity of market systems and customer data protection.