SEC Announces Second Round of Cybersecurity Examinations for Broker-Dealers and Investment Advisers and Steps Up Cybersecurity Enforcement
On September 15, the Securities and Exchange Commission announced that it will continue its second round of cybersecurity examinations to test registered broker-dealers’ and investment advisers’ “cybersecurity preparedness” as a part of its Cybersecurity Examination Initiative (Initiative). Demonstrating its intention to take steps to protect customer records and information under the control of broker-dealers and investment advisers, on September 22, 2015, in what might be a first-of-its-kind enforcement action, the SEC settled charges with an investment adviser that allegedly failed to protect its clients’ data properly.
There is little reason to believe that the SEC will not continue to bring charges against broker-dealers and investment advisers it believes are not reasonably protecting customer information. Broker-dealers and investment advisers should carefully review their current cybersecurity and data protection practices, policies and procedures to prepare for the SEC’s upcoming round of examinations and even more importantly, to comply with the evolving landscape of cybersecurity and data protection laws.
The SEC signaled its intention to focus on cybersecurity when it sponsored a Cybersecurity Roundtable in March 2014 to discuss the importance of cybersecurity to the integrity of the global market system and customer data protection.
Just a month later, in April 2014, the Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert announcing upcoming examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry, and included a sample list of requests for information that the OCIE might use in conducting its first-round examinations of registered entities, available here.
The OCIE did not waste any time moving forward. It proceeded to examine 57 broker-dealers and 49 investment advisers and issued a summary of its findings in February, less than a year after the release of the Risk Alert. The summary of the findings is available here. In addition to reviewing documents, the staff held interviews with key personnel at each firm regarding: business and operations; detection and impact of cyber-attacks; preparedness for cyber-attacks; training and policies relevant to cybersecurity; and protocol for reporting cyber breaches. The OCIE noted that it will continue to focus on cybersecurity using risk-based examinations and announced the second round on September 15.
Areas of Focus for Second Round of Examinations
The Initiative is designed to build upon the OCIE’s previous examinations, and will focus on the following areas and inquiries (though examiners may select additional areas based on risks identified during the course of the examinations):
- Governance and Risk Assessment. Do firms have governance and risk assessment controls in the key areas of focus set out below, are those controls periodically evaluated, and are they appropriately tailored to the firm’s business? What is the level of communication to, and involvement of, senior management and boards of directors?
- Access Rights and Controls. How do firms control access to various systems and data via management of user credentials, authentication and authorization methods, including controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation and tiered access?
- Data Loss Prevention. How do firms monitor the volume of content transferred outside the firm by its employees or through third parties, such as by email attachments or uploads? How do firms monitor for potentially unauthorized data transfers and verify the authenticity of a customer request to transfer funds?
- Vendor Management. What are the practices and controls related to vendor management, such as due diligence in vendor selection, monitoring and oversight of vendors, and contract terms? How are vendor relationships considered as part of the firm’s ongoing risk assessment process?
- Training. Is cybersecurity training tailored to specific job functions, and how is training designed to encourage responsible employee and vendor behavior? How are procedures for responding to cyber incidents under an incident response plan integrated into regular personnel and vendor training?
- Incident Report. Do firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future incidents? This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.
Included as an Appendix to the Risk Alert, available here, is a sample list of information that the OCIE may request in conducting its examinations, though the OCIE acknowledges examiners may alter requests based on each firm’s business model, systems and IT environment.
Enforcement Action Against Investment Adviser
In an action against R.T. Jones Capital Equity Management Inc. (R.T. Jones), the SEC charged that the investment adviser “failed to adopt written policies and procedures reasonably designed to protect customer records and information” in violation of Section 30(a) of Regulation S-P. R.T. Jones stored customers’ personally identifiable information (PII) on a third-party web server. Although the server was hacked, two cybersecurity firms were unable to determine whether the PII had been accessed or compromised, and there was no evidence that any individual had suffered financial harm as a result of the hack. Notably, despite those findings, the SEC determined that R.T. Jones’ policies and procedures “taken as a whole” did not reasonably protect customer records and information, in violation of Section 30(a). The SEC censured the firm and imposed a $75,000 sanction.
The OCIE’s announcement of a second round of examinations of registered broker-dealers and investment advisers, together with the charges against R.T. Jones, signals that it continues to assess, test and enforce the “cybersecurity preparedness” of the securities industry as a part of its Initiative.
Conclusion and Recommendations
The SEC has demonstrated that it is serious about cybersecurity and protecting customer information, and there is little reason to believe that it will not continue to bring charges against broker-dealers and investment advisers it feels are not reasonably protecting customer information. Clients should carefully review their current cybersecurity and data protection practices, policies and procedures to prepare for the SEC’s upcoming round of examinations and, even more importantly, to comply with the evolving landscape of cybersecurity and data protection laws.
Navigating the legal framework related to cybersecurity is difficult and involves an understanding of many different sets of laws in addition to Section 30 of Regulation S-P, including FINRA rules, and state, federal and international data protection laws.