No one likes being a victim, let alone being a victim twice. But that is what you may face if you have a data breach.
If your firm had a vulnerability that an attacker exploited, your regulator may come after you regardless of whether any client was actually harmed. After all, your system had a gap that an attacker got through. So what should you do?
First, you have to know what you have on your systems that needs protection. How can you protect what you do not even know you have? Keep a current inventory of your systems and of the client and firm data they hold; benign neglect is not the way to go.
Second, do your systems (including laptops, phones and removable drives) have adequate encryption? If an unencrypted device is lost or stolen and the information on it is exposed, you can bet your regulator will have an issue. With full-disk encryption in place, a lost device is a lost piece of hardware, not a reportable exposure of data.
Third, how strong are the passwords your employees are using, and how easily can they be tricked into giving them up? Many phishing campaigns will poke and prod a firm until a weak link among your staff is found. Have your IT or security consultant run a simulated phishing campaign against your own employees to find out who the weak links are, and then address those weak links with targeted training rather than blame.
Fourth, are you educating your employees on data security issues? If not, make this education a regular and repeated part of your internal training program, not a one-time event.
There is a saying that there are two kinds of firms: those that know they have been breached and those that have not yet learned that they have been breached. Whichever camp you are in, take action now to protect your systems and employees so that you can hopefully avoid the wrath of your regulator.