On September 22, 2015, the Securities and Exchange Commission (“SEC”) announced that R. T. Jones Capital Equities Management, an investment adviser, agreed to settle charges that it failed to establish required cybersecurity policies and procedures before its web server was attacked by a hacker (traced to China). The breach resulted in the compromise of personally identifiable information (“PII”) of 100,000 persons, including thousands of the firm’s clients.
The adviser was alleged to have violated the “safeguards rule,” which requires investment advisers to adopt written policies and procedures designed to protect customer information. Here, the adviser stored sensitive PII on a server hosted by a third party, and the adviser failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on the server, and maintain a response plan in case of cyberattacks.
After the attack, the adviser notified each individual whose PII was compromised and offered free identity theft monitoring. Although the adviser received no reports of a client suffering financial harm from the breach, the SEC faulted the adviser for failing to adopt written policies and to have clear procedures in place before a breach occurs as required by the safeguards rule. The Co-Chief of the SEC’s Enforcement Division stated “[I]t is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.”
The SEC’s focus on cybersecurity is reflected in the results of a Cybersecurity Examination Sweep Survey by its Office of Compliance Inspections and Examinations (“OCIE”). This survey was designed to inform the SEC’s Staff about the level of preparedness of the broker-dealers and investment advisers that were examined. Among other things, the OCIE survey showed that:
- A significant majority of the broker-dealers and advisers have adopted written information security policies and conduct periodic risk assessments to identify cybersecurity vulnerabilities.
- Most of the examined firms have been the subject of a cyber-related incident, and about a quarter had sustained losses caused by employees not following authentication procedures for fraudulent emails seeking to transfer funds.
- The firms’ cybersecurity risk policies for their vendors varied in implementation. While most incorporate some form of requirements in their vendor contracts, a much smaller number provide training for vendors and business partners authorized to access their networks.
- Just over a majority of broker-dealers, and only a small number of advisers, have insurance for cybersecurity incidents.
We anticipate that the SEC’s interest in the management of cybersecurity risk will increase among firms in the business of holding and managing clients’ information, such as broker-dealers and investment advisers, and will also spread laterally to other entities whose activities are covered by SEC regulation:
- Cybersecurity threats — whether from nation-state actors, criminal organizations or competitive businesses — are not likely to abate in the future. In order to maintain competitive advantage as a good business partner as well as to avoid or mitigate potential liability, it will become increasingly important for companies to demonstrate that they have sound and constantly updated policies in place. As the R. T. Jones enforcement action demonstrates, whether a firm has and follows a reasonable cybersecurity policy can matter as much as the consequences of an actual data breach.
- The data elicited from the OCIE survey indicates that, for the industry segment covered, practices are moving toward a number of common elements. This reflects an emerging “standard of care” that will inform regulatory expectations and trends in private litigation for information security breaches.
- Cybersecurity policies should cover security practices, asset management and data flow. They should be designed to identify the business’ systems and needs, develop and implement safeguards, detect security threats and events, respond to events with an action plan, and restore normal operations after an incident.
- The standard of care will constantly evolve as the threats become more sophisticated. In the future, cybersecurity is likely to become predictive based on hacker behavior, rather than reactive by adjusting to past threats.
- Covered firms should explore insurance options for covering cybersecurity risks.
- While the OCIE survey was confined to covered broker-dealers, the SEC appears to be directing increased attention to public companies in certain industries that have been targeted by hackers seeking material non-public information on which to trade. While regulatory action specifically directed to cybersecurity risks for public companies in general does not appear imminent, a public company that generates material non-public news and has cybersecurity vulnerabilities may be exposed to investigations for insider trading. If those vulnerabilities compromise the company’s financial reporting functions, there may also be exposure to claims of inadequate financial controls, deficient disclosure in management’s discussion and analysis, and scrutiny of the adequacy of financial reserves for contingencies.