Six Takeaways from Debevoise’s SEC Cybersecurity Yr in Evaluation 2021 – Debevoise Information Weblog

On November 2, members of our Information Safety & Technique and White Collar & Regulatory Protection groups hosted a webcast on the SEC’s Cybersecurity Yr in Evaluation 2021. The panelists, Julie Riewe, Christopher Ford, and HJ Brehmer mentioned regulatory traits relating to enforcement actions, disclosures, and proposed rulemaking, with a selected concentrate on notable enforcement actions from the previous 12 months. The next are a number of fast takeaways from the webcast:

1. Dealer-Sellers & Funding Advisers: The panel mentioned the present SEC concentrate on broker-dealers and funding advisers in mild of current enforcement actions, emphasizing a number of key takeaways from these circumstances:
   • Registrants’ insurance policies and procedures ought to be moderately tailor-made to their cybersecurity dangers and applied persistently all through the group.
   • Totally different e mail accounts, corresponding to these for workers and contractors, ought to be topic to the identical degree of safety, corresponding to multi-factor authentication, if they’ve entry to equally delicate information; and
   • Notifications to people and regulators relating to any cybersecurity incident should be correct. It’s unlikely that the SEC will discover boilerplate notices ample.

2. Vendor Danger Administration: As emphasised within the SEC’s 2021 cybersecurity priorities, firms ought to consider the cybersecurity danger and implement insurance policies to mitigate the dangers related to third-party distributors. Firms ought to take into account risk-ranking distributors to make sure that diligence and safety controls are appropriately tailor-made to the providers offered and the quantity of delicate information to which they’ve entry. Efforts ought to be made to contractually bind distributors to fulfill cybersecurity necessities which can be in line with the chance they pose to firm information and operations.

3. Incident Response Planning: The SEC has emphasised the significance of constructing acceptable disclosure controls into incident response protocols to make sure that data flows as much as administration (as proven within the First American motion) and that disclosures are correct (as proven within the Pearson Plc motion). The SEC highlighted its concern relating to disclosure controls once more a number of weeks in the past on the SEC Speaks. These actions counsel that firms ought to set up, and check by means of a tabletop train, clear inside discover triggers, processes, and procedures for elevating key cybersecurity points to administration and different related stakeholders.

4. Cybersecurity Danger Administration: Whereas the SEC has not but launched up to date steerage on cybersecurity disclosures, its regulatory agenda suggests that it’s going to look extra broadly at issuer disclosures relating to cybersecurity danger administration even when no incident has occurred. Firms ought to train warning and precision of their cybersecurity disclosures, guaranteeing that they’re correct, keep away from hypotheticals, and don’t overstate their cybersecurity program.

5. Rising Expectations of the Board: As a part of an more and more broad view of cybersecurity danger administration, it’s possible that the SEC will take a better take a look at how boards and senior administration are executing their oversight perform, together with the frequency and content material of cybersecurity briefings and participation in cybersecurity coaching.

6. Elevated Concentrate on Entry Controls: The SEC’s 2021 enforcement actions, together with its 2018 Section 21A report, counsel that the workers might look past insurance policies and procedures and scrutinize the sufficiency of underlying cybersecurity processes, even within the absence of any disclosure controls points. In these investigations, firms ought to count on the SEC to take a tough take a look at whether or not an organization’s entry controls are ample beneath Part 13(b)(2)(B)(i) and (iii) of the Securities Alternate Act of 1934 and SOX 404 to ascertain and keep satisfactory inside management over monetary reporting.

* * *

To register for an on-demand model of the webcast, click on here.

To subscribe to our Information Weblog, please click on here.