Does blasting the SEC for failing to act on warnings help cybersecurity?

On the heels of the Equifax breach, the United States Securities and Exchange Commission (SEC) disclosed on September 20, 2017, that it had been hacked way back in 2016. It further disclosed that about a month ago it learned the hackers may have used their access for illegal online trading. Given the SEC's regulatory enforcement role in investigating and bringing enforcement actions against companies that have had cybersecurity incidents, combined with its recent exercise of that power to join the Federal Trade Commission as a key regulator over cybersecurity, many are taking umbrage.

This post has nothing to do with any of that.

On July 27, 2017, the U.S. Government Accountability Office (GAO) issued a report assessing the SEC's cybersecurity posture and recommending that the SEC take specific actions to improve its cybersecurity. Effectively, this was a risk assessment. Now, in the wake of the SEC's announcement, many are jumping on the "the SEC failed to act" bandwagon. Is this a good thing to be focusing on?

As tempting as this bandwagon may be, as I thought more about it, I wondered whether this is good for cybersecurity as a whole, which led me to a couple of questions to consider:

  1. Do any of us really believe there is any organization in the United States, or even the world, that is 100% cyber secure, that is, one that has no vulnerabilities or areas for improvement?
  2. Do any of us really believe that our own organization is 100% cyber secure, having no vulnerabilities or areas for improvement?
  3. What is the first thing many experienced cybersecurity professionals are encouraging organizations to do when beginning the journey of developing and maturing their own cyber risk management program?

If you answered the last question with something to the effect of “start with a risk assessment” then you are correct.

So, if no company is 100% cyber secure and every organization should start with a risk assessment, doesn’t it stand to reason that every single organization in the world will have “warnings” that they must heed in the event they later have an incident?

And, when an organization does obtain a risk assessment, how many are able to implement every recommendation, immediately?

If it is virtually guaranteed that an organization obtaining a quality risk assessment will result in it receiving recommendations that it is unable to immediately implement, and such recommendations will later be used against it if it has an incident, does this encourage organizations to obtain a risk assessment?

What do you think? Does the “the SEC failed to act” bandwagon advance the overall cause of cybersecurity?


Cybersecurity Legal Issues: What you really need to know (slides)

Shawn Tuma delivered the presentation Cybersecurity Legal Issues: What you really need to know at a Cybersecurity Summit sponsored by the Tarleton State University School of Criminology, Criminal Justice, and Strategic Studies' Institute for Homeland Security, Cybercrime and International Criminal Justice. The presentation was on September 13, 2016 at the George Bush Institute. The following are the slides from Tuma's presentation — a video of the presentation will be posted soon!


Cybersecurity Legal Year in Review – #DtSR Podcast

Do not miss this podcast discussing key cybersecurity legal events from 2015. Shawn Tuma joined the DtSR Gang [Rafal Los (@Wh1t3Rabbit), James Jardine (@JardineSoftware), and Michael Santarcangelo (@Catalyst)] on the Down the Security Rabbit Hole podcast.

In this episode…

  • Most important cybersecurity-related legal developments of 2015
    • Tectonic Shift that occurred with “standing” in consumer data breach claims
      • Discussion of law prior to Neiman Marcus case, and post-Neiman Marcus
      • Does this now apply to all consumer data breach cases?
      • Immediate impact? Companies now liable?
      • Lesson is in seeing the trend and how incrementalism works
      • Michaels & SuperValu case dismissals in light of Neiman Marcus
  • Regulatory Trends
    • FTC & SEC gave hints in 2014, post-emergence of Target details
    • Wyndham challenged authority – came to fruition in August 2015
    • SEC not far behind – significant case in September 2015
    • Aggressiveness of FTC is substantial – FTC v. LabMD … all over LimeWire
  • Officer & Director Liability
    • 2014 – SEC Comm. fired the warning shot … pointed the finger
    • Shareholder derivative litigation
    • Individual liability of IT / Compliance / Privacy “officers”
  • Anticipated 2016 Legal Trends
    • Regulatory enforcement … which, by the way, is why NIST is becoming default
    • Shareholder Derivative – much more likely than consumer class actions at this time
    • Lessons from both of these: when you need to persuade the “money folks” that they need to act, mention D&O Liability (especially Caremark) and Regulatory focus on individuals … now they’re in the cross-hairs
    • Realization that cybersecurity is more of a legal issue than anything else (IT or business) b/c it is the legal requirements and consequences that ultimately drive everything

Go HERE to listen to the Podcast!

SEC v. R.T. Jones shows the SEC has a role in regulating cybersecurity

The federal securities laws require registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. SEC v. R.T. Jones Capital Equities Management, Consent Order (Sept. 22, 2015).

  • “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
  • R.T. Jones violated this "safeguards rule" during a four-year period when it had no such policies and hackers accessed more than 100,000 records of individuals, including its clients. The attack was traced to China; no individuals have reported financial harm.
  • This violated Rule 30(a) of Regulation S-P of the Securities Act of 1933. In settling, R.T. Jones agreed to censure and a $75,000 penalty.