Cybersecurity Guidance from the SEC

Last week, the Securities and Exchange Commission joined the group of regulators issuing public guidance on cybersecurity matters. The SEC has taken this public position in light of the risk that cyberthreat actors pose to publicly traded companies and, by extension, to national financial markets.

Although their new guidelines do not have the force of binding law, the suggestions offered by the SEC are likely to become “best practices” against which regulated companies are judged in case of a cyber-incident. In addition, in the absence of cyber regulations for unregulated companies, these guidelines are likely to become a de facto standard for privately held businesses as well. They are, therefore, well worth studying and incorporating into any company’s planning. Finally, the guidelines take a common sense approach and lay out several areas that, intuitively, ought to be part of any organization’s cyber planning. In this, they emulate long-standing guidance from cyber professionals and other industries.

The areas addressed by the SEC include the following:

• Governance and risk management;
• Access rights and controls;
• Data loss prevention;
• Mobile security;
• Incident response and operational resiliency;
• Vendor management; and
• Training and awareness.

As is clear from this list, the SEC’s new guidelines largely address operational matters. They are not reliant on hyper-technical issues. Even small companies that do not have sweeping compliance or security programs can address such ordinary matters as governance, rules, training, and vendor management.

Cyberthreats are not “one size fits all.” With its commonsense focus of operational realities, the SEC has created helpful guidelines for any company, regardless of size or resources (and regardless whether it is publicly traded) to assess and improve its capability to prevent, detect, and react to threats to the data it holds. In addition, the SEC is advancing the public discussion about what any company ought to consider its minimum best practices in this area. This helps create resiliency for businesses of all sizes. It is also the latest indicator that ignorance will not be a helpful defense for any company that suffers a cyber-incident.