While cybersecurity risks have increased, government regulation has traditionally lagged behind. Recently, some government entities have tried to catch up by mandating that companies take a proactive approach toward protecting personal and competitively sensitive data. The move is a departure from the traditional reactive response of simply notifying consumers after their personal data is breached.
With this shift in emphasis, companies are asking the obvious questions: “What are we expected to do and what is a proactive cybersecurity compliance program?” Both on the state level and through federal regulatory agencies, the government is beginning to dictate a comprehensive compliance approach to data protection. Late last year, the U.S. Securities and Exchange Commission’s Cybersecurity Examination Initiative directed broker-dealers to “further assess cybersecurity preparedness in the securities industry.” Thus, the SEC announced that it “will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.”
