Fall is upon us and, even in an election year, it's not too early to begin thinking about the Securities and Exchange Commission's enforcement priorities for 2017. Regarding data protection, we predict that the SEC will continue to focus on cybersecurity and may even mandate that financial firms share information regarding cyber threats to maintain industry awareness of the risks to consumer information.
Why? Information sharing is now hitting its stride as a countermeasure in the cybersecurity world. In late 2015, the Cybersecurity Information Sharing Act (CISA) became law. CISA was designed by Congress to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes." The law, among other things, allows the U.S. government and private entities to share "cyber threat indicator" information. CISA even provides private entities immunity from suit for such sharing.
At the same time, the need to improve cybersecurity in the financial arena has not been lost on the Executive Branch. For three years in a row, the SEC has named cybersecurity a top concern, especially in connection with internal security program assessment and evaluation. This year, for example, the Office of Compliance Inspections and Examinations (OCIE) has focused on cybersecurity protocols implemented by financial firms to protect consumer information from cyberattacks. As investment advisors and broker-dealers well know, OCIE examiners ask hard questions about the effectiveness of protective procedures, and the SEC expects written policies, procedures and training to ensure security measures are implemented, systematically followed and effective.