Cyber Update: Personal Certification by Corporate Executives on the Rise
The likelihood of meaningful federal cybersecurity legislation in 2020 remains suspect. Yet, developments in 2019 show that cybersecurity regulation is headed toward a Sarbanes-Oxley model with or without congressional input.
March 13, 2020 at 12:41 PM
8 minute read
The likelihood of meaningful federal cybersecurity legislation in 2020 remains suspect. Yet, developments in 2019 show that cybersecurity regulation is headed toward a Sarbanes-Oxley model with or without congressional input. The Sarbanes-Oxley Act (SOX) had a significant effect on corporate governance in the United States by requiring public companies to strengthen audit committees, perform internal controls tests, and make directors and officers personally liable for the accuracy of financial statements. For SOX certifications, the act requires that an organization's senior officer personally certify the accuracy of the company's financial reports. A false certification can implicate personal liability. Regulation of cybersecurity is taking a similar approach.
Cyber regulations promulgated by the New York Department of Financial Services (NY DFS), 23 NYCRR Part 500, in 2017 were among the first to require personal certification of a senior officer to compliance of the regulations' requirements. In 2019, cybersecurity regulation veered further toward the Sarbanes-Oxley model, materializing in numerous Federal Trade Commission (FTC) orders, and in a significant, but little spoken about, rule change in the financial services industry when the Securities and Exchange Commission required members of the National Securities Clearing Corporation (NSCC) to undertake cybersecurity confirmations. Growing passage of the model law for insurance data security in multiple states, including Delaware, also incorporates the certification requirement.
The threat of personal liability adds teeth to requirements in regulatory regimes for a written and comprehensive cybersecurity program. Yet, it has not received much attention. This article briefly addresses these 2019 changes.
|The FTC's Requirement for Annual Certifications
A recent blog entry posted on the FTC's website identified seven FTC orders issued in 2019 in connection with enforcement actions that contained self-described departures from prior orders to improve companies' compliance efforts. Discussed in a Jan. 6, 2020, post by Andrew Smith, director of the Bureau of Consumer Protection, those "major changes" were greater clarity, increased third-party assessor accountability, and a concerted effort to elevate data security considerations to organization's C-Suites and boards of directors.
The last change is critical. The FTC has begun requiring a senior officer of targeted company to provide "annual certifications of compliance" to the requirements set forth under the FTC order to which his organization is bound. For instance, in the action In the Matter of ClixSense.com, No. C-6678, the FTC annual certifications as part of the commission's ongoing oversight. The order requires that Clixsense, on an annual basis:
- File "a certification from a senior corporate manager" that the company "has established, implemented and maintained the requirements" of the FTC order;
- Confirm that the company "is not aware of any material noncompliance that has not been corrected or disclosed to the commission;" and
- Provide a description of any data security incident it sustained during the year.
The certification must "be based on the personal knowledge" of the senior officer or subject matter experts upon whom the senior officer reasonably relies in making the certification.
According to Smith's post, the certification requirement is intended to "force" senior management and the executing officer to "gather detailed information about the company's information security program, so they can personally corroborate compliance with an order's key provisions each year."
|The SEC Rule Requiring Certification for the NSCC
In October 2019, the NSCC, under the authority of Section 19(b)(1) of the Securities Exchange Act (SEC) of 1934 and corresponding Rule 19b-4, filed with the SEC proposed rule change to require confirmation of cybersecurity program that would require NSCC members, and new applicants, to submit a cybersecurity confirmation at least every two years. On Dec. 9, 2019, the SEC approved the rule, effective immediately.
The NSCC, a wholly-owned subsidiary of Depository Trust & Clearing Corporation (DTCC), is a market utility. It plays a prominent role in providing clearance, settlement, risk management and central counterparty services. It also assists to provide a guarantee of completion for virtually all broker-to-broker trades involving equity securities, and corporate and municipal debt securities. Under the Dodd-Frank Act, the NSCC was designated a systemically important financial market utility (SIFMU). As noted in the SEC's approval of the new rule, this designation is significant because it indicates the recognition that a failure of the NSCC by a cyberattack or other means would risk significant liquidity problems spreading among financial institutions and markets, and "thereby threaten the stability of" the U.S. financial system. Thus, this is not a "check-the-box" program. Because cybersecurity programs are evaluated in the context of systems, data and associated risks involved, perfunctory cybersecurity programs—even programs that were deemed sufficient in early 2019—may not satisfy the anticipated requirements of the cybersecurity confirmation.
The cybersecurity confirmation requires member organizations to confirm that they maintain a comprehensive cybersecurity program based on risk assessments aligned with an industry recognized framework, such as NIST's Cybersecurity Framework or the ISO 27001 standard. As specified by the certification form itself, the senior officer must attest that his organization has:
- "Defined and maintains a comprehensive cybersecurity program and framework that considers potential cyber threats that impact the organization and protects the confidentiality, integrity and availability" of the organization's data and information systems;
- "Implemented and maintains written enterprise cybersecurity policy or policies approved by senior management … or board of directors," and that its framework is aligned with industry "best practices and guidelines;"
- If using third-party services, "an appropriate program to evaluate the cyber risks and impact of those third parties, and to review the third-party assurance reports;"
- A "cybersecurity program and framework that protects the segment of the Company's system that connects to and/or interacts with NSCC;"
- An "established process to remediate cyber issues identified to meet regulatory and statutory requirements;" and
- "A comprehensive review of the cybersecurity program and framework has been conducted by one of the following:" itself, if it also has filed and maintains a certificate of compliance under the New York DFS Cyber Regulations, a regulator who assesses the organization's cybersecurity programs; an independent organization with relevant cybersecurity expertise; or an independent internal audit function reporting directly to the organization's board of directors.
The confirmation also must affirm that the organization's "cybersecurity program's and framework's risk processes are updated periodically based on a risk assessment or changes to technology, business, threat ecosystem and regulatory environment." The new rule requires that the NSCC need only provide 180 days' advanced notice of a required cybersecurity confirmation.
|The Insurance Data Security Act
At the close of 2017, the National Association of Insurance Commissioners (NAIC) promulgated the draft of a Model Law on Insurance Data Security (the act). With the final draft borrowing heavily from the NY DFS cyber regulations, the model law established data security standards and a regulatory framework requiring insurers and other organizations regulated by a state's insurance regime to develop and implement a comprehensive data security (or cybersecurity) program. Five more five states, including Delaware, enacted the model law in 2019.
In each state, the act creates due diligence requirements for insurers relating to their third-party vendors and service providers, including law firms, and requires senior executives and directors to become involved in their organization's cybersecurity framework. The act requires domiciled insurers or producers to report cybersecurity events, including data breaches, to the state's respective insurance commissioners, and empowers the state agencies with investigatory authority and responsibility for violations of the act. In each state, the act also requires certification of compliance to be filed annually with the commissioner of insurance.
|Where Are We Headed?
The threat of personal liability for the executive officer attesting to cybersecurity compliance increases the stakes for any organization. The FTC has a well-documented history of enforcing its orders in data privacy and security matters. While it is yet unclear as to the level and form of enforcement of these NSCC's cybersecurity confirmation, the Insurance Data Security Act, no senior executive wishes to be charged with lying to a regulator.
Greater pressure from the specter of personal liability will have a ripple effect, especially in the context of cyber-risk management of organizations' third-party vendors, such as brokers, accountants and law firms. Such organizations may begin requiring similar certifications and embed strict data privacy and security requirements in their vendor and supplier contracts. In fact, some already do. This is the intended effect.
Joshua A. Mooney is chair of the White and Williams' cyber law and data protection group. He advises companies, including members of the insurance and insurtech industries, on data use and ownership, licensing, privacy and security.
Richard M. Borden, counsel in the firm's New York office, focuses his practice on big data governance and the Internet of Things, cybersecurity risk management and technology sourcing and transactions.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllPa. Federal District Courts Reach Full Complement Following Latest Confirmation
The Defense Bar Is Feeling the Strain: Busy Med Mal Trial Schedules Might Be Phila.'s 'New Normal'
7 minute readFederal Judge Allows Elderly Woman's Consumer Protection Suit to Proceed Against Citizens Bank
5 minute readJudge Leaves Statute of Limitations Question in Injury Crash Suit for a Jury
4 minute readLaw Firms Mentioned
Trending Stories
- 1Decision of the Day: Administrative Court Finds Prevailing Wage Law Applies to Workers Who Cleaned NYC Subways During Pandemic
- 2Trailblazing Broward Judge Retires; Legacy Includes Bush v. Gore
- 3Federal Judge Named in Lawsuit Over Underage Drinking Party at His California Home
- 4'Almost an Arms Race': California Law Firms Scooped Up Lateral Talent by the Handful in 2024
- 5Pittsburgh Judge Rules Loan Company's Online Arbitration Agreement Unenforceable
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250