David Bodenheimer, Justin P. Murphy

On January 9, the Securities & Exchange Commission (“SEC”) released its National Examination Priorities (“NEP”) for 2014 and once again identified cybersecurity as a heightened risk that the agency intends to scrutinize as part of its mission to protect investors.  The NEP identifies technology — specifically, companies’ governance and supervision of IT systems, information security, and response readiness — as one of its most significant initiatives for 2014.  The NEP’s Broker-Dealer Exam Program also identifies market access controls related to “information leakage and cyber security” as a core risk on which the agency will focus in the coming year.

We wrote in a previous post about the SEC’s intensifying focus on corporations’ cybersecurity efforts – and on their cybersecurity weaknesses and risks.  Cybersecurity has continued to be a focal point for the SEC, especially in the face of mounting Congressional pressure on the agency to demand more transparency from companies about their cybersecurity risks and steps taken to address those risks, and recent reports of cyberattacks against U.S. companies and the massive costs to those companies that result.  SEC Chair Mary Jo White noted in a speech to the National Association of Corporate Directors in October that cybersecurity was a “hot topic from many perspectives.”  This year’s NEP is the latest sign that corporate cyber risks and incidents will remain in the agency spotlight in 2014.

The SEC’s focus on cybersecurity makes it critical for companies to assess whether a cybersecurity incident or risk is sufficiently “material” under the SEC cybersecurity guidance to warrant a disclosure in their SEC filings.  This should impact the conduct of private companies as well as public companies, in part because of the significant financial and reputational costs that companies can incur from cyberattacks.  In a recent study of CIOs and CTOs by PricewaterhouseCoopers, Carnegie Mellon, and the U.S. Secret Service, when asked whether their organization has a formalized response plan for cyberattacks, 48% responded either “no” or “don’t know.”  Of the 52% who responded “yes,” only 26% said they test the plan at least once a year.  Corporate failures to assess cybersecurity vulnerabilities and to develop formalized response plans that address them are precisely the types of failures in governance of IT security that the SEC will examine in the coming year.