Discerning Data

A Faegre Drinker Blog Covering the Latest in Privacy, Cybersecurity and Data Strategy
Death, Taxes and Cybersecurity

If Ben Franklin were alive today, he would add cybersecurity to his famous quote “…in this world nothing can be said to be certain, except death and taxes.” Cybersecurity is top of mind in every organization, in part because of the recent massive ransomware attacks, new federal and state regulations (including the New York Department of Financial Services’ Cybersecurity Regulation) and the upcoming effective date of the European Union’s General Data Protection Regulation (GDPR). There is no one-size-fits-all solution for organizations that want to shore up their cybersecurity vulnerabilities, but there is a lot of useful reporting and advice from federal government agencies.

In July, the Federal Trade Commission (FTC) launched its “Stick with Security” initiative, which includes publishing business blog posts and other communications each Friday. These blog posts offer practical advice on how the FTC Act applies to data security, informed by the 60+ complaints and orders announced since the Start with Security handbook was first published, as well as lessons learned from investigations that have been closed by staff.

Other federal agencies, including the Securities and Exchange Commission (SEC), have also recently issued important guidance. In August, the SEC’s Office of Compliance Inspections and Examinations (OCIE) published Observations from Cybersecurity Examinations, which describes lessons learned from examinations of 75 firms, including broker-dealers, investment advisers and investment funds registered with the SEC, conducted to assess industry practices and legal compliance issues associated with cybersecurity preparedness. The OCIE review noted improvement since its 2014 report, observing that most, if not all, of these entities maintained cybersecurity-related written policies, conducted periodic risk assessments of critical systems to identify cybersecurity threats and vulnerabilities, and conducted penetration tests and/or vulnerability scans. Most entities use some form of system, utility or tool to prevent, detect and monitor data loss as it relates to personally identifiable information and other proprietary data, and have processes in place to ensure regular system updates, including installation of software patches.

While there was general improvement, the OCIE staff noted that a majority of the entities examined still had issues with their policies and procedures, and recommended the following:

  • Reasonably tailoring policies and procedures, with more practical guidance for employees based on their specific digital environment and implementation needs
  • Regularly enforcing policies and procedures so that they match actual employee practices
  • Ensuring that software patches are applied and that legacy systems are replaced
  • Remediating any known vulnerabilities or findings from penetration tests

The OCIE staff also highlighted certain policies and procedures that are the hallmark of more robust programs, such as:

  • Maintenance of an inventory of data, information and vendors
  • Detailed cybersecurity-related instruction relating to, for example, penetration tests, security monitoring and system auditing, access rights and reporting
  • Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities, including patch management policies
  • Established and enforced controls to access data and systems, such as implementation of detailed “acceptable use” policies, required and enforced restrictions on mobile devices, and required periodic logs from vendors
  • Mandatory employee training
  • Engaged senior management

These principles should not surprise those who follow cybersecurity developments, because they are largely drawn from existing sector-specific regulations, which call for:

  • Knowledge of the entities’ data assets
  • Cybersecurity policies, procedures and controls
  • Proactive cybersecurity activities
  • Qualified cybersecurity personnel
  • Breach preparedness and reporting
  • Employee awareness and training
  • Engaged senior management

Unlike death and taxes, which cannot be completely avoided, good cybersecurity practices – whether in the financial sector or others – can help protect companies from regulatory sanctions, reduce the risk of harm from cyber attacks, and, more importantly, retain the public trust.

The material contained in this communication is informational, general in nature and does not constitute legal advice. The material contained in this communication should not be relied upon or used without consulting a lawyer to consider your specific circumstances. This communication was published on the date specified and may not include any changes in the topics, laws, rules or regulations covered. Receipt of this communication does not establish an attorney-client relationship. In some jurisdictions, this communication may be considered attorney advertising.
August 24, 2017
Written by: Discerning Data Editorial Board
Category: Cybersecurity, Financial Services
Tags: FTC, GDPR, New York Financial Services Cyber Regulations, SEC