On November 2, members of our Data Security & Strategy and White Collar & Regulatory Defense teams hosted a webcast on the SEC’s Cybersecurity Year in Review 2021. The panelists, Julie Riewe, Christopher Ford, and HJ Brehmer, discussed regulatory trends regarding enforcement actions, disclosures, and proposed rulemaking, with a particular focus on notable enforcement actions from the past 12 months. The following are a few quick takeaways from the webcast:
- Broker-Dealers & Investment Advisers: The panel discussed the current SEC focus on broker-dealers and investment advisers in light of recent enforcement actions, emphasizing a few key takeaways from those cases:
  - Registrants’ policies and procedures should be reasonably tailored to their cybersecurity risks and implemented consistently throughout the organization.
  - Different email accounts, such as those for employees and contractors, should be subject to the same level of security, such as multi-factor authentication, if they have access to similarly sensitive data.
  - Notifications to individuals and regulators regarding any cybersecurity incident must be accurate. It is unlikely that the SEC will find boilerplate notices sufficient.
- Vendor Risk Management: As emphasized in the SEC’s 2021 cybersecurity priorities, companies should evaluate the cybersecurity risk and implement policies to mitigate the risks associated with third-party vendors. Companies should consider risk-ranking vendors to ensure that diligence and security controls are appropriately tailored to the services provided and the amount of sensitive data to which they have access. Efforts should be made to contractually bind vendors to meet cybersecurity requirements that are consistent with the risk they pose to company data and operations.
- Incident Response Planning: The SEC has emphasized the importance of building appropriate disclosure controls into incident response protocols to ensure that information flows up to management (as shown in the First American action) and that disclosures are accurate (as shown in the Pearson Plc action). The SEC highlighted its concern regarding disclosure controls again a few weeks ago at the SEC Speaks. These actions suggest that companies should establish, and test through a tabletop exercise, clear internal notice triggers, processes, and procedures for raising key cybersecurity issues to management and other relevant stakeholders.
- Cybersecurity Risk Management: While the SEC has not yet released updated guidance on cybersecurity disclosures, its regulatory agenda suggests that it will look more broadly at issuer disclosures regarding cybersecurity risk management even when no incident has occurred. Companies should exercise caution and precision in their cybersecurity disclosures, ensuring that they are accurate, avoid hypotheticals, and do not overstate their cybersecurity program.
- Growing Expectations of the Board: As part of an increasingly broad view of cybersecurity risk management, it is likely that the SEC will take a closer look at how boards and senior management are executing their oversight function, including the frequency and content of cybersecurity briefings and participation in cybersecurity training.
- Increased Focus on Access Controls: The SEC’s 2021 enforcement actions, along with its 2018 Section 21A report, suggest that the staff may look beyond policies and procedures and scrutinize the sufficiency of underlying cybersecurity processes, even in the absence of any disclosure controls issues. In these investigations, companies should expect the SEC to take a hard look at whether a company’s access controls are sufficient under Section 13(b)(2)(B)(i) and (iii) of the Securities Exchange Act of 1934 and SOX 404 to establish and maintain adequate internal control over financial reporting.
* * *
To register for an on-demand version of the webcast, click here.
To subscribe to our Data Blog, please click here.