BreachExchange mailing list archives

Two Governmental Regulators Highlight Cybersecurity Issues In 2015 Priorities


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Jan 2015 19:25:00 -0700

http://www.jdsupra.com/legalnews/two-governmental-regulators-highlight-cy-55766/

It is no surprise that numerous government regulators have listed
cybersecurity amongst their priorities for 2015. This past week, two of
these regulators – the Securities and Exchange Commission and the Office
for Civil Rights of the Department of Health and Human Services –
highlighted the importance of assessing cybersecurity risks and
preparedness, while also providing information on priorities and timing of
their 2015 examination and audit programs.

Securities and Exchange Commission

On January 13, 2015, the Securities and Exchange Commission (“SEC”)
announced its 2015 examination priorities. Through its Office of Compliance
Inspections and Examinations (“OCIE”), the SEC examines structural risks
and trends that involve multiple firms or entire industries. “Our
examination program collects information for the Commission on a range of
important trends, issues, and risks,” said SEC Chair Mary Jo White. She
continued that, “OCIE helps us to maintain a strong presence with SEC
registrants and to make a positive impact for the benefit of investors and
our markets.” Amongst the 2015 market-wide risks the SEC has identified as
priority is “assessing cybersecurity controls across a range of industry
participants.”

This recent announcement tracks two related announcements from 2014 showing
that the SEC plans to be active in the area of assessing cybersecurity
readiness and vigilance. In April 2014, the SEC announced that OCIE would
be conducting examinations of more than 50 registered broker-dealers and
investment advisers, focusing on areas related to cybersecurity
preparedness. In addition, in June 2014, SEC Commissioner Luis Aguilar gave
prepared remarks on “Cyber Risk and the Boardroom” in which he made clear
the SEC expects that board members will involve themselves in the company’s
cybersecurity strategy before and after a data breach. His remarks included
that, “[b]oards that choose to ignore, or minimize, the importance of
cybersecurity responsibility do so at their own peril.”

To date, the SEC has not made public any enforcement actions stemming from
such cybersecurity-related examinations or investigations. The stated goals
of these examinations are to “assess cybersecurity preparedness in the
securities industry and to obtain information about the industry’s recent
experiences with certain types of cyber threats” and to “promote
compliance.” However, public statements from the SEC, including the speech
noted above, suggest the potential for increased investigations,
enforcement activity and/or penalties, particularly at the board level, for
companies that do not take cybersecurity assessments seriously.

Department of Health and Human Services

On January 13, 2015, in written remarks to legal news outlet LAW 360,
Jocelyn Samuels, Director of the Office for Civil Rights (“OCR”) at the
Department of Health and Human Services (“DHHS”), highlighted increased
cybersecurity risks for healthcare companies under strict obligations to
protect sensitive patient data. As cyber-attacks of these entities
increase, so do HIPAA privacy breaches. “We are certainly seeing a rise in
the number of individuals affected by hacking [and information technology]
incidents, as reported by entities under our breach notification
requirements, especially those due to malware compromising the security of
information technology resources,” Director Samuels wrote to LAW 360. In
addition, Director Samuels wrote that, “[a]ny organization that holds
sensitive data is at risk, and this is why it is so important that HIPAA
covered entities and their business associates assess and address the risks
to the [electronic protected health information] they hold on a regular
basis. This includes reviewing systems for unpatched vulnerabilities and
unsupported software that can leave patient information susceptible to
malware and other risks.”

Separately on January 13, 2015, Director Samuels also commented on the
timing of the next round of HIPAA compliance audits by the OCR. During a
media roundtable, Samuels said that the next round of audits – the first
stage of which was conducted in 2011 and 2012 – will be implemented
“expeditiously” and will be accompanied by new audit guidelines. However,
no specific timetable for beginning the audits was announced, and Samuels
encouraged HIPAA-covered entities to monitor the OCR website in the next
weeks and months for additional timing updates and guidance. When asked
whether these upcoming audits will be “educational” or, in the alternative,
whether they will also be used for enforcement, Samuels replied only that
the audits will join OCR’s “existing arsenal of tools…to proactively
identify areas of [HIPAA] compliance concern[s].”
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
sales () riskbasedsecurity com