SECURITIES AND EXCHANGE COMMISSION – CYBERSECURITY UPDATE
On September 15, 2015, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) provided additional guidance regarding its Cybersecurity Examination Initiative (the “Initiative”) in the form of a second Risk Alert focusing on cybersecurity.
As you may recall, OCIE issued its initial cybersecurity Risk Alert on April 15, 2014, putting the industry on notice that cybersecurity and protection of customer data would be an area of concern during SEC examinations. OCIE conducted a study of cybersecurity preparedness among its regulated entities that was published on February 3, 2015. The SEC then issued an Investment Management Guidance Update on cybersecurity in April 2015. The SEC staff has indicated, in various statements, that additional guidance would be forthcoming and that enforcement actions should be expected.
SECOND CYBERSECURITY RISK ALERT AND EXAMINATION FOCUS
The SEC’s 2015 Exam Priorities publication identified cybersecurity as an area of focus. The Initiative provides additional information on where OCIE will focus its efforts and the type of testing to be conducted in the second round of cybersecurity examinations.
OCIE’s new Initiative will focus on six principal areas within a firm: (i) governance and risk assessment; (ii) access rights and controls; (iii) data loss prevention; (iv) vendor management; (v) training; and (vi) incident response. The Initiative release includes an appendix that provides a sample request for documentation or evidence to satisfy the SEC’s review of each focus area. Below is a summary of what the SEC will look for in each focus area.
Governance and Risk Assessment
When examining a firm’s governance and risk assessment compliance, the SEC will review current cybersecurity policies and procedures, including those for protecting client information and for security patches. Board materials and records regarding cybersecurity risks, incident response planning, and third-party vendors will also be subject to review. Further, examiners will review details on the Chief Information Security Officer and any other employees responsible for cybersecurity.
Access Rights and Controls
One of the main areas of concern for the SEC is how personally identifiable information at the firm is accessed and by whom. Accordingly, examiners will request policies and procedures relating to access to firm networks and devices and to unauthorized access, as well as to changing access rights depending on employee status or role and how employees gain external access to information (encryption of firm devices, remote monitoring, etc.). Additionally, the SEC will review user authentication procedures and how log-in attempts are controlled. Reinforcing the SEC’s earlier actions regarding verification of electronic requests to transfer funds, examiners will review verification policies and procedures for customer requests to transfer funds electronically.
Data Loss Prevention
The SEC will examine policies and procedures related to the systems used to prevent, detect, and monitor data loss related to personally identifiable information and access to customer accounts. Examiners will also review how distribution of sensitive information outside of the firm is controlled and monitored.
Vendor Management
The SEC understands that not all firms can take on the technological side of data protection functions in-house and that firms will often rely on vendors. Therefore, the SEC will request information on how third-party vendors are assessed and selected, and on the policies of a firm’s vendors that are intended to provide data protection.
Training
SEC examiners will request information regarding a firm’s cybersecurity training program and how such training programs are conducted by the firm and by third-party vendors.
Incident Response
Perhaps the area which could cause the most issues for firms in an exam is their incident response plans and the resolution of past breaches. The SEC will examine business continuity plans that address mitigating cybersecurity incidents, incident response plans and tests conducted, and information regarding incidents of cybersecurity breaches or potential breaches and the remediation efforts taken.
Firms should be aware that the SEC expects to examine these materials in the immediate future. Accordingly, firms should be prepared to provide such information and have all necessary policies and procedures in place before examiners arrive.
SEC CYBERSECURITY-RELATED ENFORCEMENT ACTION
As anticipated, on September 22, 2015, the SEC announced the settlement of charges against a St. Louis-based investment adviser for failing to adopt sufficient cybersecurity policies and procedures before a security breach. The SEC investigation found that R.T. Jones Capital Equities Management (R.T. Jones) violated the “safeguards rule” (Rule 30(a) of Regulation S-P) during a period of approximately four years when it failed to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information and protect it from anticipated threats or unauthorized access. This failure to safeguard such information compromised the personal information of thousands of the firm’s clients. The SEC found that the firm had failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information, as it is required by law to do. According to the SEC, R.T. Jones had failed to conduct periodic risk assessments, implement a firewall, encrypt personally identifiable information stored on its server, or maintain a response plan for cybersecurity incidents.
The SEC alleged that after R.T. Jones discovered the breach, the firm promptly retained multiple cybersecurity consulting firms to confirm the attack and determine its scope. Subsequent to the attack, R.T. Jones provided notice of the breach to every individual whose personal information may have been compromised and offered free identity theft monitoring through a third-party provider. Although the firm did not find evidence that any client suffered economic harm as a result of the breach, the SEC nonetheless found that R.T. Jones violated Rule 30(a) of Regulation S-P. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P, to be censured, and to pay a $75,000 penalty.
On September 22, 2015, the SEC published an Investor Alert entitled “Identity Theft, Data Breaches, and Your Investment Accounts.” While this is intended as an educational tool for investors and not industry guidance, it is further evidence that the SEC is acutely focused on the cybersecurity dangers facing the investing community.