Is your company ready for 2014? Are your Written Information Security Programs, Risk Management Procedures and Data Incident Response Plans up-to-date, tested and up to today’s dynamic threat landscape? Are you sure? Officials at the U.S. Securities and Exchange Commission (“SEC”) recently announced plans to increase scrutiny of how asset managers at companies subject to its jurisdiction plan to detect and respond to cyber attacks. Most notably, the SEC is interested in minimizing security risks from third-party and vendor access to firms’ various systems containing financial data.
Jane Jarcho, the SEC’s national associate director for its investment adviser exam program, stressed that the Commission “will be looking at policies on IT training, vendor access and vendor due diligence, and what information you have on any vendors.”
As part of the SEC’s 2014 Examination Priorities, routine examinations of investment advisers and investment companies will include review of cyber security policies with the goal of identifying problems, given that numerous breaches occur via vendors and third parties. Case in point: the massive Target breach apparently resulted from the connection of an HVAC service vendor to Target’s systems.
Since 2011 the SEC has informally provided staff-level guidance to public companies on disclosure of material cyber attacks and any resulting effect on a company’s financial condition and risk posture.
In short, now’s the time (whether or not you’re a public company) to do an in-depth review (and, if necessary, update) of your information security, cyber risk insurance coverage and incident response plans. Though the SEC is the latest to join the party, we can help review your existing policies for prevention, detection, and response to cyber attacks and data breaches. We can also aid in IT and employee training, vetting vendor access to company systems and updating vendor service agreements. 2014 is the time to make infosec a priority.
Feel free to contact us at 203 307-2665 or via email at info@SmartedgeLawGroup.com to discuss your WISPs, incident plans, cyber risk insurance and employee training programs.