SEC Releases Cybersecurity Guidance, Highlights Compliance Role
From the post:
The SEC’s Division of Investment Management recently released cybersecurity guidance highlighting best practices and warning that cybersecurity breaches and deficiencies in cybersecurity programs could cause funds and advisers to run afoul of securities laws. Importantly, the guidance places significant obligations on compliance officers to ensure that funds have adopted adequate cybersecurity policies and procedures.
The guidance recommends that funds and advisers conduct periodic cybersecurity assessments; create a strategy to prevent, identify, and respond to cyber threats; and implement the strategy through policies, procedures, and training that help to guide officers and employees and monitor compliance. According to the guidance, periodic assessments should include attention to internal and external vulnerabilities as well as the likely effects of a breach so that funds and advisers can better assess and mitigate risk. With respect to cybersecurity strategies, funds and advisers should consider exerting tighter control over data access, ramping up encryption, limiting the use of removable storage media to prevent data theft, monitoring system access, backing up data, developing an incident response plan, and implementing routine testing.
…
First step, make cybersecurity breaches into violations of something important, like securities laws.
Second step, prosecute violations of securities laws rooted in cybersecurity breaches.
Third step, defendants in securities actions take an interest in spreading the joy of securities liabilities.
Fourth step, software liability doctrines develop in the context of securities litigation.
Liability for software defects is coming.
The question is whether it will develop piecemeal and unexpectedly, or in a comprehensive and moderated fashion.
How’s your appetite for risk?
I first saw this in a tweet by Milo Camacho.