In August 2017, the SEC's Office of Compliance Inspections and Examinations (OCIE) issued a cybersecurity risk alert directed at the firms it regulates. As a follow-on to the SEC's 2014 Cybersecurity Initiative, seventy-five firms, including broker-dealers, investment advisers, and funds, were examined between September 2015 and June 2016 in order to assess their cybersecurity preparedness.
The assessment focused on six areas: (1) governance and risk assessment, i.e., company policies and procedures; (2) access rights and controls; (3) data loss prevention; (4) vendor and third-party management; (5) training; and (6) incident response. The results were striking.
While most firms had cybersecurity-specific policies and incident response plans, many did not actually enforce those policies, procedures, and practices. For example, most firms had policies requiring an annual review of their security program and ongoing supplemental reviews of security protocols. Many firms, however, performed such a review once and never repeated it on the annual or routine schedule their own governance documents required.
Similarly, most firms had policies requiring employee cybersecurity training; yet many employees never completed the mandatory training even once, much less completed the ongoing training the policy called for. This reflects a fundamental problem with how cybersecurity is viewed: it is not a one-time box to be checked. It is akin to having a policy of counting the money in the till every day at closing but doing it only once (and telling your employees in advance which day you will count). If data were treated like cash in the drawer, robust cybersecurity prevention and response policies might actually be carried out.
Diligent cybersecurity prevention requires ongoing review and training. In many jurisdictions, the standard for liability after a breach or a security-related loss is whether the business implemented "reasonable data security practices" or used "best efforts." See, e.g., FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015) (requiring "reasonable and appropriate data security" for consumer data); Patco Constr. Co. v. People's United Bank, 684 F.3d 197 (1st Cir. 2012) (requiring "commercially reasonable" security procedures). Measured against that standard, most of the firms examined in the SEC's cybersecurity initiative likely would have failed.