September has been a busy month for the SEC in addressing cybersecurity. In the span of a week, the SEC issued a new alert in connection with its cybersecurity examination of Wall Street firms, entered a Cease and Desist Order against a firm for failing to adopt written policies or procedures to protect customer information, and issued an Investor Alert that highlights actions individuals should take if their personal information is compromised.
Cybersecurity Examination Initiative
On September 15, 2015, the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) issued an Alert in connection with the OCIE’s Cybersecurity Examination Initiative to assess cybersecurity preparedness in the securities industry, including firms’ ability to protect broker-dealer and investment adviser customer information. This Alert precedes the OCIE’s second round of cybersecurity investigations and provides additional information on the areas examiners will focus on:
- Cybersecurity Governance and Risk Assessment processes in place, including the involvement of senior management and boards of directors in assessing controls and risk assessment procedures
- Access Rights and Controls designed to prevent unauthorized access to systems or information, such as multifactor authentication, user credentials, authentication and authorization methods
- Data Loss Prevention including the transfer of information outside the firm to third parties, how firms monitor potentially unauthorized data transfers and verification of customer requests to transfer funds
- Vendor Management and due diligence including selection, monitoring and oversight of third-party vendors, which has become increasingly important in the wake of recent hackings of third-party vendor platforms
- Employee and Vendor Training to create awareness of and responsiveness to potential data breaches
- Incident Response Plan in the event of a cybersecurity attack or data breach.
While the OCIE’s initiative is focused on the securities industry, the guidance is relevant and beneficial to any entities that obtain, store, process and/or transfer data.
SEC Enforces Cybersecurity Compliance
On September 22, 2015, the SEC issued a Cease and Desist Order against R.T. Jones Capital Equities Management, Inc. (RT Jones), a registered investment adviser, in connection with a potential cybersecurity breach.
RT Jones stored customer personally identifiable information (PII), including social security numbers, on a third-party hosted web server. In July 2013, the firm’s web server was attacked by an unauthorized, unknown intruder that gained access rights to the data on the server, including the PII of as many as 100,000 individuals. RT Jones retained a cybersecurity consulting firm that traced the hacker attack to China. RT Jones also notified each of the persons whose PII may have been compromised. To date, RT Jones is not aware of any indication that a client has suffered any financial harm as a result of the attack.
Notwithstanding the lack of financial harm, the SEC determined that RT Jones had willfully violated Rule 30(a) of Regulation S-P (17 C.F.R. §248.30(a)), the “Safeguards Rule” that applies to all registered investment advisers and broker-dealers. As explained in the SEC Order, the Safeguards Rule requires that registered investment advisers and broker-dealers adopt written policies and procedures reasonably designed to (1) ensure the security and confidentiality of customer records and information, (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information, and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The SEC noted that RT Jones failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII, in violation of the Safeguards Rule. The SEC also observed that RT Jones’s policies and procedures for protecting client information were deficient insofar as the firm did not adopt the following cybersecurity measures:
- Conduct periodic risk assessments
- Employ a firewall to protect the web server containing the PII
- Encrypt client PII
- Establish procedures for responding to a cybersecurity incident.
The SEC imposed a $75,000 civil money penalty on the firm for violating the rule.
SEC Investor Alert: Identity Theft, Data Breaches
Also on September 22, 2015, the SEC issued an Investor Alert titled “Identity Theft, Data Breaches and Your Investment Account.” The SEC alert highlighted various steps investors can take if they suspect or know they have been the victim of a data breach or identity theft, including the following:
- Contact your investment firm and other financial institutions immediately. This may include banks, credit card companies or insurance companies. The SEC also cautioned investors to “document any conversations” with these institutions in writing.
- Change your online account passwords. Investors are encouraged to promptly change their passwords for any accounts that have been compromised. The SEC recommends that individuals use “strong passwords” (i.e., consisting of at least eight characters, including symbols, numbers, and both upper- and lowercase letters).
- Consider closing compromised accounts.
- Activate two-step verification if available. Under this procedure, any attempt to log on to an account through an unrecognized device should prompt the firm to send a unique code to the individual’s email or cell phone that must be entered to gain access to the account.
- Monitor your investment accounts for suspicious account activity and immediately report it to the investment firm.
- Place a fraud alert on your credit file by contacting any one of the three credit bureaus (Experian, TransUnion or Equifax).
- Monitor your credit reports.
- Consider creating an Identity Theft Report by (1) completing the Federal Trade Commission’s (FTC’s) online complaint form or obtaining an FTC Identity Theft Affidavit form; (2) contacting the local police department about the identity theft and providing the police with a copy of the FTC Identity Theft Affidavit; and (3) making sure the Affidavit is attached to the police report.
Given the numerous high-profile data breaches that have impacted public companies, banks and other entities in the past few years, it is not altogether surprising that the SEC has taken a greater interest in protecting investors’ and customers’ personal information. As one of the premier financial regulators in the nation, the SEC’s words of wisdom and caution should not be taken lightly. Companies within and outside the financial and securities industries should take heed and be proactive in assessing their cybersecurity risks and designing and implementing appropriate cyber risk mitigation policies and procedures – ideally, before an incident occurs. Companies that fail to do so might risk the wrath of the SEC or any of a number of other regulators that have been at the forefront of protecting individuals’ data security and privacy rights.