
SEC Clarifies RIAs’ Cybersecurity Obligations


This is an extended version of the article that appeared in the November 2015 issue of Investment Advisor.

In April 2014, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert indicating that the SEC would focus on cybersecurity as a major issue. Almost 18 months later, many registered investment advisors still seem to be confused about what, exactly, they are required to do to comply with SEC guidance to protect their clients’ confidential information from would-be hackers and other forms of data breaches (such as lost or stolen laptops containing confidential information). 

Two SEC-driven developments in September 2015 clarified those obligations. It is clear that registered investment advisors are obligated to: implement robust technical controls to protect their clients’ sensitive and confidential information from reasonably foreseeable threats; and adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of that information.

A Brief History of the SEC’s Cybersecurity Initiative

On March 26, 2014, the SEC sponsored a cybersecurity roundtable, during which Chairwoman Mary Jo White stressed the importance of cybersecurity to the integrity of the financial market system and customer data protection. White discussed the “compelling need for stronger partnerships between the government and private sector” to address cyberthreats.

With respect to SEC-regulated financial institutions, these “stronger partnerships” have apparently taken the form of examining cybersecurity practices and bringing enforcement actions against those whose failure to implement and document robust cybersecurity practices has resulted in the loss of clients’ confidential information.

On April 15, 2014, OCIE released a Risk Alert announcing its cybersecurity initiative. As part of this initiative, OCIE announced that it would conduct examinations of more than 50 financial institutions, including registered investment advisors, focused on: cybersecurity governance; identification and assessment of cybersecurity risks; protection of networks and information; risks associated with remote customer access and funds transfer requests; risks associated with vendors and other third parties; detection of unauthorized activity; and experiences with certain cybersecurity threats.  

This Risk Alert attached a list of sample questions comprising 28 requests with multiple sub-parts, which address a broad range of issues and technical complexity. For example, one of the simpler questions is whether a firm maintains an inventory of its physical devices and systems. Some more complex and technical questions include: whether a firm maintains protection against distributed denial of service (DDoS) attacks for critical Internet-facing IP addresses; whether the firm maintains baseline information about expected events on its network; and whether the firm aggregates and correlates event data from multiple sources to assist in detecting unauthorized activity on its networks or devices.

September 2015 Developments

On Sept. 15, 2015, OCIE released another Risk Alert to elaborate upon “the areas of focus for OCIE’s second round of cybersecurity examinations, which would involve more testing to assess implementation of firm procedures and controls.” 

According to OCIE, this next round of examinations would focus on:

  • Governance and risk assessment, which generally evaluates whether registered investment advisors have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas; are periodically evaluating cybersecurity risks; have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations; and are communicating with senior management.
  • Access rights and controls, i.e., whether registered investment advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and evaluation of the way in which they manage user credentials, authentication and authorization methods.
  • Data loss prevention, which would include analysis of how registered investment advisors monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads; and unauthorized data transfers.
  • Vendor management, including an assessment of a registered investment advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.
  • Training, which could focus on the ways in which registered investment advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured Internet connection or downloading attachments from an unknown source.
  • Incident response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible data breaches. 

Much like the previous Risk Alert, the September Risk Alert also attaches an appendix with a list of information that OCIE “may review as part of its cybersecurity examinations.” 

Critically, a footnote in the September Risk Alert references Regulation S-P, Rule 30(a), which requires registered investment advisors to adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information, which must be reasonably designed to:

  • Ensure the security and confidentiality of customer records and information
  • Protect against any anticipated threats or hazards to the security or integrity of customer records and information
  • Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer

In short, Rule 30(a) requires registered investment advisors to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer information and records.

In the context of this Risk Alert, the footnote signals that registered investment advisors that do not adopt written policies and procedures to address the risk of data breaches and unauthorized access to confidential client information are potentially violating Rule 30(a).

One week later, on Sept. 22, the commission announced that an investment advisor agreed to settle charges that it failed to establish “the required cybersecurity policies and procedures” in advance of a breach that compromised the personally identifiable information of thousands of that firm’s clients. According to the SEC’s Order Instituting a Settled Administrative Proceeding, the firm “failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, the firm failed to conduct periodic risk assessments, implement a firewall, encrypt [personally identifiable information] stored on its server or maintain a response plan for cybersecurity incidents.” As a result, the firm agreed to be censured and pay a $75,000 penalty.

The Takeaway

Based on the Risk Alerts and the enforcement action discussed above, I strongly recommend that all registered investment advisors undertake the following actions without delay:

  1. Consult with IT staff or vendors to see what, if anything, can be done to implement technical controls and safeguards to better protect the firm’s network and the sensitive and confidential client information it maintains.
  2. Evaluate and potentially purchase an insurance policy to cover damages that could be incurred with respect to a hacking event or other form of data breach.
  3. Adopt a written cybersecurity policy addressing the two appendices attached to the April 2014 and September 2015 Risk Alerts. The written cybersecurity policy should be tailored to the firm’s actual business practices and information technology framework, and should also include means to test the efficacy of the policy by, for example, incorporating a checklist that the registered investment advisor may use to conduct periodic risk assessments.