The media was abuzz last week about one of the biggest threats to website security in quite some time. Dubbed “Heartbleed,” the bug is a flaw in widely used encryption software that allows hackers to obtain confidential information without leaving a trace. This one apparently went undetected for years at some of the most sophisticated organizations. As scary as this may be—it’s the discovery of how strongly the regulators feel about cybersecurity that sends chills down the spines of many players in the U.S. marketplace. Until recently, some potential regulators had gone as undetected as the cyber-criminals themselves. Only last Monday, a U.S. District Court held that the Federal Trade Commission could bring suits against companies with unreasonable data security safeguards—even before any data breach has occurred. Of course, the FTC is likely to go after companies that maintain large amounts of personal data. This particular case was against a major hotel chain and involved the information of over 600,000 individuals. Still, any widely-publicized event, even one occurring at a smaller organization, now brings the possibility of a knock on the door from the FTC.
The potential for a knock on the door from the U.S. financial regulators is another thought keeping folks awake at night. Both the SEC and FINRA, for example, are in the process of conducting cybersecurity exams. Expect these to be comprehensive and to lead to further guidance that firms proactively address cyber-risks. Proactive is the key here, in terms of undertaking cybersecurity risk assessments, developing a process to detect unauthorized activity, building incident response plans, developing internal policies and procedures, training employees, testing networks and determining when it is important to make sure that vendors and business partners do the same. Regulators are likely to question whether a firm has implemented identity theft red flag procedures, which may be required under rules adopted last year by the SEC and CFTC. (RFG offers a “health check” tool that firms can use to identify their obligations under these rules and test whether they are in compliance. Contact us to learn more.) They are also carefully looking at and considering revisions to disclosure requirements. Watch for acceptable standards to morph rapidly as the cyber-crime area is tackled in the coming months.
We encourage firms looking for help staying on top of these issues to contact Information@RegFG.com to learn about our support services.