SEC cybersecurity initiative puts spotlight on data strategy

A new SEC initiative examines cybersecurity processes in markets the agency regulates, but it could impact every company's data management strategy.

In response to recent security breaches at major retailers like Target and numerous reports of cyber espionage against financial institutions, the U.S. Securities and Exchange Commission has made strides to improve cybersecurity for the organizations it regulates. But regardless of whether a company is subject to SEC oversight or not, the development is an important one for all businesses. The launch of the SEC cybersecurity initiative opens a new chapter in an increasing drive toward regulation of the private sector's information systems.

Following a cybersecurity roundtable held in late March of this year, the SEC Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert which revealed its plans for a program to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.

There is no new, formal cybersecurity rule -- the Alert emphasizes it was not issued by the actual SEC commissioners but by their staff. However, the Alert does reveal a glimpse of the SEC's stance on the building blocks organizations should have in place to demonstrate adequate cybersecurity strategy.

A sample document request attached to the Alert lists the policies, procedures and document records that the OCIE is requesting as part of the SEC cybersecurity initiative. Seven principal areas are described, and the SEC requests evidence that answers the following questions:

  • How is cybersecurity governed within the organization?
  • How does the organization identify and assess cybersecurity risks?
  • How are digital information networks and electronic information assets protected?
  • What controls are in place to protect the integrity of remote, online access by customers to a firm's systems and services?
  • How does the firm identify and evaluate cybersecurity risks posed by vendors and other third parties?
  • How is unauthorized activity identified and investigated?
  • What records outline specific cybersecurity incidents and how has the firm responded to those incidents?

Why is the SEC pushing for cybersecurity?

For many stakeholders affected by the ongoing struggle to balance regulations with free market principles, cybersecurity may seem like an awkward fit under traditional SEC mandates. However, the basic reality is that market insecurities, such as a lack of transaction integrity, lagging remote access security and breached trading activity, could destabilize the continued reliance on automated market systems and trading platforms, as well as similar integrated tools and resources.


There is another reason why cybersecurity and the SEC initiative affect every company, regardless of whether they are subject to the agency's jurisdiction: The SEC, like any governmental agency, has a responsibility to enforce specific rules and regulations. They do so by collecting evidence and relying on that material to demonstrate whether corporate conduct complies with defined legal requirements.

We are currently witnessing an important shift in how government agencies exercise their enforcement responsibilities. Virtually all business records within any regulated industry are now created and stored within electronic information systems. As a result, the evidence agencies require to conduct investigations and pursue enforcement actions is nearly all digital. Public agencies are charged with assuring the integrity, availability and security of these digital records because these are the assets required to enforce the law.

Public agencies are also learning that digital operating logs, metadata and application logs are potentially invaluable evidence to prove fraud, corruption and other malicious internal actions. As with primary digital content, these information assets are only useful if their integrity and availability is assured. If not, the agency's ability to enforce the law is increasingly handicapped, and possibly even defeated.

Why should businesses care about the cybersecurity initiative?

More than ever before, there is a synergy between public agencies and the companies they regulate. Both sides heavily rely upon the data integrity, availability and security of business records and information assets. If those assets are at risk or their reliability is compromised due to poor cybersecurity, there are only unfavorable consequences. Companies may be prepared to take the risk and not implement cybersecurity best practices, but agencies simply cannot tolerate this stance for very long if poor cybersecurity interferes with enforcement.

The bright side is internal champions for cybersecurity improvements now have a new argument on their side. The SEC cybersecurity initiative highlights that new regulations are on the horizon if companies are not building effective strategies for cybersecurity. In addition, companies that take the initiative to develop a strong cybersecurity strategy may emerge as the best advocates for limiting adoption of new regulations and controls. In turn, proactive cybersecurity strategy may end up reducing the future costs associated with ongoing compliance programs.

About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.

This was first published in June 2014
