On February 3, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert that summarizes the OCIE’s observations from its recent examinations of registered broker-dealers and investment advisers. The observations were conducted under the OCIE Cybersecurity Examination Initiative, which was announced on April 15, 2014. In 2014, the OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory and compliance issues associated with cybersecurity. The OCIE staff reviewed documents and conducted interviews with key personnel regarding each firm’s business and operations, detection and impact of cyber attacks, preparedness for cyber attacks, training and policies relevant to cybersecurity and protocols for reporting cyber breaches.
The examination’s findings were as follows:
- Written Plans; Limited Client Protection: The majority of broker dealers and advisers have written plans that address how to mitigate the effects of cyber attacks or intrusions and how to recover from them. Most of these plans rely on external sources, such as the National Institute for Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity and the International Standards Organization. However, only a small minority of the written plans reviewed contain any provisions addressing how to determine whether the adviser or the broker-dealer is responsible for client losses associated with cyber incidents or which security guarantees may be provided to clients to protect them against cyber-related losses.
- Risk Assessments: The majority of examined firms conduct periodic risk assessments, on a firmwide basis, to identify cybersecurity threats, vulnerabilities and potential business consequences.
- Third-Party Engagements: Many advisers do not incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners. Furthermore, many firms do not require cybersecurity risk assessments of vendors with access to their networks, nor do they maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks.
- Cyber-Related Incidents Not Reported to Regulators: Most of the examined firms reported that they have been the subject of a cyber-related incident, whether caused by fraudulent emails seeking to transfer client funds or malware. In more than 25% of these cases, losses incurred from the fraudulent email attacks were caused by employees who did not follow a firm’s identity authentication procedures. Most of these incidents were not reported to regulators or law enforcement but were, however, reported to the Financial Crimes Enforcement Network (FinCEN) by filing a Suspicious Activity Report.
- Information Sharing: Many examined firms identify best practices through information-sharing networks, including the Financial Services Information Sharing and Analysis Center (FS-ISAC).
- Encryption: Almost all the examined broker-dealers and advisers make use of encryption in some form.
- Technology Mapping: The vast majority of examined firms report conducting firmwide inventorying, cataloguing or mapping of their technology resources, including physical devices and systems, software platforms and applications, network resources, connections, data flows, connections to firm networks from external sources, hardware, data and software and logging capabilities and practices.
- Information for Customers: Many examined firms, especially those with retail customers that offer online access, provide their clients with suggestions for protecting their sensitive information, including certain steps that can be taken to reduce cybersecurity risks when conducting business with the firm. The information may be directly addressed to clients on an adviser’s website or in periodic email or postal distributions (e.g., newsletters or bulletins).
- Information Security Officers: Approximately two-thirds of the broker-dealers examined, and fewer than one-third of the advisers examined, have an individual who is explicitly assigned as the firm’s chief information security officer (CISO). The advisers often direct their chief technology officers to take on the responsibilities typically performed by a CISO or they assign another senior officer (e.g., the chief compliance officer, the chief executive officer or the chief operating officer) to liaise with a third-party consultant who is responsible for cybersecurity oversight.
- Cybersecurity Insurance: More than half of the broker-dealers maintain insurance for cybersecurity incidents, and a small number of the advisers maintain insurance that covers losses and expenses attributable to cybersecurity incidents.
The OCIE’s findings were set forth in the form of a Risk Alert, the purpose of which is (1) to highlight for broker-dealers and advisers risks and issues that the staff has identified in the course of its examinations and (2) to describe factors that firms may consider to assess their supervisory, compliance and/or other risk management systems related to cybersecurity risks and to make any changes, as appropriate, in order to address or strengthen such systems. Although the OCIE clearly stated that the factors noted are not exhaustive, and will not constitute a safe harbor, it is clear that addressing all of these factors will put firms in a better position when facing a future OCIE examination with respect to cybersecurity. This is further reinforced by the fact that the Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity Practices, which sets forth parallel points with respect to the areas that could be improved.
It is likely that future examinations will focus on the areas that the OCIE Risk Alert flagged as lacking. Broker-dealers and advisers should focus, assess and improve, where necessary, their preparedness with respect to the following key issues:
- Third-Party Provider Management: Third-party vendors are often the weakest links in the cybersecurity chain and, thus, are most often manipulated by hackers. As is now well known, the Target data breach in December 2013 was the result of vulnerabilities originating with Target’s HVAC provider. If there is any vulnerability in a third-party provider who has access to a broker-dealer’s system or an adviser’s system, any measures taken by the broker-dealer or the adviser to protect their own system will be rendered meaningless, as they would still be held liable for such vulnerability. Third-party providers must be closely researched and assessed before they are selected. Contractual engagements with them must be carefully drafted to include sufficient protective provisions; and periodic audits should be taken in order to ensure that contractual provisions are followed. Guidance on this topic has been provided by various financial regulators1 and can serve as a starting point for discussions with legal counsel.
- Cyber Incident Reporting: A significant part of the information collected and maintained by broker-dealers and advisers is “personally identifiable” information. As such, it is subject to a “patchwork quilt” of laws in 47 states with respect to reporting a data breach. Firms should seek legal counsel to assess which laws in which jurisdictions apply to the data they collect and process and to formulate a clear written plan for responding to and reporting breach incidents, not only to FinCEN and law enforcement, but also to regulators, to the individuals whose data may have been compromised and to anyone else to whom they may be required to report by law or under their cybersecurity insurance policies.
- Cybersecurity Insurance: Increasingly, insurance providers are shying away from providing coverage for cyber incidents under general liability insurance policies. Broker-dealers and advisers should acquire policies that are tailored to their size and their needs to ensure that they are covered when an incident occurs.