Financial Transactions and Regulatory Compliance Review

Covering the latest in capital markets transactions, funds, annuities, financial reporting and SEC filings

SEC Cyber Security Enforcement: First Use of "Red Flags Rule"


In February 2018, the SEC voted unanimously to approve a statement and interpretive guidance to assist public companies in preparing disclosures about cybersecurity risks and incidents. Shortly thereafter, the SEC brought charges against Yahoo for failure to report data breaches in 2015-2016 periodic reports, and in recent months, the SEC has continued to signal their increased focus on this critical disclosure issue.

Most recently, the SEC settled charges against Voya Financial Advisors after hackers called their support line posing as clients and gleaned confidential information of 5,600 customers. The SEC determined this breach directly violated the Safeguards Rule and the Identity Theft Red Flags Rule, which is designed to protect confidential customer information and protect customers from the risk of identity theft.

This was the SEC’s first enforcement action charging violations under the Identity Theft Red Flags Rule. In light of the SEC guidance, companies can’t rely on boilerplate cybersecurity risk factors, policies and procedures in their reporting. Companies need to be specific and reflect accurate internal measures that will be followed in the event of a hack, a point also reflected in the action against Equifax. The New York Times reports that the SEC’s first-ever use of its red flags rule “should set off alarm bells for every financial firm and board of directors under the agency’s watch. Most companies are probably not in compliance with the rule and, given the agency’s increased focus on cybersecurity, they should move quickly to address any issues.”

The Voya settlement shows the SEC is paying close attention not only to an organization’s data security compliance measures, including formal written data security policies and procedures – and whether they are kept current and work in practice – but also to the need to address cyber risk at the board and C-Suite level when required. The expectation that companies have some cybersecurity expertise on their Board of Directors prompted the Senate to introduce Bill S.536 last year, the “Cybersecurity Disclosure Act of 2017.” Under this bill, public companies would be required to disclose the cyber knowledge within their Board. With the SEC’s regulatory expectations so clear, the price of ignoring this message will likely be steep.

Kara Stein, SEC Commissioner, is not only urging the SEC to require even more specific cybersecurity rules, but also pushing boards to be more diligent about their fiduciary responsibility to shareholders. In a recent speech, Stein said, “Commission rules require public companies to disclose whether boards of directors have at least one financial expert on their audit committees. Likewise, boards should consider whether they have an independent member with expert knowledge of technology and cybersecurity. If not, Boards should retain independent experts to provide it with advice.”


Toppan Vintage

Toppan Vintage is a leading international financial printing, communications and technology company dedicated to delivering a hassle-free experience with the highest quality accuracy, reliability and value for your organization’s financial printing and communications needs.

toppanvintage.com
