On Wednesday, September 20, 2017, Chairman Jay Clayton of the U.S. Securities and Exchange Commission (the “Commission”) released a public statement addressing cybersecurity risks.
Chairman Clayton’s statement is part of an ongoing effort to communicate the Commission’s approach to cybersecurity in connection with the May 2017 assessments of the Commission’s internal cybersecurity and of its approach to cybersecurity as a regulatory agency.
SEC Chairman Jay Clayton, Co-Directors of Enforcement Stephanie Avakian and Steven Peikin, and Acting Director of the Office of Compliance, Inspections and Examinations (“OCIE”) Peter Driscoll participated in a panel discussion on Tuesday, September 5, at NYU Law School. The moderated discussion, followed by questions from the audience, was titled “The Securities and Exchange Commission: Priorities Going Forward.”
In sum, the SEC officials emphasized that investors should expect no major shift from the SEC in terms of enforcement or examinations. While there has been some discussion in recent months of frauds victimizing retail investors, there will not be a major paradigm shift in the kinds of cases the Commission will focus on. The panelists also spent a significant amount of time discussing cybersecurity and cyber-related enforcement actions, as well as the SEC’s increased use of big data in investigations and examinations.
In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices with respect to the issues highlighted by the SEC.
Despite the increase in cyberattacks and data breaches against large corporations, directors have avoided personal liability. In three recent data breaches—Wyndham, Target, and Home Depot—shareholders have unsuccessfully brought derivative claims against directors. These Caremark claims against directors have failed because oversight duties for cybersecurity are not yet specific enough to establish that directors deliberately breached a known duty of care.
The current protection that directors have enjoyed from cybersecurity-related Caremark suits may soon come to an end. New and pending regulations from the New York Department of Financial Services and the Federal Reserve System provide more specific cybersecurity guidance for corporations. Failing to comply with these more detailed regulations prior to a cyberattack may increase the possibility that directors will be held liable for violating their Caremark oversight duties. Accordingly, directors should familiarize themselves with these new regulations that are applicable to the corporations they serve, and develop best practices to both protect corporate data and inoculate themselves from personal liability.
An important transformation is happening in the financial industry. The rise of new technology and compliance has dramatically altered many of the key functions and functionaries of modern finance. Artificial intelligence, algorithmic programs, and supercomputers, instead of human actors, now constitute the core of many financial operations. At the same time, compliance officers have become just as critical to financial institutions as traders, bankers, and analysts. Finance as we knew it has changed and continues to change.
My recent article, Compliance, Technology, and Modern Finance, offers a detailed commentary on these unfolding changes—the crosscutting developments in compliance, technology, and modern finance. It examines the concurrent and intersecting ascents of new financial technology and compliance as well as the potential perils linked with their ascents. It also highlights the larger implications of the changing financial landscape due to the growing roles of new technology and compliance. In particular, it focuses on the challenges of financial cybersecurity, the integration of technology and compliance, and the role of humans in modern finance.
Companies seeking to mitigate that risk of cybersecurity whistleblowing through insurance face a unique set of challenges. Cyber whistleblower claims fall in an area somewhere between cyber and D&O insurance, and poorly structured policies will yield little to no coverage. Organizations that have placed both policies nonetheless will likely assume that they have performed their due diligence and that coverage is in place for claims at time of loss. However, affording broad coverage for even standard whistleblower claims can be difficult.
Last fall, with some fanfare, the New York State Department of Financial Services (DFS) announced proposed cybersecurity regulations. As we previously reported, in a break from prior, high-level standards, the proposed regulations shifted toward a more prescriptive approach, mandating specific policies, onerous government notification requirements, and hands-on oversight from corporate leaders. Commentators and financial industry groups pushed back during the comment period. In response, on December 28, 2016, DFS released revised regulations, which, subject to further comment, will now become effective on March 1, 2017.
Your company’s security controls are lacking, and a high-level employee in IT is naturally worried; he has addressed his concerns a number of times. Employees are regularly transmitting unencrypted information, sharing passwords, and using non-compliant cloud services to share data and sensitive client-side IP. This doesn’t seem overly alarming, we’ve all made similar mistakes, so the comments fall on deaf ears and operations continue. A few months later, however, the employee becomes increasingly vocal, so senior management decides to let him go. Problem solved. Or…the problem might just be beginning.
Companies that ignore (and retaliate against) employees who address cybersecurity vulnerabilities can face significantly increased liability resulting from a new breed of whistleblower claims – cyber whistleblowing. With cyber regulatory oversight increasing at a rapid rate, these claims are poised to increase as well. While no federal laws specifically protect cybersecurity whistleblowers, existing anti-retaliation provisions are often broad enough to cover employees who raise information security concerns. Most notably, federal statutes prohibiting retaliation against corporate whistleblowers and employees who report misconduct in connection with federal funds, as well as state wrongful discharge actions, may apply to cybersecurity whistleblowers.
As ever-increasing cyber attacks target companies in the financial sector and beyond, financial regulators in New York and Washington, D.C. have focused their attention on cybersecurity risk. On October 19, federal banking regulators sought comments, due January 17, 2017, on enhanced cyber risk-management standards for major financial institutions. Meanwhile, the New York State Department of Financial Services (DFS) recently announced detailed regulations, requiring covered institutions (entities authorized under New York State banking, insurance, or financial services laws) to meet strict minimum cybersecurity standards. And yesterday, the Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an advisory on the reporting of cyber events under the Bank Secrecy Act.