Financial Regulatory Forum

INSIGHT: SEC cyber-risk exam guidelines set template for firms

By Abel Picardi, Compliance Complete

NEW YORK, May 6, 2014 (Thomson Reuters Accelus) - As the U.S. Securities and Exchange Commission tightens its supervision of technology security on Wall Street, with plans to examine cybersecurity preparedness at more than 50 broker-dealers and investment advisers, the agency has released a checklist intended to help firms review their controls whether or not they come into the crosshairs of examiners.

The move is in keeping with a cybersecurity push by SEC Chair Mary Jo White, as well as principles outlined in February by the National Institute of Standards and Technology.

Cybersecurity and the board: avoiding personal liability — Part III of III: Policies and procedures

By Steven L. Caponi, Thomson Reuters Accelus contributing author

NEW YORK, Aug. 8 (Thomson Reuters Accelus) - In the previous two installments of this series (Part I and Part II), we discussed the fiduciary obligation of officers/directors to proactively address cyber security and the legal basis for holding them personally liable if they fail to do so. This third and final article explores the more difficult task of deciding which best practices directors should consider adopting. Because each enterprise faces unique challenges, this process requires that directors understand their company’s cyber security risk profile and the options available for mitigating the risk.

When deciding which policies or procedures to adopt, boards should consider how their decisions will be viewed after an incident occurs. Following a loss or serious data breach, the various interested parties – stockholders, regulators, customers, politicians, media, and courts – will seek to assign blame. This chorus of finger pointers will inevitably be looking through the distorted lens of hindsight. Directors will not be accorded the benefit of the doubt, the presumption of good faith will be thrown out the window, and a conscientious cost-benefit analysis will be characterized as a deliberate decision to sacrifice data security on the altar of corporate profits.

Cybersecurity and the board of directors: avoiding personal liability — Part II of III

By Steven L. Caponi, Compliance Complete contributing author

NEW YORK, Aug. 6 (Thomson Reuters Accelus) - The first article in this three-part series discussed how legal principles governing directors’ fiduciary duties may be applied to cybersecurity and the risks posed by cyber attacks. To summarize, Delaware’s corporate law places an affirmative obligation on fiduciaries to keep informed of serious risks facing the enterprise. The failure to exercise appropriate oversight in the face of known risks constitutes a breach of the duty of loyalty, a breach that cannot be exculpated under 8 Del. C. §102(b)(7).

In Part II of this series, we explore the “red flags” placing directors on notice of their obligation to proactively manage cyber security risks, and that expose a complacent board to costly litigation and the specter of personal liability. When evaluating whether a particular issue warrants board consideration, directors and officers should look at the nature of the risk, its potential impact on the company, and the extent to which the risk is foreseeable.

Cybersecurity and the board of directors: avoiding personal liability – Part I of III

By Steven L. Caponi, Contributing author for Compliance Complete

NEW YORK, July 25 (Thomson Reuters Accelus) - The likelihood of a cybersecurity breach hitting one’s company in the near future is as certain as will be the resulting drop in shareholder value, finger pointing, fines, regulatory headaches and civil litigation alleging the board was asleep at the wheel in the face of a known danger. In a letter to the Chairman of the Securities and Exchange Commission from five U.S. senators, including Commerce committee Chairman Jay Rockefeller, the Senators noted:

“Every day, malicious actors attack and disrupt computer networks to steal valuable trade secrets, intellectual property, and financial and confidential information, causing significant damage to the United States Government, our citizens, our business, and our country.”

Cybersecurity in Canada: Finance industry, government seek ways to share data

By Daniel Seleanu, Compliance Complete

TORONTO/NEW YORK, July 18 (Thomson Reuters Accelus) - More cooperation with government intelligence agencies would improve the Canadian financial industry’s cyber security capabilities, regulatory and industry experts told Thomson Reuters. Financial institutions have deployed defences, but face considerable threat from cyber-criminals intent on committing fraud, stealing sensitive information, and disrupting their networks.

To mitigate those risks, security and financial experts have called for an enhanced information-sharing system that would allow firms to provide detailed cyber-attack statistics to the government in exchange for intelligence on emergent threats and mitigation strategies. To date, attempts to establish such a system have had little result.

Financial cybercrime a national security threat, U.S. Justice Department official warns

By Julie DiMauro and Stuart Gittleman

NEW YORK, Sept. 21 (Thomson Reuters Accelus) - U.S.-based financial services institutions that don’t tell law enforcement agencies about having been victimized by cybercrime are compromising the nation’s security as well as that of their firms, a top Department of Justice official warned this week.

The remarks on Wednesday by Lanny Breuer, assistant attorney general for the department’s criminal division, came as a financial industry group warned banks to be on heightened alert for cyber attacks after Bank of America and JPMorgan Chase experienced unexplained outages on their public websites.

Disclosures 2012: level of cyber-security risk disclosures varies after new SEC guidance

By Robert Kalb

NEW YORK, April 6 (Business Law Currents) – Ever-growing reliance on technology in customer interactions, proprietary data storage and even normal business operations is creating increased risk for companies working to ensure these systems remain uncompromised. As threats of cyber-attacks expand across industries, and given the potential material impact on operations, the security of these digital technologies from internal and external threats is vital.

Prior to newly released SEC guidance, there were no existing requirements to explicitly disclose these cyber-risks. With annual reports now being filed and sent to shareholders, companies have made varied levels of cyber-risk disclosure, and these disclosures may expand in the future with subsequent regulatory oversight.