Apr 20 2015

A Sign of What’s to Come – Reporting Cyber Vulnerabilities

This appears to be a sign of what’s to come for how companies both view and report cyber vulnerabilities. The first step for every entity is to get an information security risk assessment (which of course we would encourage), but the reality is that, whether you act or not, there is new legislation on the horizon, new rules for third-party vendors and a “New Normal” for the way business is done.

Here is an excellent example, courtesy of the SEC.  Read on, and feel free to ask questions in the comment box.

The Securities and Exchange Commission (SEC) is advancing measures requiring the disclosure of cybersecurity vulnerability information of publicly owned companies, including data breaches.

The new requirements would put pressure on companies to tighten their own security as the SEC rules would make public the extent to which personal information is secured by each firm.

In 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced that its 2014 Examination Priorities included a focus on technology, including cybersecurity preparedness. As a follow-up, on February 3, 2015, OCIE issued a Risk Alert summarizing findings from its examinations of over 100 registered investment advisers and broker-dealers, focused on how registered investment advisers identify cybersecurity risks; establish cybersecurity policies, procedures and oversight processes; protect their networks and information; identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors; and detect and handle unauthorized activities and other cyber-attacks. In 2015, these proposals could become actual regulations, and the SEC announced this week that it may soon publicly announce the results of the examinations.

This week, the White House launched an initiative intended to spur greater sharing of cyber threat information among both the private sector and governmental agencies, following all of the high-profile attacks that have been in the news.