September 2017 saw no respite from the relentless pace of cyber developments, not only from the perspective of rapidly evolving attacks, but also from the perspective of dynamic federal and state regulatory moves. In particular, on September 25, 2017, the Securities and Exchange Commission (SEC) announced a new enforcement initiative to address growing cyber-based threats and protect retail investors.1 The initiative established a Cyber Unit to target misconduct, a move that could place further pressure on broker-dealers and investment advisers already feeling the heat from an uptick in cyber-related exams and the relentless onslaught of cyber intrusion attempts. Separately, a day earlier, the North American Securities Administrators Association (NASAA) announced that state securities examiners had conducted over 1,200 coordinated examinations of state-registered investment advisers between January and June 2017, finding 698 cybersecurity-related deficiencies.2
Given the advancing threats and the increasing regulatory scrutiny, broker-dealers and investment advisers should consider acting with increased urgency to further prepare themselves, focusing in particular on having written cyber policies that are regularly updated to account for the latest threats. The severity and frequency of attacks are only growing, while regulators' tolerance for failing to take sufficient preventive steps is only diminishing. Against both attackers and regulators, the best offense truly is a good defense, and regulators are strongly indicating that it is not enough simply to have a defense: that defense must also evolve to keep pace with the rapidly evolving offense.
What the Cyber Unit Will Do
With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well.
The unit will function as part of the SEC’s Enforcement Division to target misconduct along six cyber-related priority areas:
- Market manipulation schemes involving false information spread through electronic and social media;
- Hacking to obtain material nonpublic information;
- Violations involving distributed ledger technology and initial coin offerings;
- Misconduct perpetrated using the dark web;
- Intrusions into retail brokerage accounts; and
- Cyber-related threats to trading platforms and other critical market infrastructure.
By examining each of these areas in depth, this Alert tries to discern the SEC’s key concerns and suggests issues that firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action.
Market Manipulation Schemes
With the spread and growing influence of “fake news” to manipulate political outcomes (and with further proof of intentional nation-state involvement in spreading such false stories),3 it is no surprise that the SEC is concerned about the use of targeted misinformation via social media to manipulate market outcomes.
The SEC will likely be on the lookout for companies hoping to turn an illicit profit by creating or spreading known misinformation via the internet. The SEC could bring fraud cases against those who disseminate false information to manipulate the market, and aiding-and-abetting cases against those who negligently spread the false information. In fact, the SEC has already started. In 2015, the SEC filed securities fraud charges against a Scottish trader whose false tweets caused sharp drops in the stock prices of two companies and triggered a trading halt in one of them.4
In light of the growing prevalence of intentionally fake stories, it may be prudent for firms to have proactive policies in place that not only explicitly prohibit the dissemination of knowingly false information, but that also require some form of verification before sharing certain market-related news with clients and prospective clients.
Hacking to Obtain Material Nonpublic Information
The SEC’s new enforcement unit will be on the lookout for hackers that infiltrate broker-dealers and investment advisers to trade on nonpublic information or try to manipulate the market, something from which even the SEC itself is not immune.5 Even where a firm is itself the victim of a cyberattack, the SEC may nonetheless bring what amount to “strict liability” enforcement actions against it if it had deficient proactive policies or procedures in place. While not a market manipulation case per se, in September 2015 the SEC brought an enforcement action against an investment adviser that had been breached, compromising the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients (although there was no evidence that any of the information was misused).6 The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt any written policies and procedures reasonably designed to protect that PII. The “Safeguards Rule,” Rule 30(a) of Regulation S-P, requires covered financial institutions to adopt written policies and procedures addressing administrative, technical, and physical safeguards for the protection of customer records and information.7 Similarly, in April 2016, the SEC brought an action against a dually registered broker-dealer/investment adviser after an employee impermissibly accessed and transferred data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.8 The SEC alleged that the firm failed to adopt written policies and procedures reasonably designed to ensure the security of customer records and information.
Accordingly, to try to avoid future enforcement actions, broker-dealers and investment advisers may want to focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest attacker tactics and techniques. Cyber is a dynamic, if not volatile, environment: the best laid plans of last year may not mean much this year.
Violations Involving Distributed Ledger Technology and Initial Coin Offerings
The SEC is signaling that it will not allow distributed ledger technology (DLT) or cryptocurrency to be used in a way that evades regulations, results in market manipulation, or perpetrates frauds on investors. Unlike China, which in September 2017 banned initial coin offerings and ordered domestic cryptocurrency exchanges to shut down, a move that has fostered a black market in cryptocurrency trading,9 the SEC is indicating more of a desire to focus on regulating it.
On September 29, for example, the SEC brought its first enforcement action involving Initial Coin Offerings (ICOs), charging the promoter of two ICOs with “defrauding investors” by selling “unregistered securities” purportedly backed by investments in real estate and diamonds.10
At this juncture, however, it remains unclear which ICOs the SEC will treat as offerings of securities that must be registered, and under what circumstances.
Misconduct Perpetrated Using the Dark Web
As part of its effort to keep up with the rapidly evolving techniques used for insider trading and market manipulation, the SEC is now putting potential bad actors on notice that it will be shining a light on the so-called dark web, where bad actors have traditionally gone to anonymously buy and sell improperly obtained information and tools for conducting nefarious cyber activity. Therefore, if firms are not periodically monitoring the dark web, either themselves or through third parties, for stolen firm or client information (such as credentials, account data, or internal documents) that could affect their business or clients, it is possible that the SEC may focus on that failure.
Intrusions Into Retail Brokerage Accounts
The SEC is also calling out the practice of hacking retail brokerage accounts to manipulate markets. By placing unauthorized trades from compromised accounts, the hacker can try to inflate the prices of holdings that he or she possesses, or depress prices to facilitate profitable short selling. In 2016, the SEC charged a man from the UK with breaking into numerous accounts and placing unauthorized trades, then profiting within minutes by trading the same stocks in his own account.11 While the broker-dealer was not charged in that case, it is possible that in future cases the SEC could charge the firm for allowing the intrusion to take place.
In another case, a dually registered broker-dealer/investment adviser had experienced a series of computer system security breaches in which an unauthorized person or persons accessed and traded, or attempted to trade, in customer accounts.12 The SEC alleged that the firm had failed to implement increased security measures and to adopt policies and procedures reasonably designed to safeguard customer information, as required by Regulation S-P. Thus, broker-dealers and investment advisers may want to consider assessing the scope and location of the customer data they hold, adopting procedures to prevent intrusions (for example, monitoring for anomalous logins and trading patterns in customer accounts), and preparing to respond to an intrusion if one takes place.
Cyber-Related Threats to Trading Platforms and Critical Market Infrastructure
The SEC is warning that hackers exploit blind spots and nodes where they can have outsized effects, so entities such as trading platforms that may think they face a low risk of attack should consider taking appropriate precautions. For example, instead of bringing down one website, hackers in 2016 launched a distributed denial-of-service (DDoS) attack through simple internet-connected consumer devices to attack internet infrastructure itself.13 The attackers took control of Internet of Things (IoT) devices with weak default credentials and other lax security, and used these devices to flood an internet infrastructure company’s servers with bogus traffic. The attack successfully brought the company to its knees and took down several websites belonging to some of the internet’s largest household names for the better part of a day.
Accordingly, the SEC is sounding the alarm that trading platforms and stock exchanges are vulnerable to attacks of this nature and should, therefore, consider taking proactive, risk-based steps to prevent system-wide failures due to cyberattacks. The SEC could possibly bring cases against firms with trading platforms, or even stock exchanges, if they have inadequate cybersecurity systems, policies, and procedures.
Like the SEC, the states are also focused on what proactive steps should be taken, and they are finding that a number of state-registered investment advisers have not taken those steps. On September 24, 2017, NASAA issued a report based on over 1,200 examinations of such firms. NASAA noted that state securities regulators found 698 deficiencies that involved cybersecurity. The top five deficiencies were: inadequate or no cybersecurity insurance; no testing of cybersecurity vulnerabilities; a lack of procedures regarding securing and/or limiting access to devices; no technology specialist or consultant on staff; and a lack of policies and procedures regarding hardware and software updates or upgrades.
NASAA used the data to generate a list of cybersecurity best practices for investment advisers. NASAA encouraged investment advisers to: prepare and maintain records, including by backing them up; maintain client information securely; revise Form ADV and disclosure brochures as needed; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.
NASAA found policies and procedures to be adequate when they, for example, require and enforce frequent password changes, locking of devices, reporting of lost devices, and specific roles and responsibilities for people to assess these requirements on a frequent basis. (Firms should note, however, that current NIST guidance in SP 800-63B no longer recommends forced periodic password changes absent evidence of compromise, favoring long passphrases, screening against known-breached passwords, and multi-factor authentication instead.) To minimize the harm from data breaches and ransomware, firms may want to consider routinely backing up devices and storing the underlying data in a separate, remote location. Firms may also want to consider regularly testing backup and restore procedures to ensure their suitability, since an untested backup cannot be relied upon. Similarly, firms may want to consider whether email communications should be sent securely, especially where they involve identifiable information regarding a client. Firms also may want to review training of their employees and registered persons to try to ensure that each person understands her role and responsibility.
As the virulence and prevalence of cyberattacks increase, regulators at both the federal and state levels are looking to enforce sound cyber hygiene on the front end, and they are increasingly requiring that proactive plans and policies be updated regularly to account for the rapidly evolving threats. The SEC’s creation of the Cyber Unit coupled with an uptick in exams and the relentless onslaught of cyber intrusion attempts should put broker-dealers and investment advisers on notice that what they do and do not do before any breach is what matters most. Accordingly, firms and funds should remain proactive and place continued emphasis on maintaining—and regularly updating—their cybersecurity readiness. Attackers are evolving, and so too must the defenders.