Cybersecurity is going to be “a ‘hot’ regulatory issue for the foreseeable future,” according to Brian Rubin, John Walsh and Shanyn Gillespie of the law firm Sutherland who recently penned a legal alert titled “Cybersecurity Issues in the Financial Services Industry: Fasten your cyber belts, it’s going to be a bumpy night.”
The threat of cyberattacks is rising, not diminishing, they wrote, and as the threat grows, “regulatory interest is likely to expand.” What’s more, as data breaches continue to generate headlines, regulators will likely face mounting pressure from Congress and the public to act in this area. “Future regulatory and enforcement actions are therefore anticipated” and could result in “significant” fines, the lawyers warned.
Indeed, the lawyers noted that the “best predictor of future cybersecurity enforcement activity is past enforcement activity.” They listed what they see as possible avenues the SEC and FINRA may take when they bring enforcement actions:
Future SEC and FINRA cybersecurity enforcement actions may be based on violations of the Safeguard Rule, with the regulators likely to focus on: adequacy of cybersecurity policies, procedures and controls; a firm’s compliance with its cybersecurity policies and procedures; adequacy of periodic assessments of cybersecurity policies, procedures and controls; responding appropriately and promptly to any cybersecurity deficiencies detected; protecting non-public customer information with suitable technology and strong user access restrictions; protecting non-public customer information shared with vendors; and responding appropriately to data breaches.
Many future cybersecurity enforcement actions will likely be based on actual data breaches. Of the past enforcement actions, 64% involved actual data breaches rather than just vulnerabilities that could have resulted in breaches. In this regard, the regulators may assert that a firm that experiences an actual data breach failed, by definition, to comply with the Safeguard Rule.
Actual customer harm is not required, however. The regulators may still bring enforcement actions in cases where non-public customer information has been exposed to unauthorized access, even if the information was not actually misused.
Responding promptly and appropriately to cybersecurity breaches may not be enough to prevent an enforcement action. However, regulators should consider remedial efforts in assessing sanctions.
In addition to Regulation S-P violations (the SEC adopted Reg S-P privacy rules in 2013 for entities under its jurisdiction, including registered broker-dealers (BDs) and advisors), the SEC will also likely review identity theft procedures and practices “in the near future, which could lead to enforcement activity,” the lawyers said.