The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations said that effective cybersecurity programs begin with the “right tone at the top” in a summary of observations made at SEC registrants published last week. 

OCIE said that registrants with effective cybersecurity programs had: a risk assessment process that helps identify, manage and mitigate potential cyber risks; comprehensive written policies and procedures addressing cybersecurity, coupled with ongoing testing and monitoring to confirm the effectiveness of those policies; prompt responses to testing and monitoring results, including amending policies to address any weaknesses; and robust internal communications.

Good company policies and procedures that OCIE has seen address: access rights and controls; measures to minimize potential data loss, such as vulnerability scanning, perimeter security, and capabilities that assist in identifying threats; patch management; inventory of hardware and software; encryption and network segmentation; insider threat monitoring; and securing legacy systems and equipment. Registrants also maintain policies and procedures regarding mobile devices; have incident response plans that are tested and used; ensure vendors meet cybersecurity standards; and engage in effective staff training.

In issuing its observations, OCIE made no formal recommendations, but it indicated that cybersecurity is a key priority and has been a prime element of its examination program for eight years.

Compliance Weeds: By the end of the first quarter of 2020, two states’ recently adopted cybersecurity requirements could affect out-of-state and otherwise regulated businesses.

New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act, enacted in July 2019, broadened the types of personal information subject to New York’s breach notification laws and extended breach notification obligations to all businesses – whether or not located in NY – that collect private information of NY residents. Moreover, a breach notification may be required when private information is improperly accessed even if it is not acquired, and notification to the NY Attorney General and other state agencies may be required even when reporting obligations already exist under certain federal laws. Out-of-state businesses collecting private information about NY residents may also be required to implement a data security program reasonably designed to protect the security and confidentiality of that information. The SHIELD Act’s notification requirements went into effect on October 23, 2019, while its data security requirements commence March 21, 2020. (Click here for additional information in a Katten Advisory dated August 1, 2019.)

Similarly, the California Consumer Privacy Act went into effect on January 1, 2020. The law establishes requirements for certain for-profit businesses doing business in California – even from out of state – that collect or sell consumer personal information or disclose consumer data for business purposes. The statute’s definition of personal information is also quite broad. The law provides a private right of action, and class actions appear to be possible; additionally, the state’s attorney general can bring enforcement actions. (Click here and here to access two Katten advisories regarding the CCPA published last year.)