US: Today’s cyber threat is far from over…and the SEC knows that
Russia’s recent crackdown on the notorious ransomware crime group REvil flooded news headlines over the past few weeks. Perhaps a good sign, although many hacker groups remained untouched. Days later, Ukrainian government sites were taken down, allegedly by Russian hackers. This didn’t escape US Securities and Exchange Commission (SEC) Chair Gary Gensler’s attention. Just this week, in his speech to the Annual Securities Regulation Institute, Gensler emphasized that the “events of the past couple of weeks in Russia and Ukraine have once again highlighted the importance of cybersecurity to our national interest.”
Chair Gensler’s remarks on Russia and Ukraine underscore the SEC’s commitment to cybersecurity as an economic interest and national security concern. Gensler continues his push on cybersecurity to counter the evolving threat landscape.
C-Suites, Boards and compliance departments need to take notice, particularly as this follows on from previous action by the SEC against public companies and SEC registrants for poor cyber disclosures and the governance surrounding those disclosures.
SEC Cybersecurity Policy: A Team Sport
In his address, Gensler outlines three major tenets of SEC cybersecurity policy:
- cyber hygiene and preparedness,
- cyber incident reporting to the government, and
- in specific cases, disclosure to the public.
According to Gensler, cybersecurity policy is a collaborative undertaking requiring the work of regulatory agencies like the Financial Stability Oversight Council (FSOC) and Cybersecurity and Infrastructure Security Agency (CISA), the private sector, other government entities, foreign counterparts, and G7 Cyber Experts. Gensler underscored the team effort it would take to improve overall cybersecurity posture. The SEC’s cybersecurity policy relates to four groups of entities: (1) SEC registrants in the financial sector, (2) public companies, (3) service providers, and (4) the SEC itself.
Financial Sector SEC Registrants
Gensler discussed three major projects relating to financial sector registrants: Regulation Systems Compliance and Integrity (Reg SCI), broader financial sector registrant recommendations, and data privacy and personal information reform.
- Reg SCI: Adopted in 2014, Reg SCI helps ensure financial sector registrants “have sound technology programs, business continuity plans, testing protocols, data backups, and so on.” Chair Gensler has asked staff for recommendations on ways to expand and deepen the rule, particularly by applying Reg SCI to other entities it does not currently cover.
- Broader Financial Sector Registrant Recommendations: For those not covered by Reg SCI, including broker-dealers, investment companies, and investment advisers, Gensler asked staff to make recommendations around strengthening financial sector registrants’ cybersecurity hygiene and incident reporting. With these potential recommendations, Gensler aims to reduce the risk that any financial registrant would lose critical operational capacity during a cybersecurity incident.
- Data Privacy and Personal Information: Congress addressed issues around customer and client data privacy and personal information in the Gramm-Leach-Bliley Act of 1999. In the wake of this law, the SEC adopted Regulation S-P, requiring that registered broker-dealers, investment companies, and investment advisers protect customer data. Noting that two decades have passed since Reg S-P was adopted, Gensler suggested it could be time to modernize the regulation and asked for staff recommendations to alter the timing and substance of the notifications currently required under Reg S-P.
For public companies, to ensure investors can take risks based on “consistent, comparable, and decision-useful” information shared with them, Chair Gensler asked staff to make recommendations for the Commission’s consideration surrounding companies’ cybersecurity practices and cyber risk disclosures. While Gensler clarified that public companies are already subject to certain cybersecurity risk disclosure requirements, further recommendations on how and whether to update companies’ disclosures for investors once a cyber incident has occurred could help streamline the information shared with investors as disclosure regimes evolve.
As with his request for staff recommendations on disclosure practices, Gensler asked staff to make recommendations on the way the Commission addresses cybersecurity risk from service providers. Various measures could include “requiring certain registrants to identify service providers that pose [cyber] risks” or “holding registrants accountable for service providers’ cybersecurity measures” to protect against inappropriate access to investor information.
Staying ahead of the attackers and the SEC
Russian actions against REvil may have forced other groups underground for the time being. But with last year’s ransomware profits estimated at well over a billion dollars, the next wave is coming. And the SEC is expected to take a tougher stance on cybersecurity enforcement. Companies should use this potential respite to regroup on the following:
- Ensure Proper Cyber Governance: Your Board and C-suite executives should understand cybersecurity risks, the cyber threat landscape, and how your company benchmarks against others. This requires an understanding of the threats, the controls, and the remaining risks. Knowing the score on the NIST Cybersecurity Framework is not enough. For example, a Board may be told that the company scored a 4.2 out of 5 on the “Detect” elements of the NIST Framework. To be fair, that’s a very strong score. For most companies such a score is not attainable or necessary; a 3.8 may be sufficient. But that does not paint the full picture for the Board. What are the financial implications of a 4.2 versus a 3.8, and what does spending another $100 million achieve? Boards and C-Suites need a real understanding of how technical risks translate into regulatory risks (and fines) and financial risks. The time is now to educate the Board.
- Assess Compliance: Aligning technical capabilities with regulatory requirements is key to assessing compliance. Risk assessments are a good way of mapping your company’s technical controls to cybersecurity frameworks. But to really tie this to the points Gensler is making, you need to go one step further and map the analysis to the regulatory requirements (Reg SCI, Reg S-P and others). You can map your Company’s technical standards to regulatory requirements using the Cyber Profile from the Cyber Risk Institute. Involve your compliance and legal departments as partners to the information security team; this will pay dividends down the road as well.
- Conduct a Policies and Procedures Overhaul: So much has changed in the past few years that few privacy and cybersecurity policies could survive without a serious update. Review your response plans, policies and procedures regarding cyber breaches and update them to address new risks and technology requirements. It is critical that your company’s playbook also keep up with the latest regulations and disclosure requirements. It is also a good idea to take a closer look with outside counsel at your cybersecurity disclosures. If, for example, the risk disclosure says that your company “may” experience cyber attacks, it is likely a good time to change it to reflect the reality that your company “does” experience cyber attacks. The SEC is in favor of such candid statements.
- Test Your Preparedness: Testing your ability to respond to an incident is crucial. Policies and response plans alone are a good first step, but they are just a first step. There is a continued need to exercise incident response through cybersecurity tabletop scenarios with legal counsel and forensic consultants, and through discussions across business units and at all levels of the company, including with the Board and C-suite.
- Work with Third Parties: Establish robust policies and contractual terms with third parties and contractors to ensure you are routinely notified of any problems. Even with robust policies, cybersecurity requires checking in with vendors and following up with a due diligence program. Ultimately, if it relates to your third party, it can come back to your Company.