In the not-too-distant past, doctors made house calls to check in on their patients. For many patients, in-home examinations were efficient and comfortable—even preferred. Today, for some companies, “house calls”—in the form of examinations, visits or audits by federal and state governmental regulators—are becoming more frequent, particularly in the realm of cybersecurity. As news of the frequency and severity of cyberattacks increases every month, an increase in these house calls by regulators should not come as a surprise. Of course, regulators are not doctors, and companies' initial reaction to these visits is rarely positive.

Yet this is the new normal. Recent public statements and other announcements by governmental regulators—particularly those with oversight over financial services companies—signal increased attention and focus on cybersecurity preparedness in 2015. For example, in mid-January, the U.S. Securities and Exchange Commission highlighted the importance of assessing cybersecurity risks and preparedness, while also providing information on priorities and timing of its 2015 examination program. In mid-February, the SEC and the Financial Industry Regulatory Authority (FINRA) each published summaries of market assessments of cybersecurity risks conducted in 2014 through broker-dealer and (for the SEC) investment adviser examinations. Also in February, the head of New York's Department of Financial Services (DFS) signaled the department's consideration of new rules protecting against “an Armageddon-type” cyberattack on U.S. financial markets, and the agency released its “Report on Cyber Security in the Insurance Sector,” summarizing its own survey results and announcing increased focus on cybersecurity in examinations.

All of these developments should put companies on alert that governmental regulator house calls, in the form of audits and examinations concerning cybersecurity, will only continue to increase.

The SEC's Communications

In January, the SEC announced the 2015 examination priorities of its Office of Compliance Inspections and Examinations (OCIE), which examines structural risks and trends involving multiple firms or entire industries under SEC regulation. Demonstrating the focus the SEC has placed on cybersecurity, Chair Mary Jo White cautioned at a 2014 SEC roundtable that “the public and private sectors must be riveted, in lockstep, in addressing these threats.” Among the 2015 marketwide risks that the SEC has identified as a priority is “assessing cybersecurity controls across a range of industry participants.”