Recent SEC guidance and enforcement actions suggest that reactive firms may be in the SEC’s crosshairs.
In an environment where even the largest and most powerful corporations have fallen victim to data breaches, it can be challenging to fathom how to protect against the sophisticated and ever-evolving threat of cyber attacks.
The US Securities and Exchange Commission (SEC) and other regulatory law enforcers are making clear that companies, broker-dealers, financial advisers, and others must make cybersecurity—both before and after an incident—a priority. The failure to take proactive measures, such as establishing and implementing written cybersecurity policies and procedures, can itself be actionable, even in instances without a cyber attack. When a firm experiences a data breach, it faces significant business consequences, and the breach also increases the risk that regulators will evaluate the firm’s cybersecurity policies and initiate an enforcement review.