On October 13, the annual Securities and Exchange Commission Speaks seminar concluded with presentations from the Examination, Enforcement, and Investment Management divisions. As SEC regulated entities (including publicly traded companies, investment advisers, and broker-dealers) look to 2022, they should keep the following key cybersecurity takeaways in mind:

  1. Continued Focus on Corporate Governance: The Associate Director of the Division of Examination’s Technology Controls Program (“TCP”) emphasized the continued importance of strong corporate governance relating to cyber, including cyber posture, senior leadership oversight of potential cybersecurity risk, and vendor risk management. In its action against First American, the SEC made clear that directors and officers play a critical role in developing a culture that values cyber hygiene, as well as setting up the reporting systems, testing, and training that allow important information regarding cyber threats to flow up to management. SEC registrants should continue to review how senior executive leadership and the board are involved in cybersecurity, and check for policies and systems that would facilitate leadership’s timely engagement in critical cyber issues.
  2. Cyber Preparedness: TCP also specifically noted that exams will focus on four key cyber areas, among other topics: vendor management, company-wide cybersecurity risk management, operational resiliency, and incident response. Notably, these categories generally reflect the SEC’s 2021 cybersecurity priorities.
  3. Holistic Policy Implementation: The Division of Enforcement reiterated that all registrants should not only adopt cybersecurity policies and procedures tailored to their business, but should also ensure that these are implemented across all systems where customer data is stored. The SEC has reminded registrants of this need multiple times (here, here, and here), suggesting that the SEC is becoming less tolerant of delinquent risk remediation going forward.
  4. Increased Outreach: Registrants should also expect outreach from the SEC during cybersecurity events to determine the scope and severity of the incident. This is novel but not surprising given the increasing frequency and severity of such incidents, particularly ransomware attacks at companies. Registrants should consider (a) revising their incident response plans to ensure that the internal stakeholders who typically handle SEC communications are engaged; (b) drafting placeholder statements to the SEC in advance, so those statements can be adapted during an actual incident rather than being drafted from scratch at a time of crisis; and (c) incorporating SEC responses into tabletop exercises.
  5. Accurate, Succinct Disclosures: Companies should be careful about how they disclose the nature and extent of any cyber incident. As the SEC’s August 2021 enforcement action against Pearson Plc reflects, the SEC will scrutinize potentially misleading statements that, for example, overstate the merits of a firm’s cybersecurity program. Notably, the SEC plans to release Proposed Rules on Cybersecurity Disclosures in a matter of days, which should provide greater clarity in this area.
  6. Proactive Discussions on Tech Plans: Registrants should also take proactive steps to communicate with regulators regarding plans to adopt new technologies, such as blockchain, including with the Disclosure Review and Accounting Office to ensure they meet the substantive requirements.

* * *

On November 2, 2021, members of our San Francisco office will be hosting a webinar covering the SEC’s 2021 cybersecurity enforcement actions and proposed rulemaking regarding cybersecurity disclosures. To join us, please RSVP here.


To subscribe to our Data Blog, please click here.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and artificial intelligence risks. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Charu A. Chandrasekhar is a litigation counsel based in the New York office and a member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities enforcement and government investigations, internal investigations and complex commercial litigation.

Author

HJ Brehmer is a Debevoise litigation associate and a member of the Data Strategy & Security Group. Her practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation, and regulatory defense. She can be reached at hjbrehmer@debevoise.com.

Author

Matthew C. Rametta is an associate in the Litigation Department.