2015 Cybersecurity Priorities

Numerous government regulators have named cybersecurity as one of their top priorities in 2015. One of these regulators, the Securities and Exchange Commission, has emphasized the importance of assessments of cybersecurity risk and preparedness, as well as providing information on priorities and timing of their 2015 examination and audit programs.

Securities and Exchange Commission
On January 13, 2015, the SEC announced its 2015 examination priorities. Through its Office of Compliance Inspections and Examinations (OCIE), the SEC examines structural risks and trends that involve multiple firms or entire industries. Among the 2015 market-wide risks the SEC has identified as priority is assessing cybersecurity controls across a range of industry participants.

This announcement follows two related announcements from 2014 showing that the SEC plans to be active in the area of assessing cybersecurity readiness and vigilance. In April 2014, the SEC announced that OCIE would be conducting examinations of more than 50 registered broker-dealers and investment advisers, focusing on areas related to cybersecurity preparedness. In addition, in June 2014, SEC Commissioner Luis Aguilar gave prepared remarks on “Cyber Risk and the Boardroom” in which he made clear the SEC expects that board members will involve themselves in the company’s cybersecurity strategy before and after a data breach. His remarks included that, “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”

To date, the SEC has not made public any enforcement actions stemming from such cybersecurity-related examinations or investigations. The stated goals of these examinations are to, “assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats” and to “promote compliance.” However, public statements from the SEC, including the speech noted above, suggest the potential for increased investigations, enforcement activity and/or penalties, particularly at the board level, for companies that do not take cybersecurity assessments seriously.

If you have any questions about how the SEC’s renewed focus on cybersecurity may impact your bank or any other questions regarding cybersecurity assessments and preparedness give ITPAC a call today.