by Avi Gesser and Clara Y. Kim
As regulators ramp up their cybersecurity enforcement, one area of increasing focus is in-house expertise. Regulators are starting to explicitly require companies to have qualified data protection personnel. For example, the New York Department of Financial Services (NYDFS) cyber rules require that companies’ cybersecurity personnel be qualified to manage the company’s cybersecurity risks, receive cybersecurity updates and training, and maintain current knowledge of cybersecurity issues.
On September 12, 2019, the Commodity Futures Trading Commission (“CFTC”) reached a $1.5M resolution with Phillip Capital Inc. (“PCI”) for a cyber breach, in which the CFTC made clear that the firm’s lack of cybersecurity training and expertise played a significant role in the decision to bring an enforcement action. PCI was the victim of a successful phishing email that compromised an account with administrative privileges. PCI reset passwords two days later, but the cybercriminals used personal information gleaned from the breach to pose as a customer and cause PCI to wire $1 million to an account in Hong Kong controlled by the criminals.
In finding that PCI violated Regulation 166.3 by failing to supervise implementation and compliance with cybersecurity policies and procedures, the CFTC made several connections between the incident and PCI’s lack of qualified cybersecurity personnel, including:
- When an IT manager who had cybersecurity responsibilities left the firm, PCI did not hire a replacement or assign a new employee with adequate qualifications to take over those responsibilities.
- The IT engineer who handled the incident for PCI had limited training in cybersecurity, and cybersecurity was not broadly within his sphere of responsibility.
- PCI’s Chief Compliance Officer had responsibility for certain IT matters, but did not have a background or familiarity with IT generally or cybersecurity specifically and was unable to adequately evaluate the sufficiency of PCI’s cybersecurity policies and trainings.
- The absence of compliance personnel who could knowledgeably assess the adequacy of its policies and procedures relating to cybersecurity resulted in PCI’s failure to grasp the importance of assessing the scope of the breach and its effect on customer data.
- The lack of experience of the PCI team was evident in its failure to consult with the firm’s written information security system program following the breach.
The CFTC’s focus on cyber qualifications and expertise is part of a trend. For example, the House of Representatives’ Committee on Oversight and Government Reform report on the Equifax breach (PDF: 2.43 MB) discussed the lack of accountability that resulted from Equifax’s ineffective organizational structure. Specifically, the report highlighted that the Chief Security Officer reported to the Chief Legal Officer, rather than to the Chief Information Officer. While Equifax’s former CEO Richard Smith received updates on occasion regarding IT security, the information “was presented by Kelley—the head of the legal department who did not have any background in IT or security—rather than Mauldin, the company’s IT security expert.” Similarly, the Senate’s Permanent Subcommittee on Investigations report on the Equifax breach (PDF: 817 KB) noted that senior managers did not attend “monthly meetings to discuss cyber threats and vulnerabilities” and that “follow-up was limited.”
It is often difficult for regulators to assess whether a company that has experienced a data breach took reasonable steps to prevent the attack and to mitigate the resulting harm. Having technical and non-technical personnel responsible for cybersecurity who have little or no experience and training is becoming a red flag for regulators in these cases.
In a job market with a significant shortage of people with cybersecurity expertise—especially in management, legal and compliance roles—companies should consider investing in cybersecurity training for employees whose responsibilities include protecting data and responding to cyber incidents.
Avi Gesser is a partner and Clara Y. Kim is an associate at Davis Polk & Wardwell LLP.
Disclaimer
The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.