CYBER SECURITY REGULATORY RISK MANAGEMENT

In the US, many companies’ cyber security and IT operations are regulated at both the state and federal levels. The regulation has been inconsistent and confusing and is rapidly changing. For example, the Securities and Exchange Commission (SEC) requires public companies to disclose material information concerning cyber security, including filing a Form 8-K to report on significant events to shareholders. In 2022, the SEC proposed new public company rules that would require detailed disclosure regarding a company’s policies and procedures to identify and manage cyber security risks, the role of management and the board in such policies and procedures, as well as a requirement for public disclosure of the details of material cyber security events within four days. The SEC also proposed detailed cyber security risk management and disclosure rules for investment advisers and investment companies.

The Federal Trade Commission (FTC) has enforcement power under section 5 of the FTC Act to bring an action against a company that commits an unfair or deceptive trade practice, which the FTC has enforced against companies that suffered from cyber security incidents. The FTC also oversees certain financial institutions under the Gramm-Leach-Bliley Act (GLBA), including the details of the Standards for Safeguarding Customer Information under the GLBA (Safeguards Rule), which addresses cyber security.

At the state level, there are numerous cyber security requirements, some of which apply to all companies that collect, store or process personally identifiable information (PII) within a state, and some of which are sector specific. For years, Massachusetts had the most comprehensive cyber security regulation. Under 201 CMR 17.00, every person who owns or licenses PII of a Massachusetts resident is required to implement “minimum security standards” that contain administrative, technical and physical safeguards, including ongoing employee training, developing security policies, designating a person or persons to maintain the programme, and disciplinary measures.

Jan-Mar 2023 Issue

Frankfurt Kurnit Klein & Selz