To reduce the risk of enforcement actions, regulated entities should scrutinize and periodically reassess their existing cybersecurity protocols, tailoring them to address specific risks. Regulated entities should consider the practical and regulatory benefits of adopting the NIST Cybersecurity Framework, favored by government agencies, or ISO/IEC 27001, an internationally recognized framework. The protocol should address prior intrusion attempts and extend to independent contractors. Importantly, regulated entities should consider dedicating more resources to implementation and governance, encouraging more institutional focus on cybersecurity.

Finally, the Order leaves open the benefit of self-reporting breaches and intrusions. In recent years, the SEC encouraged self-reporting to limit investor harm and to aid the prosecution of the perpetrators. The Order suggests that Voya did not self-report and that the issue was identified during the examination process, or perhaps through other public reports of the breach. Regulated entities should consider the benefits of self-reporting intrusion events, particularly when they are subject to examination and when federal or state law requires public reporting that can draw regulatory attention.

Paul Helms, a partner with the law firm McDermott Will & Emery LLP, defends clients in government investigations, principally investigations by the U.S. Securities and Exchange Commission, and conducts internal investigations involving securities, accounting, and other financial concerns. Prior to joining McDermott, Helms worked in the SEC's Enforcement Division in various roles, including as counsel to the director of enforcement and a member of the Asset Management Unit. Sean Hennessy and Lynette Arce are associates at McDermott, practicing in the firm's Litigation and Global Privacy and Cybersecurity Groups, respectively.