Securities and Exchange Commission Chair Mary Jo White emphasized the agency’s focus on cybersecurity preparedness and response at a conference in Washington, D.C. in mid-May, stating “we can’t do enough in this sector.” Reuters reports that Chair White views cybersecurity as the biggest risk facing the financial system, quoting her as saying that “what we [have] found … is a lot of preparedness, a lot of awareness but also … policies and procedures [that] are not tailored to [entities’] particular risks.”
These statements follow in the wake of continued attention by the SEC to cybersecurity issues. Public issuers of securities have been put on notice of the commission’s interest in the area, which has manifested in the form of disclosure guidance, a statement by then-Commissioner Aguilar that boards should work with management to evaluate how cybersecurity policies map to the NIST Cybersecurity Framework, and at least one publicly disclosed investigation focusing on Target following a data breach.
In addition to exercising and affirming its mandate over disclosures by public issuers, the SEC has subjected entities under its specific regulation and oversight – such as registered investment advisers and broker-dealers – to examinations focused on cybersecurity, and its Office of Compliance Inspections and Examinations issued a particularly significant Risk Alert on cybersecurity in September 2015.
While Chair White’s statements are not surprising to those closely watching the SEC’s growing interest in the area, regulated entities – and, to a certain extent, potentially even public issuers – are once again put on notice that the SEC views the development and implementation of specific programs and policies to mitigate cybersecurity risks and respond to incidents as a necessary element of corporate governance.