Financial Regulatory Forum

U.S. regulators urge firms to improve business continuity and disaster recovery plans

By Stuart Gittleman, Compliance Complete

NEW YORK, Aug. 21 (Thomson Reuters Accelus) – Futures and securities firms should review their industry-wide and internal business continuity and disaster recovery plans to improve responsiveness to significant disruptions and reduce recovery time, their regulators said Friday in a staff advisory.

U.S. regulators have been particularly concerned over how financial firms plan for disasters since the attacks of September 11, 2001, and through the President’s Working Group on Financial Markets during the administration of George W. Bush urged the industry to strengthen its defenses. The concerns have included flooding following Hurricane Katrina and the threat of an influenza pandemic, and are growing.

Cybersecurity and the board: avoiding personal liability — Part III of III: Policies and procedures

By Steven L. Caponi, Thomson Reuters Accelus contributing author

NEW YORK, Aug. 8 (Thomson Reuters Accelus) - In the previous two installments of this series (Part I and Part II), we discussed the fiduciary obligation of officers/directors to proactively address cyber security and the legal basis for holding them personally liable if they fail to do so. This third and final article explores the more difficult task of deciding which best practices directors should consider adopting. Because each enterprise faces unique challenges, this process requires that directors understand their company’s cyber security risk profile and the options available for mitigating the risk.

When deciding which policies or procedures to adopt, boards should consider how their decisions will be viewed after an incident occurs. Following a loss or serious data breach, the various interested parties – stockholders, regulators, customers, politicians, media, and courts – will seek to assign blame. This chorus of finger-pointers will inevitably be looking through the distorted lens of hindsight. Directors will not be accorded the benefit of the doubt, the presumption of good faith will be thrown out the window, and a conscientious cost-benefit analysis will be characterized as a deliberate decision to sacrifice data security on the altar of corporate profits.

Cybersecurity and the board of directors: avoiding personal liability — Part II of III

By Steven L. Caponi, Compliance Complete contributing author

NEW YORK, Aug. 6 (Thomson Reuters Accelus) - The first article in this three-part series discussed how legal principles governing directors’ fiduciary duties may be applied to cybersecurity and the risks posed by cyber attacks. To summarize, Delaware’s corporate law places an affirmative obligation on fiduciaries to keep informed of serious risks facing the enterprise. The failure to exercise appropriate oversight in the face of known risks constitutes a breach of the duty of loyalty, a breach that cannot be exculpated under 8 Del. C. §102(b)(7).

In Part II of this series, we explore the “red flags” placing directors on notice of their obligation to proactively manage cyber security risks, and that expose a complacent board to costly litigation and the specter of personal liability. When evaluating whether a particular issue warrants board consideration, directors and officers should look at the nature of the risk, its potential impact on the company, and the extent to which the risk is foreseeable.

IA brief: State laws may require firms to re-think social media policies

By Jason Wallace

NEW YORK, Oct. 3 (Thomson Reuters Accelus) – Federal and state privacy legislation aiming to protect against employer access to private social media websites may put the investment industry in a bind — unable to fully supervise social-media and electronic communications used by their representatives.

Broker-dealers and investment advisory firms have been carefully embracing social media over the last few years. Firms have shaped policies and procedures that balance the needs and wants of their representatives against the need to supervise communications and ensure compliance with regulations and regulatory guidance.


Disclosures 2012: level of cyber-security risk disclosures varies after new SEC guidance

By Robert Kalb

NEW YORK, April 6 (Business Law Currents) – Ever-growing reliance on technology in customer interactions, proprietary data storage and even normal business operations is creating increased risk for companies working to ensure these systems remain uncompromised. As threats of cyber-attacks expand across industries, and given the potential material impact on operations, the security of these digital technologies from internal and external threats is vital.

Prior to newly released SEC guidance, there were no existing requirements to explicitly disclose these cyber-risks. With annual reports now being filed and sent to shareholders, companies have made varied levels of cyber-risk disclosure, and these disclosures may expand in the future with subsequent regulatory oversight.
