It is no surprise that numerous government regulators have listed cybersecurity amongst their priorities for 2015. This past week, two of these regulators – the Securities and Exchange Commission and the Office for Civil Rights of the Department of Health and Human Services – highlighted the importance of assessing cybersecurity risks and preparedness, while also providing information on priorities and timing of their 2015 examination and audit programs.
Securities and Exchange Commission
On January 13, 2015, the Securities and Exchange Commission (“SEC”) announced its 2015 examination priorities. Through its Office of Compliance Inspections and Examinations (“OCIE”), the SEC examines structural risks and trends that involve multiple firms or entire industries. “Our examination program collects information for the Commission on a range of important trends, issues, and risks,” said SEC Chair Mary Jo White. She continued that, “OCIE helps us to maintain a strong presence with SEC registrants and to make a positive impact for the benefit of investors and our markets.” Amongst the 2015 market-wide risks the SEC has identified as a priority is “assessing cybersecurity controls across a range of industry participants.”
This recent announcement tracks two related announcements from 2014 showing that the SEC plans to be active in the area of assessing cybersecurity readiness and vigilance. In April 2014, the SEC announced that OCIE would be conducting examinations of more than 50 registered broker-dealers and investment advisers, focusing on areas related to cybersecurity preparedness. In addition, in June 2014, SEC Commissioner Luis Aguilar gave prepared remarks on “Cyber Risk and the Boardroom” in which he made clear the SEC expects that board members will involve themselves in the company’s cybersecurity strategy before and after a data breach. His remarks included that, “[b]oards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”
To date, the SEC has not made public any enforcement actions stemming from such cybersecurity-related examinations or investigations. The stated goals of these examinations are to “assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats” and to “promote compliance.” However, public statements from the SEC, including the speech noted above, suggest the potential for increased investigations, enforcement activity and/or penalties, particularly at the board level, for companies that do not take cybersecurity assessments seriously.
Department of Health and Human Services
On January 13, 2015, in written remarks to legal news outlet LAW 360, Jocelyn Samuels, Director of the Office for Civil Rights (“OCR”) at the Department of Health and Human Services (“DHHS”), highlighted increased cybersecurity risks for healthcare companies under strict obligations to protect sensitive patient data. As cyber-attacks on these entities increase, so do HIPAA privacy breaches. “We are certainly seeing a rise in the number of individuals affected by hacking [and information technology] incidents, as reported by entities under our breach notification requirements, especially those due to malware compromising the security of information technology resources,” Director Samuels wrote to LAW 360. In addition, Director Samuels wrote that, “[a]ny organization that holds sensitive data is at risk, and this is why it is so important that HIPAA covered entities and their business associates assess and address the risks to the [electronic protected health information] they hold on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
Separately, on January 13, 2015, Director Samuels also commented on the timing of the next round of HIPAA compliance audits by the OCR. During a media roundtable, Samuels said that the next round of audits – the first stage of which was conducted in 2011 and 2012 – will be implemented “expeditiously” and will be accompanied by new audit guidelines. However, no specific timetable for beginning the audits was announced, and Samuels encouraged HIPAA-covered entities to monitor the OCR website in the coming weeks and months for additional timing updates and guidance. When asked whether these upcoming audits will be “educational” or, in the alternative, whether they will also be used for enforcement, Samuels replied only that the audits will join OCR’s “existing arsenal of tools…to proactively identify areas of [HIPAA] compliance concern[s].”