The SEC announced last week that an investment adviser had agreed to settle charges that it failed to take required steps to protect against and respond effectively to a cybersecurity breach.  The action comes on the heels of the SEC’s Risk Alert announcing that it once again intends to examine whether broker-dealers and advisers comply with specific, enumerated cybersecurity best practices.  The SEC’s recent announcements come amidst a spate of large data breaches and increased cybersecurity enforcement activity by other agencies, including the U.S. Department of Justice, Federal Trade Commission, Federal Communications Commission and the Department of Health and Human Services’ Office for Civil Rights.

To protect themselves against security incidents and regulatory enforcement actions, companies should ensure they have comprehensive cybersecurity governance and risk assessment procedures in place relative to several key areas.  These include incident response, controls to prevent unauthorized access, due diligence and effective contracting with third-parties who have access to information, and adequate insurance against the losses associated with a data breach.

SEC’s Recent R.T. Jones Enforcement Action

Regulation S-P under the Securities Act of 1933 requires registered investment advisers and broker-dealers to adopt written policies and procedures reasonably designed to protect customer records and information.  On September 22, 2015, the SEC announced a settlement with R.T. Jones Capital Equities Management, Inc., an investment adviser, relating to charges that it had failed to establish the required policies and procedures in advance of a breach that exposed the personally identifiable information of the firm’s clients.  R.T. Jones allegedly failed to adopt any such policies and procedures or to implement reasonable cybersecurity practices.  For example, the firm allegedly failed to conduct periodic risk assessments, implement a firewall, encrypt personally identifiable information on its server or maintain an incident response plan.  While no client has yet identified any financial harm as a result of the breach, the SEC still charged the firm with violating Regulation S-P, and the firm paid a $75,000 penalty to settle the matter.

SEC’s Cybersecurity Examination Initiative

The SEC’s enforcement action closely follows its Risk Alert on September 15, 2015 that focuses on cybersecurity compliance and controls as part of its “2015 Examination Priorities” for broker-dealers and investment advisers.  The examinations will focus on key topics, including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.  The SEC also released a sample document request as an appendix to assist firms in assessing their cybersecurity preparedness.  In issuing this guidance, the SEC has laid down a clear marker of its expectations for broker-dealers and investment advisers in the area of cybersecurity.

What to Do Now to Reduce Risk

The SEC’s recent activity is part of a larger regulatory enforcement trend that should serve as a warning to all public companies that they would be wise to review and revise their cybersecurity policies, procedures and practices to ensure that they are adequate in today’s changing environment.  Clearly, simply having cybersecurity policies is not enough if they are not comprehensive and are not in line with current standards (e.g., NIST’s 2014 Cybersecurity Framework).

The SEC has outlined what it believes are necessary policies and procedures and, while technically applicable only to broker-dealers and advisers, they put public companies on notice of the SEC’s expectations.  Further, the SEC’s framework should be considered minimum requirements and not a panacea.  Comprehensive cybersecurity preparedness and response also should include the following:

• A cybersecurity governance structure composed of a board-level information management policy, a comprehensive security and privacy program that consolidates disparate aspects and business-level implementation plans.
• Thorough diligence and contractual terms that allocate risk and minimize liability with respect to third-party vendors and service providers that have access to company data.
• Insurance policies with appropriate levels of coverage that protect against the claims and potential damages that pose the most risk.
• Regular penetration testing and breach response table-top exercises performed by a third-party vendor retained and overseen by a law firm, so that the analysis, results and mitigation steps are protected by the attorney-client privilege.
• Understanding the complex patchwork and interrelationship among state and federal data security and breach notification laws, which cover different sets of protected data and carry separate notification requirements, including SEC disclosure requirements.
• Using caution when utilizing non-legal compliance firms that assist entities with formulating policies and procedures that track SEC and FINRA rules, as there may be additional legal risks that expose you to liability.
• Understanding comprehensively the data that a company collects, uses and discloses, ensuring the lawfulness of those practices, and taking steps to mitigate associated risks, including the risks relating to potential mergers and acquisitions.
• Regular briefings for the board of directors (or the appropriate board committee) to ensure appropriate oversight and resources.
• Experienced privacy and data security attorneys who can assist with all of the foregoing steps.

Given the SEC’s recent activity in the cybersecurity area and its plans for additional scrutiny and action, investment advisers, broker-dealers and public companies should assess their current state of cybersecurity preparedness, including the purely legal issues, and incorporate the SEC’s expectations in their planning.