Officials at the U.S. Securities and Exchange Commission are still focusing, intently, on cybersecurity.
Registered investment advisors and broker-dealers would be wise to take note of SEC pronouncements on the subject, and make sure they are using their best efforts to defend their firms against cyber-attacks.
SEC examiners have been very proactive about conducting sweeps of broker-dealers and RIAs to assess their defenses against a cyber-attack.
Andrew Ceresney, head of the SEC’s Division of Enforcement, said at a recent panel discussion at the Investment Company Institute’s Mutual Funds and Investment Management Conference that the SEC has cybersecurity enforcement actions in the pipeline. These enforcement actions should not be a surprise, given that the SEC Office of Compliance Inspections and Examinations (OCIE) has listed cybersecurity as an area of interest to examiners in its 2017 examination priorities notice.
Registered entities must be ready to prove to examiners that they recognize the importance of cybersecurity and have taken appropriate action to protect their firms and clients. It is imperative that they have a tested plan in place to guard against cyber-attacks.
Safeguards Rule Violations
Ceresney said the SEC’s Enforcement Division is using the Regulation S-P privacy rule to bring actions against firms that fail to safeguard client data. Ceresney cited the enforcement action brought against an RIA based in St. Louis, Missouri, for violating Rule 30(a) of Regulation S-P, known also as the “Safeguards Rule.” The Safeguards Rule has been in place since the year 2000 and was amended in January 2005.
In the St. Louis action, the RIA agreed to settle charges that it failed to establish the required cybersecurity policies and procedures to protect personally identifiable information from anticipated threats and unauthorized access. The personally identifiable information of 100,000 individuals, including thousands of clients, was compromised.
For roughly four years, the RIA stored sensitive and personally identifiable information on its web server, which was hosted by a third party. The firm stored this information without first adopting written policies and procedures designed to protect its customers’ records and other data. As a result, the personally identifiable information of approximately 100,000 people, including thousands of clients, was compromised.
The SEC alleged that the RIA was remiss in failing to:
implement an incident response plan;
assess cybersecurity risks periodically;
install a firewall; and
encrypt the stored personally identifiable information on its server.
Firms must anticipate potential cybersecurity events and should enact policies and procedures to address them. Even if a firm has policies and procedures in place, examiners will still look at whether it has gone far enough to thwart cyber-attacks.
The SEC did not find fault with the RIA’s efforts after it discovered the breach. In addition to hiring several cybersecurity consulting firms, the RIA promptly notified all impacted individuals and offered free identity theft monitoring through a third-party provider.
The SEC sanctioned the firm, even though there was no proof that clients were harmed. The firm did not dispute the SEC’s findings, and it agreed to be censured and pay a stiff fine. In addition, the RIA appointed an information security manager to bolster data security and implemented a written information security program. The RIA stopped storing personally identifiable information on its web server and began encrypting this information on its internal network. To prevent and detect malicious incursions, the firm installed a new firewall and logging system.