If the Securities and Exchange Commission’s February 2018 guidance on cybersecurity represented a wake-up call, the September 26 enforcement settlement involving a one million dollar penalty for failure to have appropriate cybersecurity measures in place should be an alarm bell for both executives and boards of directors.
The SEC’s guidance is based on the fact that an organization’s financial, operational and technology systems are intertwined, and that protecting the integrity of both a company’s books and its sensitive customer information is inextricably linked to cybersecurity.
The message associated with this settlement and penalty is clear. The SEC expects companies not only to have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures that assure they are working as intended.
There is also an expectation that management and boards understand that cybersecurity is not a “one and done” proposition. As an organization’s business evolves and technology changes, the policies and procedures, along with their associated compliance measures, must change with them. Cybersecurity must be as dynamic as the risks to the systems. System monitoring is becoming a recognized (and expected) best practice.
It is also clear that an organization cannot limit its concern about cybersecurity to its own cyber-operations. Those who can access your systems – independent contractors, partner organizations, supply chain partners or vendors – and those with whom you share nonpublic data must also be considered. The September 26 settlement involved attackers who established or took over – through social engineering – independent contractor accounts to commit crimes through the company’s systems.
In a case involving a company that suffered significant data breaches, analysis showed it had comprehensive cybersecurity standards and policies that it described as “aspirational” rather than what it had actually committed to do. The SEC – as well as other regulators and potential class-action plaintiffs – expects a match between stated standards and the controls that are actually in place. Without periodic and independent evaluations, active monitoring, and anomaly identification and evaluation, there is a risk of actual practice deviating from the expectations set out in a company’s standards.
Even when an organization has commercially reasonable standards that comply with legal and regulatory requirements, it is the gap between those expectations and reality that leads to problems. Just as hackers look for and exploit vulnerabilities in systems and procedures, regulators and investors will be greatly troubled by gaps that the organization’s own cybersecurity practices should have covered.
Actual problems identified through monitoring, compliance and audit processes represent another input to the continuous improvement process.
The SEC’s action clearly shows it is serious about this issue, and that it is staffed and ready to conduct enforcement actions relating to cybersecurity.
How can we help?
Kroll, a division of Duff & Phelps, has helped clients in the cybersecurity space for over 30 years. We understand that even the best-intentioned cybersecurity processes can fail or fail to evolve.
Our experience indicates that the biggest danger faced by managers and directors in considering the SEC’s guidance and enforcement actions is not knowing the actual state of cybersecurity implemented within their organizations. Without actual and detailed knowledge, risk can’t be assessed, and effective response becomes difficult or impossible.
Kroll has methods to efficiently assess an organization’s cybersecurity standards and policies, and to determine how effectively a compliance program assures that the standards are implemented. A well-considered risk assessment and an understanding of your organization’s cybersecurity posture are critical to addressing identified gaps.
Where gaps exist, we help organizations to improve their standards and policies, to mitigate risks and consider opportunities for risk transfer. We can provide a professional to act as a Chief Information Security Officer on a dedicated basis until an appropriate candidate is located, or a shared CISO on an ongoing basis. For organizations subject to the Payment Card Industry Data Security Standard, it is important to know that we are a Qualified Security Assessor under the PCI program.
We also help clients assure that their cyber incident response programs are ready to implement when a problem arises. Our specialists can create and run customized tabletop exercises to determine operational readiness.
Given the prior SEC cybersecurity guidance and the September 26 enforcement announcement, firms cannot simply assume that their cybersecurity complies with the guidance and best practices.