
SEC eyes more expansive cybersecurity requirements

New rules for publicly traded companies could add protections for consumer information, strengthen incident reporting, and require assessment of third-party risk.

Gary Gensler, chair of the Securities and Exchange Commission (SEC), has laid out an ambitious cybersecurity plan for his agency that could give it a far more expansive regulatory footprint than it currently has. Speaking to Northwestern Pritzker School of Law’s Annual Securities Regulation Institute, Gensler said that “the financial sector remains a very real target of cyberattacks” and is becoming “increasingly embedded within society’s critical infrastructure.”

Although the SEC participates in several advisory bodies, such as the Financial Stability Oversight Council (FSOC) and the Financial and Banking Information Infrastructure Committee (FBIIC), among others, that deal directly with cybersecurity requirements, the agency has no hard and fast cybersecurity rules or cybersecurity incident reporting requirements for publicly traded companies. It does, however, have data protection and other security requirements for the financial segments it directly regulates, including exchanges, brokers, financial advisers, and others.

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by lo lo on Unsplash



FTC, SEC raise legal risks surrounding the Log4j flaw

The U.S. Federal Trade Commission also threatened possible legal action against companies that don’t address the risk from the Log4j vulnerabilities.

Last week, the U.S. Federal Trade Commission (FTC) issued a warning to companies to remediate the serious vulnerability in the popular open-source Java logging package Log4j to avoid future legal action. In issuing its notice, the FTC underscored that organizations have legal obligations “to take reasonable steps to mitigate known software vulnerabilities.”

The FTC also invoked the cautionary tale of credit rating agency Equifax, which in 2017 failed to patch a known vulnerability and irreversibly exposed the personal information of 147 million consumers. Consequently, Equifax was forced to pay up to $700 million as part of a global settlement with the FTC, the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states.

The FTC says it “intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j or similar known vulnerabilities in the future.” Some legal experts consider the FTC’s warning “an unusual but interesting move.” Others say it’s a continuation of the Biden administration’s more muscular stance on a spectrum of cybersecurity issues.

“I really believe that the FTC is laying down a marker and it fits within the broader mosaic of how the executive branch is addressing cyber threats and the responsibility of the private sector to address them,” Scott Ferber, partner at McDermott Will & Emery, tells CSO. “It’s been a mix of carrot and stick, although some might say more stick than carrot, particularly regarding industries and sectors that are regulated, whether it’s critical infrastructure, finance or government contractors.”

This article appeared in CSO Online. To read the rest of the article please visit here.

Photo by Tingey Injury Law Firm on Unsplash