In September 2015, the Securities and Exchange Commission took two separate but significant actions related to cybersecurity in the securities industry. Because they occurred so close together, the actions had some people wondering whether they were linked, suggesting an imminent increase in enforcement actions by the agency. Both actions are important, not only to securities firms in particular, but to anyone interested in understanding the agency’s viewpoint when it comes to cybersecurity. But, when viewed in context, the SEC’s recent actions do not appear to signal any meaningful shift in agency behavior. Notwithstanding, they should serve as a reminder to everyone regulated by the SEC of the necessity of acting with care when it comes to data security.
It should come as no surprise that attention to cybersecurity at the SEC generally and, specifically, in its Office of Compliance Inspections and Examinations has picked up lately. Last year, for example, OCIE undertook cybersecurity examinations at more than 50 registered broker-dealers and registered investment advisers. Then, on September 15 this year, OCIE issued its 2015 Cybersecurity Examination Initiative. The document’s Appendix is “a resource for registered entities” that lists categories of information OCIE “may review in conducting examinations of registered entities regarding cybersecurity matters.” Or, put another way, the SEC and OCIE are saying: “here are some things you should be doing, because if our agency needs to look over your shoulder and finds that you weren’t doing them, things will likely be worse for you.”
The Appendix includes six categories: Governance and Risk Assessment; Access Rights and Controls; Data Loss Prevention; Vendor Management; Training; and Incident Response. Every category is important. But to highlight just a few, the agency indicates it wants to see board meetings and briefing materials regarding response planning for cybersecurity incidents. It notes the agency’s interest in “[i]nformation regarding the firm’s process for conducting tests or exercises of its incident response plan, including the frequency of, and reports from, such testing.” It also notes that the agency wants to know whether a firm had cybersecurity insurance coverage, and if so, the details of the coverage. And the agency is interested in “[i]nformation regarding the firm’s Chief Information Security Officer (or equivalent position), and other employees responsible for cybersecurity matters.” Although they do not appear to impose any unexpected or extraordinary burden, the 2015 Cybersecurity Examination Initiative and its Appendix are documents that demand attention.
Exactly one week after issuing its Cybersecurity Examination Initiative, the SEC took action against R.T. Jones Capital Equities Management, Inc. The SEC acted based on R.T. Jones’s failure “to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by [17 C.F.R. § 248.30(a)].” For some perspective on this action by the SEC in September 2015, it’s important to go back to June 2000.
Google hadn’t yet had its initial public offering. Facebook was years away from its launch. But the SEC was already thinking about cybersecurity and protecting personally identifiable information. On June 29, 2000, the SEC issued a final rule on the privacy of consumer financial information, and it added a Safeguards Rule to the Code of Federal Regulations. It read:
Every broker, dealer, and investment company, and every investment adviser registered with the Commission must adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. These policies and procedures must be reasonably designed to: (a) Insure the security and confidentiality of customer records and information;
(b) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(c) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The rule was updated, effective January 2005, with one significant change: no longer did the rule require the adoption merely of “policies and procedures,” but rather “written policies and procedures.”
According to the SEC, from at least September 2009 through July 2013, R.T. Jones stored PII—names, DOBs, and social security numbers—on its third party-hosted web server without adopting written policies and procedures regarding security or confidentiality. In July 2013 the firm’s web server was breached by Chinese attackers who gained full access to the data stored on the server. Although R.T. Jones did a lot of things right after the breach, such as appointing an information security manager and adopting and implementing a written information security policy, and no one presented any information that any client of R.T. Jones suffered any financial harm as a result of the cyber attack, the SEC nonetheless fined the company $75,000.
In its action against R.T. Jones, the SEC explicitly noted four deficiencies with the company’s policies and procedures: the company’s failure to (1) conduct periodic risk assessments; (2) employ a firewall to protect the web server containing client PII; (3) encrypt client PII stored on that server; and (4) establish procedures for responding to a cybersecurity incident. Going forward, it seems unlikely that a firm can be found to have reasonable policies and procedures to safeguard PII if it does not adhere to at least these four pillars.
Some have taken the temporal proximity of the issuance of the 2015 Cybersecurity Examination Initiative and the action against R.T. Jones to suggest the imminence of some sort of SEC-on-steroids regarding cybersecurity enforcement. That seems like a stretch. The agency is not looking to push anyone into radical behavior. It’s merely seeking prudence. Taking action for a firm’s failure to have a written policy, as was required ten years ago, does not portend any significant change. But firms need to know the rules—all of them—and implement the necessary policies and procedures now. The agency is watching firms carefully, and if it is going after relatively small violations with no clear harm, it is likely signaling that it is ready to go after all violations.