Officials at the U.S. Securities and Exchange Commission are still focusing, intently, on cybersecurity.
Registered investment advisors (RIAs) and broker-dealers would be wise to take note of SEC pronouncements on the subject and make sure they are using their best efforts to defend their firms against cyber-attacks.
SEC examiners have been very proactive about conducting sweeps of broker-dealers and RIAs to assess their defenses against a cyber-attack.
At a recent panel discussion at the Investment Company Institute’s Mutual Funds and Investment Management Conference, Andrew Ceresney, head of the SEC’s Division of Enforcement, said that the SEC has cybersecurity enforcement actions in the pipeline. These enforcement actions should not be a surprise, given that the SEC Office of Compliance Inspections and Examinations (OCIE) listed cybersecurity as an area of interest to examiners in its 2017 examination priorities notice.
Registered entities must be ready to prove to examiners that they recognize the importance of cybersecurity and have taken appropriate action to protect their firms and clients. It is imperative that they have a tested plan in place to guard against cyber-attacks.
Safeguards Rule Violations
Ceresney said that the SEC’s Enforcement Division is using the Regulation S-P privacy rule to bring actions against firms that fail to safeguard client data. Ceresney cited the enforcement action brought against an RIA based in St. Louis, Missouri, for violating Rule 30(a) of Regulation S-P, also known as the “Safeguards Rule.” The Safeguards Rule has been in place since 2000 and was amended in January 2005.
In the St. Louis action, the RIA agreed to settle charges that it failed to establish the required cybersecurity policies and procedures to protect personally identifiable information from anticipated threats and unauthorized access.
For roughly four years, the RIA stored sensitive and personally identifiable information on its web server, which was hosted by a third party. The firm stored this information without first adopting written policies and procedures designed to protect its customers’ records and other data. As a result, the personally identifiable information of approximately 100,000 people, including thousands of clients, was compromised.
The SEC alleged that the RIA was remiss in failing to:
implement an incident response plan;
assess cybersecurity risks periodically;
install a firewall; and
encrypt the stored personally identifiable information on its server.
Firms must anticipate potential cybersecurity events and should enact policies and procedures to address them. Even if a firm has policies and procedures in place, examiners will still look at whether it has gone far enough to thwart cyber-attacks.
The SEC did not find fault with the RIA’s efforts after it discovered the breach. In addition to hiring several cybersecurity consulting firms, the RIA promptly notified all impacted individuals and offered free identity theft monitoring through a third-party provider.
The SEC sanctioned the firm even though there was no proof that clients were harmed. The firm did not dispute the SEC’s findings; the RIA agreed to be censured and to pay a stiff fine. In addition, the RIA appointed an information security manager to bolster data security and implemented a written information security program. The RIA stopped storing personally identifiable information on its web server and began encrypting this information on its internal network. To prevent and detect malicious incursions, the firm installed a new firewall and logging system.
Cybersecurity Risk Assessments
Firms can demonstrate that they are being proactive by conducting a cybersecurity risk assessment. As part of the assessment process, firms should identify and maintain an inventory of their information assets. They should document where these assets are located, such as on servers, workstations, laptops, smartphones, removable media, and databases. Firms should also look at the sensitivity of this information and how it is stored. During their risk assessments, firms should analyze the internal and external cyber-threats to their information and systems.
It is also imperative that firms evaluate the security controls and processes currently in place. As part of their assessment, firms should attempt to evaluate the impact that will result if information or technology systems are compromised. A firm should also look at whether its governance structure for neutralizing these cyber-threats is effective.
In his comments at the Investment Company Institute’s Mutual Funds and Investment Management Conference, Ceresney encouraged firms to report potential regulatory violations to the SEC. Firms may mitigate the sanctions imposed on them by self-reporting.
RIAs and broker-dealers are less likely to face regulatory consequences if their policies and procedures are reasonably designed to prevent, detect and respond to cyber-attacks. At a minimum, firms should take steps such as:
conducting due diligence of vendors;
encrypting personally identifiable information;
controlling access to various systems with firewalls;
restricting the use of removable storage devices;
utilizing software to detect unauthorized intrusions;
curtailing access to certain resources on the network and sensitive information; and
removing non-essential software programs.
Principals of a firm should be deeply involved in its cybersecurity efforts. A firm’s principals and employees should work together to create an incident response plan that can be set in motion if a cyber-attack occurs.
There should also be ongoing educational efforts to keep employees apprised of cybersecurity risks facing the firm. Cyber-breaches are often the result of human error and a failure to adhere to policies and procedures designed to prevent them. Frequently, employees use weak passwords or conduct business on a Wi-Fi network at a hotel, airport, coffee shop, or some other public location.
It is also a best practice for firms to educate their clients regarding cybersecurity risks they may encounter. These efforts may help firms to avoid harmful cybersecurity events. In addition, these efforts help to assure clients that a firm is doing everything in its power to protect their assets and privacy.
A firm might also benefit by holding educational seminars on cybersecurity and identity theft topics to attract prospective clients. It is one more way to help a firm differentiate its services from competitors.
It is not enough for firms to implement a strategy to prevent, detect, and respond to cybersecurity threats. They should also test that strategy.