SEC update: Cybersecurity initiatives. SEC update: Cybersecurity initiatives. Intelligize // 02

Transcription

1 Intelligize // 02

2 As is tradition, at the beginning of the year, the U.S. Securities and Exchange Commission outlined both its current state of affairs and annual goals for maintaining proper compliance among all market participants from individual investors to officials of successful corporations. During the 2014 SEC Speaks Conference on Feb. 21 in Washington, D.C., chair Mary Jo White detailed the government agency s plan to specifically address a number of important issues, but chief among them was cybersecurity. As consumers and companies increasingly rely on mobile devices and other advanced technology to conduct business, the risk of damaging cyber attacks has become very real. In an effort to provide the most comprehensive look at how the SEC regulatory process works, Intelligize analyzed disclosure surrounding this rapidly growing area to see how effective the government agency has been in confronting cybersecurity, now a little more than halfway through With so many aspects to address and regulatory issues continually cropping up it hasn t exactly been easy-going for the SEC. However, some progress has been made in amending oversights and establishing clear-cut guidelines regarding cybersecurity. Intelligize // 01

3 CONTENTS 03 Cybersecurity growing in importance 04 Some new SEC rules established, more expected 05 Risk alert issued, examinations scheduled 06 Numerous industries looking to address cybersecurity risk 10 Sources Intelligize // 02

4 Cybersecurity growing in importance Actual Disclosure Language Following the breach, Target disclosed details of the incident to its affected customers and shareholders, as well as notified national media outlets and informed the SEC of the situation. Upon receiving comments from the regulator concerning potential limits to its network-security insurance deductible, the retailer responded by stating, We have a program of network-security (or cyber risk) insurance policies that insure against: the costs of detecting, remediating, and mitigating cyber breaches; the cost of credit monitoring; and reasonable expenses for defending and settling privacy and network security lawsuits. These policies are subject to a $10 million self-insured retention and a total insurance limit of $100 million, with a $50 million sublimit for Payment Card Loss (costs contractually owed to the payment card brands). Our network-security coverage contains a number of standard exclusions, none of which we believe will preclude recovery. In February, during the chairman s address at SEC Speaks 2014, White noted that cybersecurity is now among one of the biggest risks facing market participants of all sizes in both the private and public sectors. Alluding to the damaging breaches previously discovered at major retailers like Target and Neiman Marcus during which millions of consumers financial data was stolen by cyber criminals she stressed that organizations need to properly address all vulnerabilities immediately to prevent similar occurrences in the future. As part of the regulator s effort to encourage widespread comprehension of the many risks associated with cybersecurity, White announced that the agency would facilitate the sharing of pertinent information through a series of discussions detailing the best practices for a myriad of industries. The following month, as promised, the SEC hosted a roundtable in order to share critical information concerning cybersecurity and heighten awareness among market participants, as well as elicit comments from the public. On March 26, multiple panels consisting of numerous professionals from different sectors, each with a range of relevant perspectives and a great deal of expertise discussed the growing global threat, and approaches that individuals and corporations alike can take to better protect against the risk of cyber attacks. Intelligize // 03

5 Some new SEC rules established, more expected During her opening remarks at the roundtable, White mentioned the SEC s adoption of Regulation S-ID in 2013, which was designed to require specific regulated financial institutions to embrace effective identity theft programs. This new rule was reportedly built off established guidelines such as Regulation S-P, which concerns the protection of customer data. White suggested that creating a written information security policy is extremely important for firms to do moving forward. She also explained that the agency would look to move ahead with its proposed rule on Regulation Systems, Compliance and Integrity this year, which is specifically for financial institutions involved in the nation s capital markets. Under Regulation SCI, qualifying organizations would need to check automated systems for potential weaknesses and examine its disaster recovery and business continuity plans, as well as inform the regulator of all cyber attacks and recover trading and clearing operations within a certain amount of time. During his turn addressing the roundtable participants and attendees, SEC commissioner Luis Aguilar underlined the importance of adopting and implementing adequate cybersecurity measures. Cyberattacks on financial institutions have become both more frequent and more sophisticated. This is also true of cyberattacks on the infrastructure underlying the capital markets, he said. Cyberattacks aimed at these market participants can have devastating effects on our economy, on individual consumers, and on the markets and investors that the SEC was created to safeguard. Intelligize // 04

6 Risk alert issued, examinations scheduled On April 15, the SEC s Office of Compliance and Examinations issued a risk alert, noting that it planned to conduct comprehensive IT security examinations of more than 50 registered investment advisers and broker-dealers. The aim of the OCIE alert was to provide information regarding proper preparedness to compliance professionals and other members of the securities industry, as the SEC was gearing up to continue emphasizing the importance of a stronger partnership between the private sector and the government. The inspections would serve to identify areas where cooperation is needed, and supply the necessary tools to heighten firms levels of readiness. Intelligize // 05

7 Numerous industries looking to address cybersecurity risk While cyber attacks were a risk for organizations in various sectors prior to the regulator s speech, a number of companies have announced their efforts in adopting a focus on enhancing cybersecurity, in hopes of preventing potential problems and address current issues. In fact, many organizations in multiple industries have listed cybersecurity as a risk factor in their SEC disclosure checklists. Prominent businesses in the financial, technology, retail, engineering services, publishing, agricultural and energy sectors have all noted that a lapse in cybersecurity protection could lead to certain disaster. Alibaba the Chinese ecommerce company whose recent initial public offering raised a record-setting $25 billion on the New York Stock Exchange was among the many companies that listed cybersecurity as its No. 1 risk factor. The fact that one of the largest and most successful businesses currently in the marketplace has identified cybersecurity as its foremost risk should be enough to influence smaller entities to reevaluate their respective approaches toward possible breaches no matter the industry. Other corporations that listed security breaches as a top concern include Arrow Electronics, Nuvasive, United States Steel, Caterpillar and Acura Pharmaceuticals, among others. Intelligize // 06

8 Numerous industries looking to address cybersecurity risk The most disclosures came from the financial industry, which saw 387, according to figures obtained by Intelligize. A total of 350 were reported by the services industry, while manufacturing disclosures amounted to 310. The transportation, communications, electric, gas and sanitary services saw 204 disclosures, 116 were reported by the retail trade sector, as well as 87 by mining companies, 38 by wholesale trade businesses, 17 by construction organizations and two firms in the agricultural, forestry and fishing industry. FINANCIAL SERVICE MANUFACURING TRANSPORTATION, COMMUNICATION, ELECTRIC, GAS, & SANITARY FINANCIAL BANKS REAL ESTATE Of the nearly 400 finance, insurance and real estate companies that disclosed cybersecurity as a risk so far this year, 144 were banks, 93 were real estate organizations and 73 were insurance agencies, Intelligize concluded. Almost 40 security & commodity brokers, dealers, exchanges & services and investment advisors did the same, as did 37 credit agencies and one investor not elsewhere classified. RETAIL MINING WHOLESALE TRADE CONSTRUCTION AGRICULTURAL, FORESTRY, & FISHING INSURANCE 37 SECURITY & COMMODITY CREDIT Intelligize // 07

9 Numerous industries looking to address cybersecurity risk Any such breach or unauthorized access could result in significant legal and financial exposure, damage to our reputation, and a loss of confidence in the security of our products and services that could potentially have an adverse effect on our business, Google Incorporated wrote in a disclosure to the SEC, dated July 25, If an actual or perceived breach of our security occurs, the market perception of the effectiveness of our security measures could be harmed and we could lose users and customers. Following the recent hacking of several prominent individuals icloud accounts, Apple informed customers of the danger in using unsound passwords and noted that it had added new security measures, such as alerts whenever there is an attempted change in account specifics. Accordingly, other major companies are examining both their external and internal-facing measures, as a debilitating infraction could occur due to outside attacks as well as employee error or malfeasance. As cyber criminals at home and abroad utilize increasingly sophisticated methods to fleece individuals and corporations, putting the proper precautions in place is as important as ever. During the last several months, there have been well over 1,000 mentions of cybersecurity in the same time frame last year, there were only around 600. Many law firms are recognizing the danger and opportunity of cybersecurity breaches, as well. For instance, more than 250 law firm memos have been written since the beginning of the year spanning all aspects of guidance - including whether to disclose, what to disclose and how to disclose from top firms such as Skadden, Arps, Meager and Flom, Hogan Lovells and Morrison & Foerster. Intelligize // 08

10 Numerous industries looking to address cybersecurity risk Although the SEC outlined a list of objectives during its February gathering, Intelligize has found that its emphasis on addressing cybersecurity risks has been successfully met. However, while the SEC still has several months to reach its remaining goals before the end of the year, the current economic climate - which has seen records set in M&A activity and new IPOs since January - may serve to slow progress in these endeavors. In order to stay up-to-date with the latest developments concerning the SEC and cybersecurity, follow Intelligize, as we will keep you ahead of your market disclosure needs. Thanks to our cutting-edge website and high-tech applications, it s easy for law firms, accounting firms and corporations to quickly find pertinent market information and financial data. Intelligize // 09

11 SOURCES sec.gov/news/speech/detail/speech/ #.u8g7- lexology.com/library/detail.aspx?g=dad24c80-d2b bf43-0e8cd81d4544zrdwhi sec.gov/news/publicstmt/detail/publicstmt/ #.u-fidundvgh sec.gov/news/publicstmt/detail/publicstmt/ #.u-ibhundvgh sec.gov/news/speech/detail/speech/ #.u7qhu5rdxhq sec.gov/ocie/announcement/ Cybersecurity+Risk+Alert++%2526+Appendix pdf luminpdf.com/files/ /cybersecurity%20rf% pdf Intelligize // 10 6

12 INTELLIGIZE.COM Toll-free (888) General Info Customer Support Intelligize // 7