SEC Continues Focus on Cybersecurity Practices of Broker-Dealers and Investment AdvisersOctober 2015
Recent actions by the Securities and Exchange Commission ("SEC") mandate that investment management and broker-dealer firms enhance their attention to cybersecurity issues. The SEC initially had a collaborative approach with the securities industry. This apparently has changed. The SEC recently took enforcement action for cyber breaches and lack of adequate policies and procedures by a registered investment adviser even when no client incurred financial harm.
Investment adviser and broker-dealer executives should be proactive in cybersecurity matters and:
- Expect robust examination and enforcement of broker-dealers, investment advisers and others by the SEC and Financial Industry Regulatory Authority ("FINRA").
- Expect continued evolution and clarification of the minimum required cybersecurity-related policies and actions by the SEC and the securities industry.
- Expect clients to demand higher cybersecurity standards and be prepared for clients to add specific due diligence inquiries and demand representations and warranties on these issues.
- Update the firm's policies and monitoring protocol of employees and independent contractors as part of the firm's fiduciary duties, and to address regulatory scrutiny.
- Review insurance coverage to confirm that the firm's business and the indemnified persons have adequate coverage.
As recently as February 2015, the SEC's Office of Compliance Inspections and Examinations ("OCIE") noted that its examinations would be risk-based, and solicited comments and suggestions on ways that the SEC should address the cybersecurity issues to "…better fulfill its mission to promote compliance, prevent fraud, monitor risk, and inform SEC policy."1 The February 2015 report noted a range of cybersecurity procedures and effective actions by the 57 registered broker-dealers and 49 registered investment advisers that were examined. There was no reported enforcement action. However, in September 2015, the SEC took enforcement action against a registered investment adviser for a self-reported cyber breach even when there was no financial loss to any of its clients.2 "It is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients," said Marshall S. Sprung, Co-Chief of the SEC Enforcement Division's Asset Management Unit.
SEC Enforcement Action against an Investment Adviser for Cybersecurity Issues
On September 22, 2015, a St. Louis-based investment adviser agreed to pay a $75,000 fine and settle with the SEC for certain violations regarding cybersecurity, including the firm's failure to adopt policies and procedures designed to protect client records and information. The SEC brought the enforcement action after the adviser's web server was attacked by hackers who gained access to personally identifiable information of approximately 100,000 individuals. The firm failed to satisfy minimum cyber protection standards, including periodic risk assessments, implementing a firewall, encrypting information stored on its server and maintaining a response plan for cybersecurity attacks. The firm took remedial action following the hacking; however, the SEC stated that firms must adopt written policies and procedures to protect clients' information in advance of, rather than following, a cybersecurity event. The SEC took this action even though there was no apparent financial harm to clients and the firm provided the appropriate notice to its clients following the hacking.
OCIE's Second Examination Focuses on Implementation of Cybersecurity Policies and Procedures
The SEC announced in a September 2015 Risk Alert that its second round of examinations will focus on assessing a firm's implementation of cybersecurity procedures and controls.3 The six focus areas of the examinations and the specific areas that may be assessed are described below.
- Governance and Risk Assessment: Whether a firm: (i) has cybersecurity governance and risk assessment processes related to the focus areas; (ii) periodically evaluates cybersecurity risks; and (iii) has controls and risk assessment procedures that are tailored to its business. The examination may include a review of the firm's communication with its management and board. The board will need to document adequate discussion and analysis, which may include receiving reports from qualified professionals.
- Access Rights and Controls: How a firm: controls access to its systems and data through management of user credentials, authentication, and authorization methods, to prevent unauthorized access to systems or information.
- Data Loss Prevention: How a firm: (i) monitors volume of content transferred outside of the firm, such as by email attachments or uploads; (ii) monitors potentially unauthorized data transfers; and (iii) verifies the authenticity of a request to transfer funds.
- Vendor Management: The firm's practices and controls related to vendor management, how vendor relationships are considered as part of the firm's risk assessment, and how the firm determines the appropriate level of due diligence to conduct on vendors.
- Training: How a firm's cyber-related training is tailored to specific job functions, how it is designed to encourage responsible employee and vendor behavior, and how procedures for responding to cyber incidents are integrated into regular training.
- Incident response plan: Whether a firm has established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future cyber-related attacks and breaches.
In conducting its examinations, the OCIE may review, among other matters: (i) written policies and procedures relating to the examination focus areas and a myriad of other specific cyber-security and technology issues; (ii) information demonstrating implementation of such policies and procedures; (iii) board minutes and briefing materials relating to cybersecurity matters; and (iv) information regarding the firm's Chief Information Security Officer or employees responsible for cybersecurity.
Background on SEC's Cybersecurity Examination Initiative
A review of the SEC initiatives reflects the evolving SEC stance, from providing guidance to enforcement action for a firm's failure to comply with minimum standards.
- January, 2014 - The OCIE's 2014 Examination Priorities listed cybersecurity among its exam program priorities for broker-dealers.4
- March 2014 - The SEC hosted a cybersecurity roundtable, to discuss the issues and challenges that cybersecurity creates for market participants and public companies, and how companies are addressing those concerns.
- April 2014 - The OCIE's Risk Alert announced its first examination, designed to identify cybersecurity risks, assess cybersecurity preparedness and gather information about cyber threats.5 Like the recent September Risk Alert, the publication included a sample list of requests for information related to cybersecurity, including questions related to risk, cybersecurity governance and protection of information, which, the OCIE noted, can be used as a tool to assess a firm's cybersecurity risk level and its preparedness, regardless of whether the firm is examined by the OCIE.
- January 2015 - The OCIE's 2015 Examination Priorities stated that the OCIE will continue to examine broker-dealers' and investment advisers' compliance and controls and will expand its examination to include transfer agents.6
- February 2015 - The OCIE's Risk Alert summarized the findings of the examination of 57 broker-dealers and 49 registered investment advisers.
- February 2015 - FINRA's Report on Cybersecurity Practices provided broker-dealers with principles and effective practices on cybersecurity, based on FINRA's own examination of firms and its cyber-related initiatives.7
- September 2015 - The OCIE's Risk Alert announced its second examination designed to assess firms' implementation of cybersecurity procedures and controls.
- September 2015 - The SEC reached a settlement with an investment adviser for cybersecurity-related violations, including the firm's failure to adopt policies and procedures designed to protect client records and information.
Next Steps for Broker-Dealers and Investment Advisers
The OCIE's ongoing examination of cybersecurity compliance and controls underscores the importance of policies and procedures that address all aspects of cybersecurity. Broker-dealers and investment advisers should:
- Use the OCIE's publications, including the lists of sample policies and procedures appended to the Risk Alerts, and FINRA's report, in order to construct, assess and update the firm's current cybersecurity programs and related training programs.
- Recognize that the standards for adequate policies and actions is inherently dynamic and procedures and protections that are now thought to be adequate will continually require evaluation, reassessment and improvement in light of ever-increasing and sophisticated hacking and cyber threats.
- Confirm that the firm's documentation accurately reflects its assessment of the cyber risks and threats.
- Determine if the firm's insurance policies adequately cover the full range of cyber risks.
1 Risk Alert, OCIE, Cybersecurity Examination Sweep Summary (February 3, 2015), available at http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
2 Press Release, SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach (September 22, 2015), available at http://www.sec.gov/news/pressrelease/2015-202.html.
3 Risk Alert, OCIE, OCIE's 2015 Cybersecurity Examination Initiative (September 15, 2015), available at http://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
4 Risk Alert, OCIE, Examination Priorities for 2014 (January 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf.
5 Risk Alert, OCIE, OCIE Cybersecurity Initiative (April 15, 2014), available at https://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.
6 OCIE, Examination Priorities for 2015, available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf.
7 FINRA, Report on Cybersecurity Practices (February 2015), available at https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf .
For more information on the evolving cybersecurity issues or assistance with your firm's cybersecurity policies and procedures, please contact:
Richard M. Morris at +1 212 592 1432 or [email protected]
Copyright © 2015 Herrick, Feinstein LLP. This alert is published by Herrick, Feinstein LLP for information purposes only.
Nothing contained herein is intended to serve as legal advice or counsel or as an opinion of the firm.