April 6, 2020

April 06, 2020

Subscribe to Latest Legal News and Analysis

April 05, 2020

Subscribe to Latest Legal News and Analysis

April 03, 2020

Subscribe to Latest Legal News and Analysis

Buyers (And Sellers) Beware!: SEC Observations on Cybersecurity and Resiliency

The Securities and Exchange Commission recently published a set of observations designed to assist financial market participants. While not legally binding, the observations are guideposts for investment companies, securities issuers, and others. They outline steps to improve cyber preparedness and to protect against well-known and evolving cybersecurity threats faced by companies in the United States and worldwide.

The observations come from the SEC’s Office of Compliance Inspections and Examinations. The OCIE operates the SEC’s National Exam Program, which is a risk-based inspection program intended to protect investors and ensure market integrity. OCIE collects and analyzes information on various measures that have been taken by market participants. Information gathered includes information about governance and risk management, access rights, and data loss prevention. OCIE also looks at mobile security, incident response resiliency and vendor management. Finally, OCIE looks at training and awareness as well.

The recently-issued observations provide specific examples of policies and practices that U.S. market participants have undertaken to protect sensitive data. Effective cybersecurity programs, the SEC noted, include those that look comprehensively at their risks. They also implement vulnerability scanning and monitor network traffic and detect security threats. The SEC also found effective programs are ones that had mobile device management and risk-assessed incident response plans for data breaches. The OCIE did recognize, though, that there is no “one-size fits all” approach for cybersecurity.

Putting it Into Practice: These observations give companies ideas about steps the SEC expects they will have taken to evaluate current cyber-risk infrastructure and make potentially-needed upgrades. While aimed at the financial markets, these recommendations may be helpful benchmarks for others as well.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.


About this Author

David M. Poell, business law Lawyer, Sheppard Mullin

David Poell is an associate in the Business Trial Practice Group in the firm’s Chicago office with an emphasis in the areas of consumer privacy and class action litigation.

Areas of Practice

A large portion of Mr. Poell’s practice is devoted to defending companies against class and individual actions brought under various state and federal consumer protection statutes, including the Telephone Consumer Protection Act (TCPA) and the Fair and Accurate Credit Transactions Act (FACTA), as well as other consumer-privacy and unfair business practices laws and...