With major data breaches making headlines on a near-weekly basis, many in the securities industry have wisely begun to focus on developing an effective approach to cybersecurity. Although cybersecurity plans can vary widely among firms depending upon their business, clientele and technical architecture, among other things, effective plans include the following features.
1. Build a Strong Cybersecurity Team
The first step in developing an effective approach to data security is choosing the right information security team. Effective teams are cross-sectional and include personnel from legal, information technology, human resources, and communications or public relations departments. The team should also include at least one member of senior management.
2. Conduct a Privacy Survey
Companies should conduct a privacy survey, which is the process of identifying the legal and regulatory landscape that applies to companies in the industry and to the types of data that the company collects and maintains. Firms in the securities industry should consider:
— Regulatory regime. SEC and FINRA scrutiny of industry cybersecurity measures is based on two SEC regulations. Regulation S-P requires firms to establish written policies and procedures to ensure the security and confidentiality of customer records and information. Regulation S-ID focuses on preventing identity theft. Under Regulation S-ID, companies are required to create and maintain reasonable policies and procedures to promote identification, detection and responses to red flags for identity theft.
— Federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) requires organizations to protect banking and financial information, and has direct application to the securities industry. Additionally, many states have laws that require companies to protect personally identifiable information (PII) of customers and employees, and to notify individuals if their PII is breached. Although the definition of PII varies from state to state, PII generally covers data that can be used to identify a specific individual including Social Security numbers, driver's license numbers, financial account information and other identifying information.
— Contractual obligations. When the company will be responsible for maintaining a third party's data, the company should consider whether the contract creates additional cybersecurity obligations or cybersecurity liability in the event of a breach. When the company's data will be maintained by a third party, the company should take care to enter contracts that ensure the company's data will be protected.
— Industry standards, audit protocols and internal policies related to privacy and security
3. Understand Technical Systems
The information security team should develop a specific and detailed understanding of its own network and identify where sensitive data is stored. Sensitive data includes data protected by law, data protected by contract, personally identifiable information and proprietary data.
Next, the team should ensure that sensitive data is segregated from regular data and subject to additional physical, technical or procedural protections, such as:
Segmenting the network to separate sensitive data from non-sensitive or public data and using technical protections, such as firewalls, to protect the sensitive segments
Using password protection and encryption on sensitive data
Restricting physical access to hardware (including servers and computers) and physical files
4. Implement “Privacy by Design”
The company should take a “privacy by design” approach when developing cybersecurity solutions. This means that the company should create policies and procedures that account for customer privacy, legal compliance and data protection throughout the data life cycle (i.e., collection, processing, storage and destruction). As part of this effort, the company should develop comprehensive policies to address privacy and data security, including:
A “bring your own device” (BYOD) policy governing whether, and under what circumstances, employees can use their own devices to conduct company business
A password policy requiring the use of strong, complex, unique passwords
Personnel policies (including onboarding and off-boarding policies) that enhance security
A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access
5. Train Employees
Regardless of the industry, employees are a frequent source of data breaches. To combat this, the company should clearly establish that it takes data security and unauthorized computer access seriously. Many cyberattack techniques exploit employees’ inattention and lack of technical expertise. Employees need regular training on how to identify and prevent attempted cyberattacks.
6. Manage Vendors
Relationships with third-party vendors can pose substantial cyber-risks that should be mitigated to the extent possible. Vendors should only receive the network access and data necessary to perform their role. The company should scrutinize the adequacy of a third party's cybersecurity policies and procedures before entering into a business relationship with that company. Contractual safeguards should be taken to minimize risk, including requiring safeguards to protect sensitive data, providing rights to audit the vendors’ security practices and requiring vendors to notify the company if a breach occurs. The contract should allocate risk in the event that a breach at the vendor harms the company. (Among other things, companies should consider requiring vendors to carry cyber insurance and to name the companies as additional insureds.)
7. Engage in Information Sharing
One way for companies to ensure that their data security solutions remain up to date is by participating in industry cybersecurity information sharing through, for example, Information Sharing and Analysis Organizations (ISAOs). ISAOs allow industry players to keep abreast of evolving cyberattack tactics and industry security standards. Companies that do not actively participate in industry information sharing risk falling behind in their cybersecurity initiatives and may miss critical information that could prevent or mitigate the consequences of a cyberevent.
8. Consider Cybersecurity Insurance
The company may also benefit from cybersecurity insurance coverage. Depending on the policy, cyber insurance may cover forensic investigation and system restoration costs; defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data; defense costs and penalties associated with regulatory investigations; notification costs and credit monitoring for affected customers and employees; losses attributable to the theft of the policyholder-company's own data (including transfer of funds); business interruption costs attributable to a cyberattack; costs required to investigate threats of cyberextortion and payments to extortionists; and crisis management costs, such as the hiring of public relations firms.
It is critical to carefully review the particular provisions of each cyber liability policy with a broker and coverage counsel. Unlike many traditional policies, cyber liability policies differ significantly because they are not (yet) based on a standard form.
9. Develop an Incident Response Plan
Firms should create an incident response plan, which is a detailed plan that outlines how a company will respond to suspected cyberevents. These plans help companies quickly and effectively investigate and remediate attacks. Among other things, an incident response plan should identify the leaders of the response team and present easy-to-follow, scenario-based responses to different types of cyberincidents. For each scenario, the plan should clearly delineate the first steps that must be taken and include a timeline of major investigative events. The plan should also provide guidance on the timing and substance of appropriate disclosures.
The plan should provide for the involvement of legal counsel in all aspects of the investigation of a suspected cyberevent (including communications about the potential event, remediation efforts, and disclosure and reporting) to ensure that the investigation is protected under the attorney-client and work product privileges. Privilege is critical because, although the company is a victim, it may soon find itself the defendant in a variety of lawsuits, including lawsuits by regulators or investors. Accordingly, incident response plans should identify an experienced data security attorney to call and include their emergency contact information.
10. Execute the Incident Response Plan Efficiently
Once a company becomes aware of a suspected cyberattack, time is of the essence. Losses from the attack—and potential liability to claims by regulators and plaintiffs—are likely mounting. It is important to contact the attorney identified in the incident response plan immediately; he or she will help execute the response plan while maintaining privilege.
The attorney should counsel the company to avoid drawing premature conclusions regarding the cause and source of an attack and whether the attack has resulted in unauthorized access or exfiltration of data. Companies should also avoid using the term “breach” unless it confirms that a breach has actually occurred. A breach occurs when information is accessed or taken by unauthorized parties. Breaches often trigger legal or contractual obligations, including disclosure of the breach. However, many cyberattacks (e.g., denial of service attacks) do not result in a breach. Imprecise or inaccurate communications during an investigation can hinder an organization's ability to defend against charges of liability by affected third parties or regulators. In our experience, it is particularly critical to counsel employees involved in the incident response to be cautious about how and what they communicate.
Legal counsel (and, often, public relations experts) will assist with any disclosures to investors, other contractual counterparties or regulatory agencies that may be required as a result of a material breach. Legal counsel will work to limit any harm to the company (including any reputational damage) while at the same time limiting legal liability by avoiding sweeping or inaccurate statements.
11. Develop a Business Continuity Plan
Cyberattacks may also result in victimized companies losing access to their data and systems. For example, many companies have been affected by the Cryptolocker malware, which encrypts (and renders useless) the company's data until a ransom is paid. If companies are not prepared for these types of attacks, they may suffer a substantial interruption of services that can be extremely costly. The company should have a written business continuity plan to facilitate rapid and efficient data recovery and resumption of operations.
The first step in creating an effective business continuity plan is identifying critical systems. Systems should be prioritized in order of the maximum time that each can be down without causing substantial harm to the business. The company must then select a back-up system. In deciding which back-up system to choose, the company should consider how quickly the data needs to be restored, how much data must be stored and how long data must be maintained. It is critical that the company's back-up system be sufficiently segregated from the company's day-to-day systems so that a cyberattacker cannot access the back-up system during an attack.
Cybersecurity Essential to Regulated Entities
The SEC and FINRA have made clear that they are focused on cybersecurity in the securities industry, and this focus is only likely to grow as cyberthreats become more sophisticated. Therefore, a strong cybersecurity program is an essential part of any long-term strategy for regulated entities. Securities firms developing their approach to cybersecurity should ensure they incorporate the features discussed herein.