No one is clear on how the new rules will be enforced. In the event of a breach, the SEC will likely review carefully a firm’s earlier annual self-assessment of cybersecurity risks and the steps management took to address them. Although the proposed rules do not dictate specifically what a firm should do for protection—in no small part because such prescriptions would quickly become obsolete—the regulators will also likely examine closely whether the firm has followed the industry’s “best practices” on cybersecurity.
What that means precisely remains unclear. It clearly involves spending a lot more money on cybersecurity. The largest and most equipped firms will likely set the bar for the SEC’s expectations. Smaller entities will need to rely on scalable solutions and be better at informing clients. Moreover, like technology, these standards are never static and will evolve as more firms are breached and as threats change, forcing wealth managers to spend even more.
The SEC has not yet taken a position that industry participants must absolutely appoint a chief information security officer, also called a CISO, to manage cybersecurity risks, but this requirement would be consistent with its past practices….