Why it matters
Signaling that it will continue to increase its scrutiny of firms' cybersecurity readiness, the Office of Compliance, Inspections and Examinations of the Securities and Exchange Commission (SEC) issued a Risk Alert emphasizing that upcoming examinations of registered broker-deals and investment advisers will include review and testing of firms' data security controls. The Risk Alert lists key areas that examiners will review and includes a sample document request list.
Separately, just a few days later, the SEC confirmed its focus on cybersecurity by announcing a settlement with a St. Louis-based investment adviser who it charged with failing to establish appropriate cybersecurity policies and procedures.
The message to covered entities is loud and clear: Broker-dealers and investment advisers must have appropriate practices, policies, and procedures in place with respect to cybersecurity. Other firms subject to SEC scrutiny, such as public reporting companies, should also note the agency's increasing attention to data security issues preparedness.
Cybersecurity continues to be a major focus for the Securities and Exchange Commission (SEC). The SEC sponsored a roundtable emphasizing the importance of cybersecurity last year, which was followed by a Risk Alert announcing a series of examinations aimed at identifying cybersecurity risks and assessing preparedness in the securities industry.
The SEC shared key findings from those exams in a report published earlier this year. The SEC also announced that cybersecurity compliance and controls would be part of its 2015 Examination Priorities.
Building on this momentum, on September 15, 2015, the agency's Office of Compliance, Inspections and Examinations issued a new Risk Alert providing guidance for its next round of cybersecurity examinations. The examination initiative will focus on broker-dealers' and investment advisors' readiness to protect client data. The exam will focus on six key areas:
- Governance and Risk Assessment. Are firms periodically evaluating cybersecurity risks and are their controls and risk assessment processes tailored to their business? In addition to asking these questions, examiners will review the level of communication to, and involvement of, senior management and boards of directors.
- Access Rights and Controls. Failure to address even basic controls—such as neglecting to update access rights after a personnel or system change, for example—presents the risk of a data breach. Firms should be prepared to explain how they control access to various systems or data with the use of user credentials, authentication, and authorization methods, as well as the controls associated with other means of access, such as customer logins, passwords, network segmentation, and remote access.
- Data Loss Prevention. SEC examiners will assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, whether via e-mail attachments or uploads. The exam will review how firms monitor for the potential of unauthorized transfers and verify the authenticity of a customer request to transfer funds.
- Vendor Management. "Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms," the SEC noted. As a result, examiners may consider the firm's practices and controls related to vendors (due diligence with regard to selection, monitoring and oversight, and contract terms) and how vendor relationships fit into the firm's ongoing risk assessment.
- Training. To avoid a data breach resulting from unintentional employee actions (lost laptops or opening an attachment from an unknown source, for example), the training of employees and vendors "can be the firm's first line of defense," the SEC said. The agency will evaluate how training is tailored to specific job functions and if response to cyber incidents is integrated into regular training.
- Incident Response. Finally, the second round of cybersecurity exams will assess "whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events," including a determination of which firm data, assets, and services require the most protection to help minimize the harm caused by an attack, the SEC said.
The Risk Alert noted that examiners may review additional areas based on risks identified in the course of their examinations.
To help firms prepare, the Risk Alert includes an appendix with a sample information and documents request list, which includes such things as board minutes and briefing materials, policies related to data mapping and data classification, vendor contracts, written training guidance or materials, and any information about cybersecurity insurance coverage, including claims filed related to cyber events.
A week after issuing the Risk Alert, the SEC announced the settlement of an enforcement action against an investment adviser that arose out of a security breach. The SEC found that St. Louis-based R.T. Jones Capital Equities Management violated the SEC's "safeguards rule" by failing to adopt any written policies and procedures to ensure the security and confidentiality of clients' personally identifiable information. According to the SEC, the firm failed to conduct periodic risk assessments, use a firewall to protect its web server, encrypt client information or establish procedures for responding to a cybersecurity incident.
A breach of the firm's third-party-hosted web server in 2013 compromised the personally identifiable information of approximately 100,000 individuals, including clients and potential clients, the SEC charged. A forensic firm retained by R.T. Jones traced the breach to mainland China. While the intruder is believed to have gained full data on the firm's server, the intruder destroyed the log files for the period of the intrusion so the extent of the intruder's activities is unknown. R.T. Jones has received no indication that any client has suffered financial harm as a result of the cyber attack.
In an order, the SEC found that R.T. Jones violated Rule 30(a) of the agency's Regulation S-P. Although the firm neither admitted nor denied the SEC's findings, it agreed to pay a $75,000 penalty and to cease and desist from future violations as well as an SEC censure.
"As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients," Marshall S. Sprung, Co-Chief of the SEC Enforcement Division's Asset Management Unit, said in a statement. "Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs."
To read the SEC's Risk Alert, click here.
To read the order in In the Matter of R.T. Jones Capital Equities Management, click here.