Last week, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) released an updated Cybersecurity Framework that revises NIST’s baseline recommendations for the design of cybersecurity risk management programs. In announcing its release, Commerce Secretary Wilbur Ross described the updated Framework as “a must do for all CEOs” and recommended that “every company” adopt the Framework as its “first line of defense.” As with the prior version, the updated NIST Framework provides a useful tool to guide and benchmark company approaches to cybersecurity risk and will impact how regulators evaluate cybersecurity programs and incident responses across sectors.
Yesterday, in keeping with a heightened governmental focus on cybersecurity, as exemplified by the Justice Department’s formation of a new Cyber-Digital Task Force earlier this week, the Securities and Exchange Commission announced new guidance on cybersecurity disclosures by public companies (the “Guidance”).
Much of the Guidance tracks 2011 interpretive guidance from the SEC’s Division of Corporation Finance and retains a focus on “material” cyber risks and incidents. However, the expanded details and heightened pressure to disclose indicated in the Guidance, along with its issuance by the Commission itself, signal that the SEC expects public companies to consider more detailed disclosure of cyber risks and incidents, and to maintain “comprehensive” policies and procedures in this area. The SEC is also encouraging, though not requiring, forward-leaning approaches, such as disclosures about the company’s cyber risk management program and about the board of directors’ engagement with management on cybersecurity issues. SEC Chairman Jay Clayton has also directed SEC staff to monitor corporate cyber disclosures.
In a stinging rebuke, the Federal Reserve on February 2nd issued an enforcement action barring Wells Fargo from increasing its total assets and mandating substantial corporate governance and risk management actions. The Federal Reserve noted in its press release that Wells will replace three current board members by April and a fourth board member by the end of the year. In addition, the Federal Reserve released three supervisory letters publicly censuring Wells’ board of directors, former Chairman and CEO John Stumpf and a past lead independent director. These actions are a sharp departure from precedent, both in their severity and their public nature. They come on the heels of significant actions already taken by Wells, including appointing a former Federal Reserve governor as independent Chair and replacing a number of independent directors as well as its General Counsel.
In August 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the Securities and Exchange Commission released the results of its second Cybersecurity Initiative, which examined cybersecurity-related preparedness and implementation efforts by 75 regulated financial entities. The resulting OCIE Risk Alert depicts an industry demonstrating heightened sensitivity to cyber risks, but also experiencing gaps between policy ambition and day-to-day execution, and confronting growing pains associated with accelerated change, including the introduction of significant new policies and procedures that may lack focus or consistent implementation. While the Risk Alert directly addresses the cybersecurity procedures of broker-dealers, investment advisers, and other SEC-regulated entities, companies in all industries should consider assessing their practices against the issues highlighted by the SEC.