SEC Cybersecurity Examinations and Enforcement: What Broker-Dealers and Investment Advisers Need to Know

by Dechert LLP

The Securities and Exchange Commission’s (SEC or Commission) Office of Compliance Inspections and Examinations (OCIE) announced in a September 15, 2015 Risk Alert (2015 Risk Alert) that it will be conducting a second round of examinations of broker-dealers and investment advisers, focused on cybersecurity.1 One week later, the SEC’s Enforcement Division announced the settlement of an enforcement proceeding against an investment adviser for failing to establish adequate cybersecurity policies and procedures, as required under Regulation S-P.2

The announcement of the second round of OCIE cybersecurity exams and the recent enforcement action are strong signals that the SEC remains focused on evaluating the cybersecurity policies and procedures adopted by investment advisers and broker-dealers. While the first round of OCIE exams appeared to be more focused on inventorying the particular cybersecurity policies and practices that firms had adopted, the sample information request included in the 2015 Risk Alert indicates that the SEC will now focus on the implementation and operation of cybersecurity policies and procedures. The enforcement proceeding indicates that firms may be subject to regulatory enforcement for failure to adopt adequate cybersecurity policies and procedures, even in the absence of financial harm to investors.

The Commission’s Continued Emphasis on Cybersecurity

Cybersecurity remains a priority for the Commission and its staff. Commission Chair Mary Jo White recently called cybersecurity a “key priority area[]” for the Commission.3 Earlier this month, Commissioner Kara Stein similarly signaled this issue’s importance, when she noted that “cybersecurity has become one of the most significant issues affecting investors, corporate issuers, and financial institutions – really just about everyone in the financial marketplace.”4 Likewise, Commissioner Luis Aguilar commented earlier this year that “it is not an overstatement to say that cybersecurity is one of the defining issues of our time.”5

Such intense and pointed remarks from multiple commissioners should make clear to industry compliance professionals that the issue remains front of mind for the Commission.6 In light of the heightened regulatory attention, compliance teams at investment advisers and broker-dealers should take note.

Background on Round Two of the OCIE Cybersecurity Examinations

In March 2014, the Commission sponsored a cybersecurity roundtable, after which OCIE announced that it would conduct an initial round of cybersecurity examinations (2014 Risk Alert).7 OCIE subsequently examined 57 broker-dealers and 49 investment advisers. In February 2015, OCIE published the results from these examinations. Notably, OCIE found that most of the entities examined had directly or indirectly been the target of a cyber-attack.8 OCIE’s second round of cybersecurity examinations has been expected since early 2015.9

OCIE’s 2015 Cybersecurity Examination Initiative

In the 2015 Risk Alert, OCIE announced that in this round of examinations it will focus on six areas: (i) governance and risk assessment; (ii) access rights and controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response. In addition to providing the areas of focus, OCIE provided a set of sample requests for information. The sample list of requests is instructive, and provides helpful insight into what measures the Staff may expect firms to have taken to secure customer data.

Importantly, the 2015 Risk Alert and the sample inquiries indicate that OCIE expects each firm to have implemented more than a generic, cookie-cutter cybersecurity policy. Firms should actively analyze their particular risk profiles, and implement a policy specifically designed to address their relevant risks. In doing so, firms should consider internal as well as external risks.

The process of tailoring cybersecurity policies and procedures to a firm’s particular needs should not be a one-time endeavor. Indeed, the 2015 Risk Alert suggests that an effective plan involves the regular monitoring and analysis of potential risks including the risks arising from employees and vendors who inadvertently compromise the security of sensitive information. Firms should also consider implementing systems to actively document new risks, so that the firm’s program can keep pace with ever-evolving threats.

The 2015 Risk Alert also makes clear that merely adopting a policy, but failing to effectively implement and monitor that policy, is insufficient. Importantly, implementation of an effective cybersecurity plan should include an incident response plan to address what will happen if data is compromised, including processes to document the firm’s response and the extent of the impact on the firm and its clients.

In addition, as compared to OCIE’s 2014 Risk Alert, the 2015 Risk Alert highlights OCIE’s concern with the increased risk that firms may face if they fail to implement “basic controls.” To address this issue, the sample requests attached to the 2015 Risk Alert seek specific information regarding the technologies and technical processes firms have in place to protect customer information. For example, the 2015 Risk Alert indicates that OCIE may request information about a firm’s use of multi-factor authentication, the remote de-activation of devices, and penetration testing.

Importantly, the 2015 Risk Alert notes that “[t]he adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm[.]” It is clear that the OCIE examiners will be looking for evidence of a cybersecurity plan that addresses the risks based on a firm’s own risk profile. In fact, the 2015 Risk Alert cautions that the enumerated items of emphasis are not exclusive, and that examiners may select additional areas on which to focus, based on the risks identified in the course of the examinations.

Recent Cybersecurity Enforcement Highlights the Importance of Proactively Assessing Risks and Tailoring a Cybersecurity Program to Those Risks

In a recent settled enforcement proceeding, In the Matter of R.T. Jones Capital Equities Management, Inc.10 (R.T. Jones Order), the Staff alleged that an SEC-registered investment adviser failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (Safeguards Rule).

According to the Staff, from at least September 2009 through July 2013, the adviser stored sensitive personally identifiable information (PII) of clients and others on a third-party-hosted web server “without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” Then, in July 2013, the web server was attacked by an “unauthorized, unknown intruder,” and as a result, “sensitive data of more than 100,000 individuals, including thousands of [the adviser’s] clients, was rendered vulnerable to theft.” The adviser “promptly retained more than one cybersecurity consulting firm to confirm the attack and assess the scope of the breach,” but neither firm could determine whether the sensitive data stored on the server had been accessed or compromised during the breach. Shortly thereafter, the adviser provided notice of the breach to all individuals whose sensitive data may have been compromised. The adviser agreed to pay a $75,000 penalty, and took remedial steps to improve its cybersecurity program after the attack.11 It is important to note that the apparent trigger for the SEC’s enforcement action was the adviser's failure to adopt written policies and procedures that were reasonably designed to protect customer records and information, and there was no indication that a client had suffered actual financial harm as a result of the incident.

The R.T. Jones Order highlights the importance of oversight of third-party web services and tailoring cybersecurity policies and procedures to a firm’s particular business, indicating that firms cannot simply adopt cookie-cutter policies and procedures and then take swift action to remedy a breach if one occurs. Indeed, the Commission alleged that, “[t]aken as a whole, [the adviser’s] policies and procedures ... were not reasonable to safeguard customer information.” For example, while the adviser kept customer PII on a web server, the SEC noted that the adviser both failed to employ a firewall to protect the server and failed to encrypt the PII stored on the server. In addition, even though the Commission acknowledged that the adviser “promptly” took certain steps to address the breach, the Commission noted that the adviser had failed to establish procedures for responding to a cybersecurity incident and also did not conduct periodic risk assessments.

The R.T. Jones Order underscores that investment advisers and broker-dealers may face regulatory scrutiny and enforcement actions even without a concrete, identifiable financial impact to clients. Indeed, the Order notes that, to date, the adviser has not learned that any client has suffered financial harm as a result of the attack. Moreover, in announcing the settlement, the Co-Chief of the Enforcement Division’s Asset Management Unit explained that “it [is] important to enforce [Regulation S-P] even in cases like this when there is no apparent financial harm to clients.”12

Conclusion

The continued focus on cybersecurity by the SEC signals that the importance of this issue for the financial sector continues to grow. In particular, it is likely there will be a notable increase in cybersecurity-related enforcement. Commissioner Aguilar stated earlier this year that “the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.”13

Commission Chair White has made clear that “[the SEC] publish[es] these risk alerts, in part, so that compliance professionals can evaluate controls and procedures in these areas and make proactive improvements as appropriate.”14 Like the 2014 Risk Alert, the 2015 Risk Alert provides an opportunity for investment advisers and broker-dealers to evaluate current efforts to deal with cyber threats, including whether current policies are effectively implemented, whether that implementation is actively monitored and documented, and whether – in light of the 2015 Risk Alert – the Staff may expect more.

Footnotes

1) OCIE’s 2015 Cybersecurity Examination Initiative.

2) For further information regarding the general obligations under this regulation, please refer to Dechert OnPoint, SEC Staff to Conduct Broker-Dealer and Investment Adviser Examinations Focused on Cybersecurity.

3) Opening Remarks at the Compliance Outreach Program for Broker-Dealers.

4) Accountants and Capital Markets in an Era of Digital Disruption: Remarks to the Institute of Chartered Accountants in England and Wales and British American Business.

5) A Threefold Cord – Working Together to Meet the Pervasive Challenge of Cyber-Crime.

6) As discussed in Dechert OnPoint, U.S. SEC Division of Investment Management Issues Cybersecurity Guidance, the Division of Investment Management recently issued its own cybersecurity guidance.

7) For further information, please refer to Dechert OnPoint, SEC Staff to Conduct Broker-Dealer and Investment Adviser Examinations Focused on Cybersecurity, supra note 2.

8) For information regarding the results of the first round of cybersecurity examinations, please refer to The Evolving U.S. Cybersecurity Landscape: What Firms Want to Know.

9) See The Evolving U.S. Cybersecurity Landscape: What Firms Want to Know, supra note 8, which noted comments by Jane Jarcho, National Associate Director of OCIE’s Investment Adviser/Investment Company Examination Program, indicating that a second round of exams would be forthcoming.

10) Advisers Act Rel. No. 4204 (Sept. 22, 2015).

11) The Order represents an administrative settlement, rather than the results of an adjudicated proceeding. The respondent settled without admitting or denying the Commission’s findings.

12) SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach.

13) See A Threefold Cord – Working Together to Meet the Pervasive Challenge of Cyber-Crime, supra note 5.

14) See Opening Remarks at the Compliance Outreach Program for Broker-Dealers, supra note 3.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dechert LLP | Attorney Advertising
