Cybersecurity Regulatory Risk: Where We Stand
Cybersecurity is a topic that pre-occupies, and may even frighten, investment advisors and broker-dealers. High profile data breaches, such as the Panama Papers, have embarrassed prominent institutions and caused significant losses of confidential data, money and reputations. If that weren’t enough, regulators waste no opportunities to hold organizations accountable when breaches occur. The unpredictable nature of this threat can overwhelm even the most sophisticated firms.
While meeting regulatory expectations can seem daunting, a closer look at the cybersecurity threat indicates that the regulatory risk can be mitigated with proactive management. For cybersecurity, recent SEC pronouncements indicate that blocking and tackling can go a long way to meeting regulatory expectations and mitigating cyber risk. To understand how to meet those expectations, it’s important to review how the SEC has addressed cybersecurity over the past couple of years.
REGULATORY DEVELOPMENTS SINCE 2014
On April 15, 2014, the SEC’s Office of Compliance Inspections and Examination (“OCIE”) issued a Risk Alert announcing an examination sweep of investment advisors and broker-dealers to assess cybersecurity preparedness. Document requests during the sweep largely tracked the cyber risk framework published by the National Institute of Standards ("NIST”). After examining 57 broker-dealers and 49 investment advisors, the SEC published its examination sweep summary in February 2015. The following key observations have set expectations for firms’ cyber practices:
- Policies and Procedures/Business Continuity Planning: The vast majority of firms (93% of broker-dealers and 83% of investment advisors) have adopted information security policies, and many address cyber impacts in business continuity plans.
- Risk Assessments: The vast majority of firms (93% of broker-dealers and 79% of investment advisors) conduct periodic firm-wide risk assessments, which include the identification of vulnerabilities to cyber-attacks.
- Vulnerability to Attacks: Most firms (88% of broker-dealers and 74% of investment advisors) reported being targets of cyber-attacks (e.g. fraudulent e-mails, phishing scams, employee misconduct) either directly or through their third party vendors.
- Published Standards and Frameworks: Most broker-dealers (88%) and over half of investment advisors (53%) utilized published cybersecurity risk standards, such as NIST, to model their information security architecture and processes;
- Vendor Management: Most broker-dealers (72%) have incorporated cyber risks into third party vendor contracts, but fewer investment advisors (24%) have done so.
What to make of these results? When viewed in the context of the SEC’s core mission of investor protection, they come from the Commission’s focus on firms’ ability to protect customer/investor information through stronger controls. These themes became apparent in OCIE’s 2015 cybersecurity examination initiative announced in September 2015:
- Governance and Risk Assessment: Have advisors and brokers conducted a risk assessment to determine their exposure the cyber threats applicable to their business? Have firms utilized cybersecurity frameworks, such as NIST’s, to determine their risk? Have risks been communicated to senior management and the board of directors for appropriate actions?
- Access Rights and Controls: Who has authorized access to the various parts of the firm’s systems? Does the firm segment critical data to prevent access from unauthorized users? What type of encryption methodology does the firm employ? Is multi-factor authentication employed? How is remote user access addressed?
- Data Loss Prevention: How does the firm monitor transfer of data through emails or uploads? Are data or fund transfers reviewed for authenticity? Are proper controls in place to protect data and meet recordkeeping requirements (e.g., SEC Rule 17a-4)?
- Vendor Management: What are the firm’s practices and controls related to the use of third-party vendors? Does the firm conduct adequate due diligence and oversight prior to engaging with the third parties? Is vendor management part of the firm’s risk assessment process?
- Training: Are employees properly trained to avoid unintentional losses of data or exposing the firm’s network to vulnerabilities? How often is the training conducted? Is training tailored to particular employees’ duties? Has the firm incorporated incident response plans into training?
- Incident Response: Has the firm established policies and procedures, assigned roles, assessed vulnerabilities, and developed plans to respond to cyber breaches? Has the firm inventoried all data to determine the highest priority assets requiring protection?
Recently, the SEC has also proposed a new rule to require investment advisors to adopt written business continuity and transition plans (“BCPs”), which makes reference to cyber-attacks as a key risk. This development indicates a possible convergence between BCP and cybersecurity frameworks.
RECENT ENFORCECMENT CASES
Recent enforcement cases closely track the OCIE’s pronouncements, as the Commission cited privacy rules under Regulation S-P to bring enforcement actions. In September 2015, the Commission censured and fined a St. Louis-based advisor for failure to establish cybersecurity policies, which preceded a cyber breach on a third-party site resulting in compromised personally identifiable information of approximately 100,000 customers. The SEC, citing a violation of Reg S-P, also noted the advisor’s failure to conduct periodic risk assessments. Though no harm resulted to the advisor’s clients, this case tracks the Risk Alert’s reminder to (a) conduct periodic risk assessments; (b) implement data loss prevention measures; and (c) properly manage third-party vendors, as advisors are still responsible for data breaches occurring on third-party sites.
In April 2016, the SEC fined a New York broker-dealer $100,000 for violations of Reg S-P for failing to safeguard customer data through the improper use of email addresses and electronic fax accounts. Although not citing cybersecurity concerns directly, the Commission stressed that the broker-dealer failed to adopt policies and procedures reasonably designed to ensure the confidentiality and security of data, a primary purpose of the SEC’s Risk Alert. As with the previous case, the fact that customers were not harmed did not prevent the enforcement action.
WHERE DOES REGULATION GO FROM HERE?
Investment advisors and broker-dealers must realize that the SEC will continue to pursue these cases where cybersecurity controls are weak. To prepare, the most effective steps to take include:
- Conduct a cybersecurity risk assessment: A complete review of a firm’s cybersecurity policies and procedures should reveal any control deficiencies. Without such an assessment, no firm can be sure how best to prevent breaches of customer data.
- Perform penetration and vulnerability testing: Firms must understand the vulnerability of client/customer data before they can protect the information. The Commission has made clear from enforcement cases that failure to take adequate protection steps under Reg S-P will result regulation sanctions. Many advisors and brokers hire third parties to test the vulnerability of their networks to hackers.
- Examine adequacy of policies and procedures: Advisors and brokers often fail to establish and implement policies and procedures reasonably designed to prevent and detect non-compliance. Cybersecurity is no different. Compliance officers should work with their firm’s chief information security officers (“CISOs”), or equivalent, to ensure information security and technology policies adequately address cyber risks.
- Review business continuity plans: The SEC’s proposed rule suggests BCPs should incorporate cybersecurity disruptions. When testing a BCP’s effectiveness, simulate scenarios where a cyber breach triggers the activation of an incident response plan.
Asset managers and broker-dealers should not wait for a cyber breach to take the aforementioned steps.
Asset Management Intelligence - Q3 2016