The U.S. Securities and Exchange Commission (SEC) has issued the first penalty to a public company for “deficient disclosure controls and procedures related to cybersecurity”. The company involved also falls under the New York State Department of Financial Services (NYSDFS) and is battling regulators from both entities after being hit with monetary penalties and a cease and desist order.
In the case that led to the initial penalty, it was discovered that the IT personnel had been made aware of a vulnerability in their web application, failed to address it, and didn’t inform senior executives until a journalist published an article about the issue.
The resulting settlement with the SEC consisted of a cease and desist order covering the company's use of the application and a fine of $487,616. The charges from the NYSDFS are still pending, and with penalties of up to $1,000 per violation and each of the 800 million exposed records counting as an individual violation, even a settlement is likely to run into the millions.
What does this mean for other businesses in the finance sector? It shows that the SEC and NYSDFS will use their oversight to verify that robust cybersecurity risk management is in place, as per the requirements this sector has been subject to for years. To avoid substantial monetary penalties and other sanctions, companies need to develop comprehensive cybersecurity risk management standards and to test and upgrade their effectiveness regularly.