The U.S. Securities and Exchange Commission is taking on cybersecurity. It announced last week a plan to conduct more than 50 cybersecurity examinations to identify risks and ensure broker-dealers are protecting customer information, according to Jeff Kosseff of Covington & Burling in an article on the Inside Privacy blog. Here are some key things to watch for:

  • Severe consequences: Kosseff warns that the SEC has broad authority to issue fines and penalties. “Extreme cases of inadequate security could lead to revocation of registration,” he explains, noting that this could put a firm out of business.
  • Employees and contractors: The SEC will request detailed information about employee training on security risks and responsibilities, as well as any training firms supply to their vendors and business partners, Kosseff said. “The SEC also will ask if the firm has a Chief Information Security Officer or equivalent position,” he said.
  • Remote access: The SEC will examine how employees access data remotely, how firms secure that remote access and mobile media, and what software firms use to detect malicious code on mobile devices.
  • Logging: The SEC issued guidance implying it expects firms to “adequately log activity on their networks,” Kosseff said. At the same time, the commission said firms should establish retention periods and have comprehensive data-destruction policies.

Attorney Marlisse Silver Sweeney is a freelance writer based in Vancouver. Twitter: @MarlisseSS. LTN: @lawtechnews.