Broker-dealers and advisors should brace for “cybersecurity regulation or guidance” from the Securities and Exchange Commission “in the near future,” and expect that future cybersecurity enforcement actions could result in “significant” fines, says the law firm Sutherland Asbill & Brennan.
In a Tuesday legal alert titled “Cybersecurity Issues in the Financial Services Industry: Fasten your cyber belts, it’s going to be a bumpy night,” Sutherland notes that the recently launched exams by the SEC and FINRA of broker-dealers’ and advisors’ cybersecurity policies are assessing many of the same issues addressed in previous enforcement actions brought by both regulators against firms for cybersecurity-related failures.
Sutherland tells BDs and advisors to brush up on the areas that both regulators are focusing on in their cybersecurity “sweeps,” details previous cybersecurity-related infractions detected by both regulators, and predicts a more aggressive cybersecurity regulatory environment ahead.
Cybersecurity is going to be “a ‘hot’ regulatory issue for the foreseeable future,” say the legal alert’s authors, Brian Rubin, John Walsh and Shanyn Gillespie. “The threat of cyberattacks is rising, not diminishing.
“As the threat grows, regulatory interest is likely to expand,” they continue. What’s more, “as data breaches continue to generate headlines, regulators will likely face mounting pressure from Congress and the public to act in this area. Future regulatory and enforcement actions are therefore anticipated.”
Sutherland notes that FINRA’s cybersecurity sweep exams cover many of the same issues as the SEC’s examinations, including: information technology risk assessment; business continuity plans in the event of a cyber-incident; organizational structures and reporting lines; sharing and evaluating cyber threat information; cybersecurity breaches in the past years and their consequences; responding to denial of service attacks; cybersecurity training; cybersecurity insurance; and vendor contracts.
Thus, Sutherland writes, “both regulators appear to be in agreement that these issues represent important cybersecurity considerations.”
The SEC’s recently released alert from its Office of Compliance Inspections and Examinations noted that OCIE has now focused its exams on more than 50 registered broker-dealers and advisors.
Before the latest exam sweeps, securities regulators had already levied enforcement actions against firms based on cybersecurity governance failures, including inadequate written policies and procedures; failing to enforce written policies and procedures; failing to conduct periodic assessments of cybersecurity procedures and measures; and failing to respond to deficiencies identified through such periodic assessments.
The SEC and FINRA have brought “multiple enforcement actions” against firms for violating what Sutherland calls “the cornerstone of the cybersecurity regulatory landscape,” which is Regulation S-P. Rule 30 of Regulation S-P (referred to as the “Safeguard Rule”) requires registered broker-dealers, advisors and investment companies to establish written policies and procedures reasonably designed to insure the security and confidentiality of customer records and information; protect against any anticipated threats or hazards to the security or integrity of customer records and information; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
One example cited in the alert for failing to follow or enforce written cybersecurity policies and procedures was an SEC action against the former chief compliance officer of a now-defunct broker-dealer because, among other things, the firm’s procedures tasked a “designated principal” with critical cybersecurity tasks, including monitoring and testing of the firm’s safeguards, but the CCO never named or appointed such a person.
The Sutherland lawyers predict that the SEC will “issue cybersecurity regulation or guidance in the near future.”
As to FINRA’s next cybersecurity steps, Daniel Sibears, FINRA’s executive vice president, stated at the SEC’s March 26 cybersecurity roundtable that FINRA intends to use the information it gleans from its cybersecurity sweep examinations to publish “best practices” guidance.
“This guidance should be helpful to firms struggling with how to identify and implement cybersecurity systems and procedures that will pass regulator muster,” say the Sutherland lawyers.
The lawyers note that the “best predictor of future cybersecurity enforcement activity is past enforcement activity,” and list what they see as “possible avenues” the SEC and FINRA may take when they bring enforcement actions:
Future SEC and FINRA cybersecurity enforcement actions may be based on violations of the Safeguard Rule. Among the specific issues the regulators are likely to focus on are: adequacy of cybersecurity policies, procedures and controls; a firm’s compliance with its cybersecurity policies and procedures; adequacy of periodic assessments of cybersecurity policies, procedures and controls; responding appropriately and promptly to any cybersecurity deficiencies detected; protecting non-public customer information with suitable technology and strong user access restrictions; protecting non-public customer information shared with vendors; and responding appropriately to data breaches.
Many future cybersecurity enforcement actions will likely be based on actual data breaches. Of the past enforcement actions discussed in [the legal alert], seven of 11 (or 64%) involved actual data breaches, rather than just vulnerabilities that could have resulted in breaches. In this regard, the regulators may assert that a firm that experiences an actual data breach failed, by definition, to comply with the Safeguard Rule.
Actual customer harm is not required, however. The regulators may still bring enforcement actions in cases where nonpublic customer information has been exposed to unauthorized access, even if the information was not actually misused.
Responding promptly and appropriately to cybersecurity breaches may not be enough to prevent an enforcement action. However, regulators should consider remedial efforts in assessing sanctions.
Future cybersecurity enforcement actions may result in significant fines. The fines imposed against broker-dealers and investment advisors in the cases examined in the article range from low-to-mid six figures (specifically, $100,000 to $450,000). The only exception is a $27,500 fine imposed against a small firm (with only five registered persons and five associated persons) for a procedural violation without any customer harm.
In addition to Regulation S-P violations, the SEC will also likely be reviewing identity theft procedures and practices “in the near future, which could lead to enforcement activity,” the lawyers say. The SEC adopted Reg S-P in 2013 for entities under its jurisdiction, including registered BDs and advisors.