For the last 18 months, the Securities and Exchange Commission has been telling companies to pay more attention to cyber security.
Within the last six weeks, however, the message has taken on a new urgency: "You need to pay a lot more attention to cyber security, and we really mean it."
Compliance officers should prepare themselves, because that message is not directed to the IT security department. Rather, the SEC has been flagging what it sees as poor policy and procedure for cyber security — with the implicit threat that enforcement action is coming for those firms that continue to give policy and procedure short shrift.
We already have one notable enforcement action on the books. In September the SEC fined an Iowa financial firm $1 million for sloppy governance of outside sales agents. Data thieves posed as contracted sales agents, and duped the firm into sending them password reset emails. The thieves used those resets to open bogus accounts and steal personal data of the firm’s customers.
That’s a violation of the SEC’s Identity Theft Red Flags Rule — which the SEC had never enforced until now. The SEC complaint details how the Iowa firm had not updated its authentication procedures for nine years, even after data thieves had run this scam on the firm before.
Then came a special report from the SEC Enforcement Division in October. The report examined cyber security failures at nine large companies where thieves tricked employees into wiring company money to overseas bank accounts. Total amount swindled: nearly $100 million.
In all these cases, traditional cyber security — firewalls, packet-sniffers, blocked IP addresses, and the like — would not have been much help. As the SEC noted in its report:
These frauds were not sophisticated in design or the use of technology; instead, they relied on technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.
Such weaknesses, the SEC warned, can qualify as violations of federal securities law. Section 13(b) of the Exchange Act requires companies to maintain effective accounting control — and falling for scams like these ain’t that.
It’s About the Control Environment
Effective internal control is so difficult to achieve here because thieves can find so many ways around a company’s cyber security defenses; no single internal control will ever hold back that onslaught.
Instead, a company needs to marshal a range of internal control components into one strong control environment — and, as the SEC notes above, weakness in any single component can leave the whole environment ineffective.
So compliance officers need to sit with numerous other risk management colleagues — HR, IT security, internal audit, legal — to determine which internal control components make for the best control environment to keep cyber security risk at the lowest possible level. That’s what the board wants to see. Clearly the SEC now wants to see that, too.
What could go into a cyber security control environment? Some examples:
- Procedures for “two-factor authentication” (such as the company sending a four-digit code to your cell phone, which you must enter online before receiving a password reset) when someone seeks access to a locked account
- CEO speeches regularly talking about the importance of cyber security
- Policies forbidding overseas wire transactions until the beneficial owner of the offshore account is confirmed
- Mandatory training for all employees on “human vulnerability” attacks and how the company wants employees to prevent them
- Annual cyber security audits testing policies and procedures to prevent cyber-based fraud
Finding the best mix of those elements is a question each company must answer for itself, depending on its risk profile, cyber security resources, and tolerance for cyber security risk. A small company might rely more on speeches, training, and smart thinking; a large company can use more automated controls and strong authentication procedures.
Policies, Procedures, & Prevention
One point that does cut across all types of organizations, however, is the importance of policy and procedure tailored to fit the cyber security risk in question.
The SEC doesn’t expect companies to prevent all cyber security attacks. Chairman Jay Clayton has said that in many instances, he would see no sense in imposing penalties on companies for cyber security attacks beyond their ability to prevent.
The crucial part, however, is establishing risk-based policy and procedure to maximize what you reasonably can prevent.
For example, the Iowa financial firm fined $1 million had not updated its policy and procedure for outside sales agents since 2009. Meanwhile, the risk of cyber-based fraud has soared since then, and the firm had already fallen victim to the password-reset scheme before. That’s not keeping current with the risk. Hence the SEC sent a message with its fine.
Best practices for cyber security, then, hinge on astute risk assessment; thoughtful conversation about how to bolster the company’s overall control environment to fight those risks; and creating policies and procedures that encourage employees to prevent cyber security lapses.
Conceptually, that’s no different than policies and procedures meant to prevent suspicious bribery payments or fixing of contracts. But the stakes are potentially much bigger, with blunders happening much faster.
No wonder the SEC is sending a louder message.