The SEC Will Begin Looking at Companies’ IT Security and Data Breach Response Policies

THE POINT: Recent statements from the SEC indicate that the new standard of care for companies may require policies in place for (1) prevention, detection, and response to cyber attacks and data breaches, (2) IT training focused on security, and (3) vendor access to company systems and vendor due diligence. Do you still think your company’s policies are not that important? Wrong — you had better get them updated, and here is why.

More Lessons From Target’s Data Breach

Last week we learned that the likely penetration point for the intrusion into Target’s system that led to the massive data breach was traced back to network credentials that were stolen from a third party vendor. Apparently the vendor was a refrigeration, heating and air conditioning subcontractor that had worked at many Target locations, as well as for several other retailers. (KrebsOnSecurity) The obvious question that many are asking is, “why did Target give an HVAC company access to its network?”

Recent Statements from the SEC

While we are still searching for an answer to that question, the Securities and Exchange Commission (SEC) has already foreseen the potential problems that come about when companies give others — including vendors — access to their systems. In late January 2014, Jane Jarcho, the National Associate Director for the SEC’s Investment Adviser Exam Program, said examiners will begin looking to see whether companies have policies to prevent and detect cyber attacks and are properly safeguarding against security risks that could arise from vendors having access to their systems:

“We will be looking to see what policies are in place to prevent, detect and respond to cyber attacks,”

“We will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors,”

via SEC examiners to review how asset managers fend off cyber attacks | Reuters.

What do you think the lesson for any business is if the SEC is now making a point to begin looking to see if companies have policies in place for (1) prevention, detection, and response to cyber attacks and data breaches, (2) IT training focused on security, and (3) vendor access to the company’s system and vendor due diligence? That’s right — this is becoming the new standard of care and your company had better have them.

Now, I know what you may be thinking: “but we have a full set of policies and they were done by some really good professionals, they must cover this.” Maybe. Maybe not. The problem is not that your company did not have great professionals writing very good policies … a couple of years ago, or even last year. The problem is that we are now facing emerging issues with hacking, cyber security, and data breaches that most people did not foresee even a year or two ago (such as the Target third party vendor), so they did not know to include these issues in the policies they were writing for companies. The speed with which technology and the nature of security threats are evolving demands that companies review and, if necessary, update their policies on a yearly basis. Shouldn’t yours? Do you need to hear more?

Ok, let’s try this. Back in July 2011, I wrote a post that I titled Data Breach — Who’s Gonna Get it? The main point of the post was that data breaches were becoming so common that companies could no longer claim that they were not a foreseeable risk. Data breaches had become foreseeable and, by not taking appropriate measures to protect against them, companies were showing a callous disregard to the protection of their customers’ private information which, to the right jury, could result in a punitive damage award that would literally kill the company. Do you think data breaches are less foreseeable today than they were when I wrote about them in 2011?

Of course not! And now we not only have enterprising lawyers out there continually testing theories for how to get a data breach lawsuit to trial, but we also have substantially increased enforcement from the states’ attorneys general, the Department of Health and Human Services Office for Civil Rights, the Federal Trade Commission, and the Securities and Exchange Commission getting into the action. There will be more, as this is the new hot issue and it really does deserve your attention.

One of my favorite sayings is, “an ounce of prevention is cheaper than the very first day of litigation.”

Nothing could be more true than when it comes to the issue of policies and procedures for cyber security and data breach response plans. If your company needs policies and procedures for the types of cyber security and data breach issues discussed herein, or if you would simply like to have its existing policies reviewed to ensure they are adequate, please feel free to give me a call (469.635.1335) or email me (stuma |at| ). I have assisted many companies with data security issues, from assessing their data security strengths and vulnerabilities, helping them implement policies and procedures for better securing their data, preparing data breach incident response plans, and leading them through responses to a data breach, to litigating disputes that have arisen from data breaches. When it comes to data security, I see the whole playing field and I would be happy to use my experience to help your company as well.
