Highlights Areas of High Risk and Examination Priorities for Financial Industry Firms
On September 15, the U.S. Securities and Exchange Commission's (SEC's) Office of Compliance, Inspections and Examinations (OCIE), issued new guidance outlining areas of cybersecurity risk to be addressed by registered broker-dealers and investment advisers in their systems and procedures. The guidance, issued in the form of a "Risk Alert," sets forth examination priorities to be used by SEC examiners, in upcoming examinations of these firms. Just one week later, the SEC's Division of Enforcement filed its first enforcement action in the cybersecurity arena, against St. Louis investment adviser R.T. Jones Capital Equities Management, for violations surrounding an incident of hacking that exposed the firm's customers to risk of identity theft. Matter of R.T. Jones Capital Equities Management, Inc., Admin. Proc. File No. 3-16827, SEC Investment Advisers Act Release No. 4204 (Sept. 22, 2015). Although the case settled and R.T. Jones neither admitted nor denied the SEC's findings, the case underscores the need for financial industry firms to have robust written procedures and systems to detect, prevent, and respond to instances of cybercrime and other breaches.
Summary of Key Issues
- A new round of SEC examinations, focusing specifically on cybersecurity, will begin soon
- Broker-dealers and registered investment advisors now have an
opportunity to assess, and if necessary improve, their systems,
practices, and written policies and procedures in the following key
- Governance and risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Incident response
- The SEC has signaled that it will not hesitate to sanction firms for deficient written policies and procedures, even in cases where firms are victims of cybercrime and have responded promptly and effectively to the incident
The September 15th Risk Alert
The September 15th Risk Alert comes on the heels of a number of cybersecurity initiatives by the SEC in 2014, as well as earlier this year. The Alert draws on concepts and findings reflected in the SEC's March 2014 Cybersecurity Roundtable, its April 2014 Risk Alert, announcing a "sweep" examination for cybersecurity preparedness, and its February 2015 report of observations from that sweep. Further, the SEC also included cybersecurity topics in its 2015 Examination Priorities letter, issued January 13, 2015.
OCIE indicated that this second round of examinations, to be known as the "Cybersecurity Examination Initiative," will "involve more testing to assess implementation of firm procedures and controls." These examinations will build on the earlier round. In sum, the September 15 Alert is a straightforward announcement of the SEC's expectations in this area, and firms would be wise to take advantage of this "heads up" in preparing for the upcoming examinations.
What Was the SEC's Intent in Issuing its Risk Alert?
The best statement of the SEC's intent regarding the Alert is found in a post-script, in which the SEC noted:
This Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor.
As such, it seems clear that the SEC expects all firms subject to its examination jurisdiction to review their systems and procedures and make any necessary changes before the examiners arrive. The Alert provides a general overview of the six main cybersecurity compliance topics that will be the subject of the upcoming examinations. These topics are listed below. With such topics articulated in the Alert, it will be difficult for firms to defend the adequacy of their systems or procedures if they lack attention to each of these topics.
Secondly, the SEC is allowing firms to prepare themselves for the examination itself, by providing an advance copy of a lengthy and detailed set of information and document requests, which are attached as an appendix to the Alert.
The Alert provides little guidance, however, as to the substance of how the goals reflected in the six main topics are to be implemented. Thus, the OCIE examiners will likely see wide variation in how firms deal with the topics articulated in the Alert. For example, the Alert speaks broadly about user access rights and controls and prevention of data loss, but does not mention any specific requirement that electronic communications or devices be encrypted. Some firms may choose to employ encryption, while others may choose to safeguard information through a variety of other layers of protection, while not employing encryption. Under the unique circumstances faced by an individual firm, either approach may be deemed adequate.
The Alert hastens to caution, however, that neither the topics discussed in the Alert, nor the information and document requests are, in and of themselves, rules or SEC requirements of any sort, although they may reflect requirements that arise out of the SEC's rules and governing statutes. The overall approach of the Alert makes it clear that the specific facts and circumstances relevant to each firm are to be considered in assessing the adequacy of the firm's systems and procedures, and that such systems and procedures should be tailored to each firm's business.
That said — returning to the encryption example — the information and document request attached to the Alert do request documents relating to any encryption requirements firms may have for firm-issued or personal devices. The fact that OCIE is making such a request may reflect the staff's view that, at least in some instances, encryption is required. A less likely, but possible, reason for such a request might also be to allow OCIE to survey how many firms are using encryption and whether it has become a best practice in the industry regarding cybersecurity. Dozens of other documents requests are equally specific, and because they are obviously designed to cover the waterfront of known cybersecurity challenges facing broker-dealers and investment advisers generally, many of the requests may not even apply to some firms.
How Will the SEC Examine Firms for Compliance?
The Alert announced that that the SEC will examine registered broker-dealers and investment advisers, as part of its Cybersecurity Examination Initiative, focusing on "key topics" including:
- Governance and risk assessment
- Access rights and controls
- Data loss prevention
- Vendor management
- Incident response
The OCIE examiners will review each firm's written policies and procedures with respect to cybersecurity, and will request documents and information in accordance with the form requests attached as an appendix to the Alert.
The R.T. Jones Case
R.T. Jones' Systems "Hacked" by Unknown Assailant
According to the Order Instituting Administrative and Cease-and-Desist Proceedings, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order issued against R.T. Jones on September 22, 2015 (the Order), in July 2013, R.T. Jones' third-party web server was attacked by an unauthorized intruder, whose identity was never discovered, but was determined to originate from multiple IP addresses in China. The intruder gained access rights and copy rights to nearly four years of personally identifiable information (PII) of customers and third parties. The stored information was not encrypted, but the firm restricted access to two individuals who held administrator status. As a result of the attack, the SEC alleged that "the PII of more than 100,000 individuals, including thousands of R.T. Jones's clients, was rendered vulnerable to theft."
Upon learning of the breach, the firm promptly hired multiple cybersecurity consulting firms to investigate and assist the firm. The consultants could not assess the full extent of the breach because the log files had been destroyed in the attack by the intruder. Another cybersecurity consultant unsuccessfully attempted to determine if any of the PII stored on the server had been accessed. The firm provided notice of the breach to all individuals whose PII may have been compromised and offered to provide free identity monitoring services. More than two years have passed since the breach occurred, and the firm has not been informed that any client has suffered financial harm stemming from the breach.
The SEC's Charges Against the Firm
The SEC charged R.T. Jones with violations of Rule 30(a) of SEC Regulation S-P, 17 C.F.R. § 248.30(a), which is known as "the Safeguards Rule." As summarized in the Order, the Safeguards rule requires that:
Every investment adviser registered with the Commission adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
In its 2005 amendments the Safeguards Rule, the SEC required that such policies and procedures be in writing.
The SEC alleged that R.T. Jones did not have written policies and procedures that were reasonably designed to safeguard its clients' PII. While the SEC acknowledged that the firm did have some written procedures for protecting its clients' information, such procedures did not include such items as:
- Conducting periodic risk assessments
- Employing a firewall to protect the web server on which client PII was stored
- Encrypting client PII stored on that server
In addition, the firm lacked any written policies or procedures for responding to a cybersecurity incident.
The firm was censured, ordered to Cease and Desist from future violations of Rule 30(a) or Regulation S-P, and pay a fine of $75,000. It is noteworthy that the SEC did not impose a requirement that the firm retain an independent compliance consultant to review the firm's procedures and recommend any necessary improvements.
Conclusions and Compliance Strategy
1. Steps to Safeguard Data
The specific steps to be taken by any individual firm must be tailored to the business and circumstances of each firm. It is interesting that in the R.T. Jones case, the SEC cited the firm for failing to provide for encryption of customer PII on its third-party hosted web server, yet in the Alert, there is no mention of encryption as a topic to be addressed by broker-dealers and investment advisers generally. Perhaps the SEC wishes to avoid pronouncing an encryption requirement, while nevertheless concluding that under the facts of R.T. Jones, it was unreasonable not to encrypt. This tension is illustrative of the difficulty that firms are likely to have in assessing the level of security required to satisfy the SEC's examiners. Based on the SEC's assertions, as well as enforcement actions taken by the Federal Trade Commission and the Federal Communications Commission, we believe encryption of sensitive personal information is becoming the de facto standard and therefore firms should seriously review whether encryption should be adopted in their cybersecurity systems and procedures.
In the face of such uncertainty, we believe the best approach a firm can take is to create a robust process for assessing all known risks, addressing them through responses that the firm concludes are reasonable, providing appropriate training to its employees, and — importantly — periodically repeat the process of assessment and response to assure that the firm's approach is up-to-date and commensurate with industry standards, both in terms of the current risk environment, but also in the application of the most current and efficient technologies available for response. The use of outside counsel or an independent cybersecurity consultant not only adds to the quality of the assessment and problem solving beyond the capabilities of whatever in-house staff the firm may have, but serves as additional proof that the firm takes its cybersecurity responsibilities seriously.
2. Written Policies and Procedures
The requirement that a broker-dealer or investment adviser have written policies and procedures to address Cybersecurity risks can be traced to various sources. Most directly, SEC Regulation S-P requires such firms to maintain procedures to protect the security and confidentiality of customer information and records. In addition, both the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 effectively require firms to maintain written supervisory procedures. In addition, broker-dealers who are Financial Industry Regulatory Authority (FINRA) members have a specific requirement under FINRA Rule 3130 to maintain procedures to supervise their employees and their business. (Notably, the FINRA Report on Cybersecurity Practices, issued in February 2015, contains a very detailed and substantive discussion of data protection issues, while expressly recognizing that there is no "one size fits all" approach when it comes to cybersecurity, especially as concerns the use of generally recognized frameworks and standards. The Report is a good resource even for firms that are not FINRA members.)
It is important that the firm's written procedures address each topic articulated in the SEC Alert, as well as other issues unique to the firm regardless of whether they are mentioned in the Alert. Everything that the firm does in this area should be documented as a written policy or procedure. While a significant part of the examination will be establishing that the written policies and procedures are, in fact, being performed, the converse is often overlooked by firms — i.e., that a firm is, in fact, performing a process (and even doing so effectively), cannot cure the omission of that process from its written procedures.
The R.T. Jones case presents a good example of this. Although the firm (a) promptly engaged consulting firms to determine the extent of the attack; (b) implemented measures to prevent such an attack from reoccurring; and (c) took steps to alert all persons whose private information was compromised (including offering free identity theft monitoring), the firm was nevertheless disciplined. The SEC noted that the sanctions would have been more severe had such prompt remedial steps (which, we emphasize, were accomplished in spite of the absence of any written procedures) not been taken.
The procedures should not simply be a listing of principles or rules, but should be process-oriented. For example, they should identify, by title, individuals within the organization who have responsibility for ensuring compliance, the manner in which they are expected to do so, the training regarding cybersecurity they received, how such activities are to be documented, and should specify a system of follow-up and review (i.e., audit) to ensure that the designated individuals are performing their responsibilities in an effective manner.
For example, an effective procedure to guard against data loss by employees might be a real-time alert that notifies a designated supervisor in the event that an employee attempts to download firm data to a thumb or flash drive, or emails an unusual amount of data to an outside email address. But such a procedure may be seen as deficient if it is not adequately documented, including specifying the response steps to be undertaken by the supervisor if such suspicious activity is detected.
The Alert also telegraphs the SEC's obvious desire that firms involve senior management in cybersecurity issues. That too should be reflected in the written procedures.
We recommend as a baseline that organizations address the following areas in their cybersecurity policies:
- Cybersecurity Governance and Risk Management — Each organization should adopt a framework for internal investigation, decision-making and escalation within the organization to identify and manage cybersecurity risks
- Cybersecurity Risk Assessment — Firms should conduct periodic risk assessment to identify cybersecurity risks relating to firm technology, information access and vendor compliance, and to prioritize remedial activities and initiatives
- Technical Controls — Organizations should implement and maintain technical controls to protect information assets and technology, such as access management and control, data encryption and penetration testing
- Incident Response Planning — Firms should establish written procedures and guidance for preparing for and responding to security breaches and other cybersecurity incidents, including designation of an incident response team and roles and responsibilities
- Vendor Management — With the tremendous move to the use of cloud based software and data solutions, firms should proactively manage cyber-risks associated with its vendor relationships, including vendor due diligence and appropriate contractual protections
- Staff Training — Employees are critical to a successful cybersecurity risk management program. Thus, firms should include regular training for information security professionals, as well as the workforce as a whole on issues such as incident response, good security practices and anti-phishing education
- Cyber Intelligence and Information Sharing — Responsibility should be assigned to one or more individuals for remaining current on the constantly evolving cyber threats and risks, and communicating those threats and risks throughout the organization
- Cyber-Risk Insurance — Recognizing that no firm will always maintain 100 percent security, firms should consider the use of cyber-risk insurance as another way of mitigating losses and exposure from security breaches and other cybersecurity incidents
3. Preparation for Upcoming OCIE Examinations
The Alert plainly states that the information and document requests, which are attached as an appendix to the Alert, are "to be used" in the Cybersecurity Examination Initiative. Thus, firms should begin to assess whether they are in possession of documents, or have accessible information, relevant to each of the requests. It may well be most efficient to gather and segregate responsive documents as they are located, even before the firm receives a formal request from the OCIE examiners. Another reason to do this ahead of time is because in some cases documentation may be missing, and efforts to recover or locate the documentation can be undertaken without the urgency of a pending request from the regulator.
Of course, perhaps the most valuable part of the Alert is the opportunity to review and revise written procedures before the staff asks for them as part of the examination. While it will be obvious, and should be transparent, if the firm has made changes between September 15 and the date of the eventual examination, firms are much better off making the changes on their own, rather than being prompted by deficiencies noted in the examination.
Some firms will decide to employing counsel with experience in cybersecurity issues to review and assist in the revision of written procedures, and assess the adequacy of the prospective responses to the document and information requests. Outside counsel can view the firm with more objectivity — even as an examiner would — in order to allow the firm to make better-informed decisions regarding possible changes and initiatives.
4. Responses to Breaches
As noted above, effective security breach incident response is critical to every cybersecurity management program. In the R.T. Jones case, the firm's response appears to have been immediate, and it notified customers promptly that a breach had occurred. The SEC's focus was not, therefore, on the firm's response, but rather its lack of written procedures. A portion of the violations enumerated in the SEC's order were based on the firm's failure to document its response plan, even though the response appears to have been executed quite successfully. In other words, a firm that successfully navigates it way though a cyber-breach incident "on the fly," even in the absence of any damage to the firm or harm to its customers, will not be able to escape regulatory scrutiny if it does not have a well-documented response plan. Moreover, the failure to have such a well-document response plan may also be the focus of any civil litigation which may follow a breach.
Financial services firms doing business in California should also review new requirements for responding to data breaches signed into law on October 6th. Read more about these requirements in our next Cybersecurity Alert, available here.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.