By Sarah N. Lynch
WASHINGTON Feb 20 Investigators at the U.S.
Securities and Exchange Commission are on the lookout for
violations such as poor risk controls or lax disclosures
relating to hacking and other cyber breaches, a top SEC official
said Friday.
"Cyber security... is an area where we have not brought a
significant number of cases yet, but is high on our radar
screen," David Glockner, director of the SEC's Chicago Regional
Office, said at the Practising Law Institute's annual SEC Speaks
conference.
U.S. policymakers have been paying close attention to cyber
security over the past few years, in the wake of high-profile
attacks against public companies like Target and Home
Depot, as well as banks such as JP Morgan Chase.
In 2011, the SEC drafted some informal staff-level guidance
for public companies on whether to disclose cyber attacks and
their impact on a company's financial condition.
There is no formal rule, however, outlining when and how
cyber incidents must be disclosed, and states have differing
laws on when and how customers must be informed about breaches.
Some have said the SEC should consider taking more steps to
require public companies to disclose major breaches more
quickly, though SEC Chair Mary Jo White has previously said the
cyber security guidance appears to be working well.
Last year, the SEC also made cyber security a priority in
its compliance examination program. As part of that, examiners
looked at policies that brokers and asset managers have in place
to prevent and detect cyber attacks, as well as how they conduct
due diligence to review third-party vendors.
Glockner said Friday the SEC was looking particularly at two
areas.
One is the cyber security controls that companies have in
place to protect market integrity. The other, he said, is how
adequately companies are disclosing "material" cyber events.
He said the enforcement division was working closely with
SEC examiners to share and coordinate on the topic.
