Each day this week, we are going to explore some of the issues in the rapidly growing area of cyberliability. We will examine the recent increase in focus on privacy issues, why directors should be concerned, the top questions directors should ask when it comes to coverage for cyber investigations, and what kind of cover is available for privacy violations.
Part 1 of 5: The Recent Increase In Focus on Privacy Issues
Privacy issues have been the focus of many state efforts over the past few years. However, the SEC has increased their focus tremendously over the past few months (see our blog posts here, here, and here). As early as October 2011, the SEC had demonstrated an interest in cybersecurity events by releasing guidance concerning public company cybersecurity disclosures. Otherwise, the SEC had remained relatively quiet. Recently, however, SEC involvement in this area has ratcheted up noticeably. On January 9, 2014, the SEC announced that it “will continue to examine governance and supervision of information technology systems, operational capability, market access, information security and preparedness to respond to sudden malfunctions and system outages.” Further, at a March 26, 2014, SEC-sponsored Cybersecurity Roundtable, SEC Chair Mary Jo White stressed “the compelling need for stronger partnerships between the government and private sector” to address security threats. Commissioner Luis Aguilar also emphasized the need for the SEC to gather additional information and “consider what additional steps the Commission should take to address cyber-threats.” Further demonstrating its commitment to the fact-gathering mission, and its increasing focus on cybersecurity, the SEC released an April 15, 2014, Cybersecurity Risk Alert containing a list of detailed questions to be posed to more than 50 different broker-dealers. The stated purpose of the questionnaire is to “assess cybersecurity preparedness in the securities industry.”
Directors often ask “what questions should I be asking and what areas should I be looking into?” A great starting point is looking at the areas the SEC has decided to focus on. What is your organization’s cybersecurity governance? How does your company identify and assess risks? Is it considered the best in class in your industry? How does your company protect its networks and information? What systems and protocols does the company maintain to detect unauthorized activity? Directors would do well to carefully consider these questions, as the SEC’s recent actions and focus indicate its commitment to increasing cybersecurity in the securities industry, and with that intent, an increase in enforcement actions is to be expected.