SEC Prepares for More Cybersecurity Oversight
Treasury Committee Meeting Foreshadows Changes on the Way
Leading U.S. banks, and other publicly traded companies, should expect increased cybersecurity scrutiny from the Securities and Exchange Commission.
This week, during a meeting of the Treasury Department's Financial and Banking Information Infrastructure Committee, leaders of the SEC and the Commodity Futures Trading Commission, which aims to protect consumers from fraud, shared updates about their agencies' approaches to cybersecurity, as well as an overview of their examination processes, rules and other actions.
The Treasury committee focuses on improving information sharing among financial regulators, promoting public-private partnerships and enhancing the resiliency of the financial sector. And its membership reads like a who's who of regulatory authority, including Sarah Bloom Raskin, deputy secretary at the Treasury Department; Mark Gruenberg, chairman of the Federal Deposit Insurance Corp.; and Thomas J. Curry, comptroller of the Office of the Comptroller of the Currency.
While all meetings of the FBIIC are closed, the post-meeting synopsis of the committee's July 19 meeting reinforces what many cybersecurity and legal experts have been saying for months: The SEC is staking claim on its right to review the consumer privacy and data protection practices at all publicly traded companies.
At this week's meeting, SEC Chairwoman Mary Jo White and CFTC Chairman Timothy Massad discussed their agencies' strategies for ensuring cyber resiliency in the financial sector. And committee members were briefed about results from recent cyber exercises conducted to evaluate the impact of a cyber incident on the nation's financial stability, according to the meeting synopsis.
The FBI also played a role at the meeting, noting the need for more information sharing with the financial sector.
The themes discussed at this week's committee meeting repeat what I've been hearing at Information Security Media Group's recent fraud and breach prevention summits: More regulatory oversight is on the way, so brace for it.
At our Boston Fraud and Breach Prevention Summit, Randy Sabett, special counsel at law firm Cooley LLP in Washington, pointed out that because federal regulators are paying more attention to how businesses are protecting consumer information, having detailed incident response plans in place before a breach occurs is more important than ever (see Preparing for Post-Breach Regulatory Scrutiny).
"It's really an extension of what the FTC [Federal Trade Commission] started several years ago," Sabett says. "Now we're seeing, because these various other agencies, in some way shape or form, touch or have jurisdiction over some aspect of personal information, they're now all getting involved. ... They're looking at the breach side of it and going after companies in very much the same way the FTC has done over the years."
And financial fraud expert Avivah Litan, an analyst at consultancy Gartner, says the Treasury Department, in particular, is concerned about cyberthreats that continue to escalate.
"Cybersecurity threats are the No. 1 threats against the stability of the U.S. financial system," she says. "It's good they are taking this so seriously. Just by building a security awareness culture among the regulators and the regulated, they are taking a big step forward."
SEC States Concerns
For the last year, attorneys specializing in regulatory issues have warned that the SEC is taking a more hands-on approach to cybersecurity. And in recent months, the SEC has publicly stated its concerns about cybersecurity and financial stability.
In May, SEC Chairwoman White noted during a speech at the Reuters Financial Regulation Summit that cybersecurity is the biggest risk factor facing the financial system today (see SEC Chair: Cybersecurity Is No. 1 Risk).
White told conference attendees that SEC examiners were proactive about doing sweeps of broker-dealers and investment advisers to assess their defenses against a cyberattack.
The SEC, she said, had found that major exchanges, dark pools - private forums for trading securities - and clearinghouses did not have cyber policies in place to match the risks they face.
"What we found, as a general matter so far, is a lot of preparedness, a lot of awareness, but also their policies and procedures are not tailored to their particular risks," she said. "As we go out there now, we are pointing that out."
White's comments at the Reuters conference came just weeks after the last meeting of the Financial and Banking Information Infrastructure Committee in April, when Assistant to the President for Homeland Security and Counterterrorism Lisa Monaco discussed needed efforts "to better secure government and critical infrastructure."
We can expect in coming weeks to see more from the SEC and the CFTC about their plans to be more proactive about cybersecurity oversight, risk assessment and cyber examination.
Numerous legal experts have told me in recent months that the SEC and other regulatory bodies are staking their claims of jurisdiction over cybersecurity, and this week's Treasury committee meeting seems to affirm that.
Cybersecurity attorney Chris Pierson, general counsel and CISO at invoicing and payments provider Viewpost, says regulators "are communicating early and often on their expectations and changing expectations. Taking a look at committee notes, meetings and public sessions is an important way to understand the direction of the regulators, as these items later find their way into guidance."
Publicly traded banks and other businesses need to be proactive, ensuring that they are prepared to answer SEC examiners' questions about risk assessment practices and incident response plans.
Why are the SEC, CFTC, FTC and others so interested in ensuring they have jurisdiction to enforce penalties for lax cybersecurity? We'll explore that question at our upcoming New York Fraud and Breach Prevention Summit on Aug. 2 and 3, which will feature a panel discussion on the subject.