In response to recent security breaches at major retailers like Target and numerous reports of cyber espionage against financial institutions, the U.S. Securities and Exchange Commission has made strides to improve cybersecurity for the organizations it regulates. But regardless of whether a company is subject to SEC oversight or not, the development is an important one for all businesses. The launch of the SEC cybersecurity initiative opens a new chapter in an increasing drive toward regulation of the private sector's information systems.
Following a cybersecurity roundtable held in late March of this year, the SEC Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert which revealed its plans for a program to examine the cybersecurity preparedness of more than 50 registered broker-dealers and investment advisers.
There is no new, formal cybersecurity rule -- the Alert emphasizes it was not issued by the actual SEC commissioners but by their staff. However, the Alert does reveal a glimpse of the SEC's stance on the building blocks organizations should have in place to demonstrate adequate cybersecurity strategy.
A sample document request attached to the Alert lists the policies, procedures and document records that the OCIE is requesting as part of the SEC cybersecurity initiative. Seven principal areas are described, and the SEC requests evidence that answers the following questions:
- How is cybersecurity governed within the organization?
- How does the organization identify and assess cybersecurity risks?
- How are digital information networks and electronic information assets protected?
- What controls are in place to protect the integrity of remote, online access by customers to a firm's systems and services?
- How does the firm identify and evaluate cybersecurity risks posed by vendors and other third parties?
- How is unauthorized activity identified and investigated?
- What records outline specific cybersecurity incidents and how has the firm responded to those incidents?
Why is the SEC pushing for cybersecurity?
For many stakeholders affected by the ongoing struggle to balance regulations with free market principles, cybersecurity may seem like an awkward fit under traditional SEC mandates. However, the basic reality is that market insecurities, such as a lack of transaction integrity, lagging remote access security and breached trading activity, could destabilize the continued reliance on automated market systems and trading platforms, as well as similar integrated tools and resources.
There is another reason why cybersecurity and the SEC initiative affect every company, regardless of whether it is subject to the agency's jurisdiction: The SEC, like any governmental agency, has a responsibility to enforce specific rules and regulations. It does so by collecting evidence and relying on that material to demonstrate whether corporate conduct complies with defined legal requirements.
We are currently witnessing an important shift in how government agencies exercise their enforcement responsibilities. Virtually all business records within any regulated industry are now created and stored within electronic information systems. As a result, the evidence agencies require to conduct investigations and pursue enforcement actions is nearly all digital. Public agencies are charged with assuring the integrity, availability and security of these digital records because these are the assets required to enforce the law.
Public agencies are also learning that digital operating logs, metadata and application logs are potentially invaluable evidence to prove fraud, corruption and other malicious internal actions. As with primary digital content, these information assets are only useful if their integrity and availability are assured. If not, the agency's ability to enforce the law is increasingly handicapped, and possibly even defeated.
Why should businesses care about the cybersecurity initiative?
More than ever before, there is a synergy between public agencies and the companies they regulate. Both sides heavily rely upon the data integrity, availability and security of business records and information assets. If those assets are at risk or their reliability is compromised due to poor cybersecurity, there are only unfavorable consequences. Companies may be prepared to take the risk and not implement cybersecurity best practices, but agencies simply cannot tolerate this stance for very long if poor cybersecurity interferes with enforcement.
The bright side is that internal champions for cybersecurity improvements now have a new argument on their side. The SEC cybersecurity initiative highlights that new regulations are on the horizon if companies do not build effective strategies for cybersecurity. In addition, companies that take the initiative to develop a strong cybersecurity strategy may emerge as the best advocates for limiting adoption of new regulations and controls. In turn, a proactive cybersecurity strategy may end up reducing the future costs associated with ongoing compliance programs.
About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.