SEC Announces 2nd Round of Cyber Exams; Judge Certifies Target Class Action; DHS Cybersecurity Improvements Needed; DoD Official Calls for Culture Change; Obama to Raise Cyber Concerns with Chinese President
SEC Announces 2nd Round of Cybersecurity Exams
The Securities and Exchange Commission (SEC) issued a Risk Alert indicating that it would begin a second round of cybersecurity-related exams to identify cybersecurity risks and assess cybersecurity preparedness among advisors and dealer-brokers. The exams are intended to address concerns regarding the integrity of the market system and customer data protection in light of recent breaches and continuing threats against the financial industry. For key takeaways on the exams, see our recent alert. The SEC conducted its first round of cybersecurity exams after issuing a Risk Alert last April, and firms failing to adopt required cybersecurity policies and procedures potentially face investigation and charges following examination.
Judge Certifies Banks’ Class Action Over Target Breach
A Minnesota federal judge certified a class action brought by financial institutions that issued cards compromised in Target Corp’s massive data breach in 2013. In doing so, the judge rejected a number of arguments raised by Target, including that the banks’ injuries (like those of consumers in prior cases) were speculative even though the banks involved had reissued nearly all cards affected by the breach and had incurred the costs of doing so. Target previously agreed to a settlement with institutions that issue Visa cards that could be worth as much as $67 million, but a proposed $19 million settlement with MasterCard fell through when not enough banks accepted the agreement.
Report: DHS Needs to Improve Cybersecurity
A report issued by the Department of Homeland Security (DHS) Office of Inspector General indicates that DHS needs to better secure its own systems. An audit of DHS and three of its component agencies – U.S. Immigration and Customs Enforcement (ICE), the National Protection and Programs Directorate (NPPD), and U.S. Secret Service (USSS) – revealed significant shortcomings that could leave networks vulnerable to attack, despite improvement from prior performance. Issues identified included the lack of a strategic implementation plan for cybersecurity and insufficient internal resources. For example, the lack of internal coordination, limited staff, and insufficient training programs were noted. The report also focuses on failures of ICE and USSS to fully implement DHS internal policies and procedures.
DoD Official Calls for Cybersecurity Culture Change
The Department of Defense’s (DoD) Chief Information Officer discussed the need for a change in culture at DoD to respond to evolving cybersecurity threats and the rapid speed of such changes. Speaking at a cybersecurity conference, Terry Halvorsen highlighted three specific areas: discipline, economics, and enterprise. Halvorsen cited U.S. dependency on cyber as both a powerful advantage in warfare and business and a unique vulnerability. He also stressed the importance of DoD leadership understanding cyber defense and incorporating that understanding at all levels of command.
President Obama Will Raise Cybersecurity Concerns with Chinese President
President Obama will reportedly raise cybersecurity concerns with China’s President Xi Jinping during their upcoming meetings. This report comes amid concerns over potential Chinese hacking of American government and commercial targets cited by the White House. National Security Advisor Susan Rice and other U.S. officials also recently met with Meng Jianzhu, secretary of the Central Political and Legal Affairs Commission of the Chinese Communist Party, to discuss concerns related to cyber issues.