OCIE Issues Risk Alert on Global Cyberattack; Insurer Requirements Push Firms to Improve Cyber Security Practices

The SEC’s Office of Compliance Inspections and Examinations issued a risk alert last week, urging financial firms to review the Department of Homeland Security’s alert and to consider previous SEC staff guidance and FINRA resources to prepare for and to respond to cyberattacks. The risk alert followed a global ransomware attack, known as WannaCry, which is still affecting organizations around the world. The risk alert also discussed the staff’s findings from examinations of registered broker-dealers and investment advisers and identified various shortcomings in the firms’ cyber security infrastructure and policies and procedures.

The Wall Street Journal recently reported that the WannaCry attack highlighted a lack of technological expertise in many corporations’ finance departments and pointed to challenges presented by the complexity and fast-changing nature of information technology and the difficulty of quantifying cyber security risk.

Meanwhile, the increase in cyberattacks continues to spur interest in cyber security insurance. A recent article in the security and risk publication CSO noted that the recent growth in the cyber insurance market has improved cyber security. The article noted that insurance companies are setting general cyber security standards by adding language to contracts that require companies to maintain a particular level of security, for instance by requiring end-to-end encryption and cyber security training. According to the article, while demand is high for cyber security insurance, “the cyber insurance industry is struggling with a dramatic shortage of personnel and a problem with getting good actuarial data.”