SEC issues first penalty for deficient cybersecurity


The U.S. Securities and Exchange Commission (SEC) has issued its first penalty against a public company for “deficient disclosure controls and procedures related to cybersecurity”. The company is also regulated by the New York State Department of Financial Services (NYSDFS) and is now contending with both regulators, having been hit with a monetary penalty and a cease-and-desist order.

In the case that led to the SEC penalty, the company’s IT personnel had been made aware of a vulnerability in one of its web applications, failed to remediate it, and did not inform senior executives until a journalist published an article about the exposure. Because the executives responsible for the company’s public filings did not know about the vulnerability, the company could not accurately assess or disclose the risk.

The settlement with the SEC consisted of a cease-and-desist order and a civil penalty of $487,616. The NYSDFS charges are still pending; with penalties of up to $1,000 per violation, and each of the roughly 800 million exposed records potentially counting as a separate violation, even a settlement is likely to run into the millions.

What does this mean for other businesses in the finance sector? It shows that the SEC and NYSDFS will use their oversight authority to verify that robust cybersecurity risk management is actually in place, as the requirements this sector has been subject to for years already demand. Note that the SEC’s finding was not that the company was breached, but that information about a known vulnerability never reached the people responsible for disclosure. To avoid substantial monetary penalties and other sanctions, companies need comprehensive cybersecurity risk management standards, including a defined path for escalating known vulnerabilities to senior management, and they need to test and improve the effectiveness of those standards regularly.


Tracy Fox
