As the Securities and Exchange Commission more closely polices cybersecurity, companies must be careful to protect their customers' data or risk enforcement actions, says Partner Dan Schubert, in a recent video interview with Wolters Kluwer. Financial institutions, in particular, must exercise caution as they face specific federal cybersecurity guidelines, he notes.
“It seems like on an almost-daily basis new incidents and attacks are being disclosed by companies across a host of sectors,” Schubert said. “This development has caught the attention of the global regulatory community.” In the US, the SEC has taken steps to position itself as a “robust and aggressive cyber-regulator,” he said.
The SEC has several tools available to bring cyber-related enforcement actions, Schubert said. For regulated financial institutions, the SEC can employ the so-called Safeguards Rule, which requires certain financial institutions to adopt policies and procedures reasonably designed to protect customer data. The SEC has brought a number of actions under this rule in recent years, and can be expected to continue to do so in the future. The SEC may also take action against public companies for failing to disclose—or delaying disclosure of—information about a material cyber-attack.
Companies will only face increased cyber-attacks going forward, putting the onus on managers to prepare for these attacks and respond appropriately as they occur, Schubert said. Firms must stay up to date on cybersecurity rules and regulations and implement company policies in response to these growing risks, he said.
“Ultimately, while the cyber landscape will continue to evolve, I think it's fair to conclude that the SEC will continue to assert itself in order to ensure that financial institutions and public companies are in compliance with all applicable cybersecurity regulations,” Schubert said.