Last week, in a press release innocuously headlined “SEC Chairman Clayton Issues Statement on Cybersecurity,” the Securities and Exchange Commission disclosed that, last month, it discovered that its Electronic Data Gathering, Analysis and Retrieval system (EDGAR) was hacked during 2016, and that persons may have profited from trading on unauthorized information obtained through such intrusion.
(EDGAR is used by the SEC to collect submissions by companies and foreign governments required to periodically file certain information with it.)
The SEC noted, however, that it does not believe that the hacking resulted in the compromise of personally identifiable information. The SEC said that the hacking occurred through the test-filing component of the EDGAR system and was patched “promptly after discovery.”
Just last month, the SEC’s Office of Compliance Inspections and Examinations issued a report saying that while firms have “increased cybersecurity preparedness” since 2014, broker-dealers’, investment advisers’ and investment companies’ cybersecurity policies and procedures are not uniformly tailored to their business because they are too vague or general and are not always followed or enforced.
Moreover, the SEC has brought two enforcement actions against registrants for failing to comply with Regulation S-P over the past two years. Under this regulation, registered broker-dealers, investment advisers and investment companies must adopt written policies to help protect customer records and information. The rule addresses administrative, technical and physical safeguards regarding such information. (Click here for further information on the OCIE’s recent report and the SEC’s enforcement actions in the article “SEC Watchdog Finds Cybersecurity Policies Better But Not Always Enforced” in the August 13, 2017 edition of Bridging the Week.)
My View: In June 2016, the SEC’s Office of the Inspector General issued a report criticizing the agency’s handling of information security. Among other things, the OIG said that the SEC’s Office of Information Technology did not “effectively” monitor the risks of system authorizations. (Click here for further information in the article “SEC Inspector General Criticizes Agency’s Sensitive Information Security” in the June 19, 2016 edition of Bridging the Week.) Two months later, the SEC’s Inspector General announced that it issued a report to Congress related to the security of confidential personally identifiable information collected and retained by the Commission. However, because “this report contain[ed] sensitive information about the SEC’s security program,” the Inspector General declined to publicly release the report or even a high-level summary. This seemed odd at the time; it seems even odder under current circumstances. Perhaps at least some sanitized version of this report should be issued now. (Click here for background in the article “Don’t Ask, Don’t Tell: SEC Issues Secret Report on Its Cybersecurity” in the August 21, 2016 edition of Bridging the Week.) This is particularly important as the SEC continues to oversee the development of a single consolidated audit trail (known as “CAT”) to track all equities and options trading on US markets. The temptation to hack such a centralized and rich database might be very high for nefarious persons and, as a result, protections and governance around CAT must be exceptionally strong. (Click here for background in the article “SEC Seeks Views on Whether Proposal for Single Consolidated Audit Trail of All Equity and Equity Options Trading Is CAT’s Meow” in the May 1, 2016 edition of Bridging the Week.)
Compliance Weeds: Unfortunately, as I have frequently written previously, there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. (I will now add government agencies to my frequent statement.) By this time, all financial service firms and government agencies—no matter what size—should have assessed or be in the process of assessing or reassessing the scope of their data (e.g., customer information, proprietary), potential cybersecurity risk, protective measures in place (including ongoing testing), consequences of a breach and cybersecurity governance (e.g., how would they react if a breach occurred) in order to evaluate their cybersecurity needs and develop a robust protective program. (Click here for a dated but still useful discussion of cybersecurity and a comprehensive checklist of practical measures in the June 24, 2015 Advisory entitled “Cyber-Attacks: Threats, Regulatory Reaction and Practical Proactive Measures to Help Avoid Risks” by Katten Muchin Rosenman LLP.)