SEC Cyber Violations a “Guessing Game,” say Observers


The Securities and Exchange Commission argued this week that a number of large firms had faulty cybersecurity policies and procedures in place, resulting in the breach of clients’ personal information. But a number of industry legal observers say the commission should be clearer about what it requires in the first place.

The commission’s actions emphasized the implementation of multifactor authentication (MFA) for email communications for employees and contractors. MFA is the “second step” required to log in to email or other accounts, often requiring a code sent to a mobile phone or other device. According to some securities attorneys, while Regulation S-P, the commission’s data privacy rules, may not specifically require MFA, firms should nevertheless ensure they have it and that employees comply with it, or risk being slapped with similar sanctions and monetary fines by the commission.

“Obviously, past SEC enforcement actions in this area have emphasized the importance of cybersecurity policies needing to be implemented and followed,” A. Valerie…
