Corporate Cybersecurity: Managing Data in the Era of Cyberattacks

Liam Kenney
Associate Editor
Loyola University Chicago School of Law, JD 2021

Within the last decade, data has surpassed oil as the world’s most valuable commodity. Earlier this year the Securities and Exchange Commission (SEC) released its observations made during audits that detailed the methods used by corporations to secure their data. This included the kinds of cybersecurity practices employed by companies as well as advice on how to better deal with sensitive data and protect against potential cyberattacks. The SEC’s observations coincide with a recent announcement from the National Security Agency (NSA) that showcases an increased concern surrounding cybersecurity in the corporate world.

However, smaller firms and corporations simply do not have the resources necessary to implement systems that address each and every concern raised by the SEC. Thankfully, the SEC has refrained from heavily punishing companies that are not yet able to comply with its advice. In this way, the SEC is walking a line between understanding the limitations and complexity involved in data management and being a heavy-handed regulator.

What can companies do to comply?

The SEC does not expect full implementation of its cybersecurity guidance by every corporation that it regulates. However, this emphasis on cybersecurity may point to an increase in data management regulations in the near future. Because of this, companies (especially those involved in providing financial services) should look to update and align their data management standards and procedures in anticipation of future cybersecurity regulations.

The SEC’s observations focused on areas of data management such as governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, and vendor management. It would behoove companies to perform an internal analysis and compare their own data management standards and procedures against the observations made by the financial regulator. The conclusion of the SEC’s announcement states that, in doing so, an organization may then implement the suggested measures and become more secure in its data management.

Some of the suggested procedures are rather simple. For instance, the SEC suggests that businesses implement controls for system access, such as authenticating individuals through the use of randomly generated passcodes and removing such access immediately when an employee leaves the corporation. To better protect sensitive information, such as account or Social Security numbers, from data loss, the SEC advises that corporations utilize procedures that detect and block the transmission of such data. However, such systems may be inherently more complex and are likely harder to implement within small firms that lack access to the necessary resources.

Recent focus: data loss and the cloud

In the area of data preservation, the SEC suggests that companies should have procedures in place to terminate suppliers and cloud service providers. This would allow for the preservation of data necessary for regulatory compliance when moving to new providers. Such prevention of data loss has become a focus in the SEC’s examinations.

Cloud security in the context of data management has become an area of heightened interest for financial regulators such as the National Futures Association, the SEC, and the Financial Industry Regulatory Authority. These regulators have alerted brokers and banks that a critical part of compliance audits moving forward will focus on how firms manage information stored in the cloud. The SEC has made it clear that while companies are outsourcing control of their data and services to the cloud, to players such as Amazon Web Services, they may still be liable for data breaches.

Regulators want to see evidence that companies utilizing cloud services are aware of risk management issues concerning the storage of sensitive information in an external manner, and that such companies have oversight of their cloud providers. Allowing a third party to manage data externally may help reduce costs associated with such storage, but the SEC emphasizes the need for caution when utilizing this method for data management.

Between January and March of this year, corporations worldwide spent $31 billion on cloud computing services. This figure is up 34% when compared to the same timeframe in 2019. The rapid increase of cloud service implementation must be matched with proper compliance standards and procedures surrounding data management and security.