Continuing their heightened focus on the information security practices of regulated fi rms, both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) released reports on February 3, 2015, summarizing the results of cybersecurity examination sweeps they had conducted since last year.1 Speaking at the SIFMA/FINRA Cybersecurity Conference the following day in New York, Vincente Martinez, the Chief of the Offi ce of Market Intelligence in the SEC’s Enforcement Division confi rmed that, relying in part on the information in the reports, the SEC is actively examining both how its existing authorities can be used to bring more enforcement actions when fi rms fail to provide suffi cient protection for the confi dentiality and integrity of customer information and how those authorities might be broadened and strengthened. FINRA, too, can be expected to increase its scrutiny of fi rms’ data security practices. Th e sweeps reports off er fi rms glimpses of the SEC’s and FINRA’s likely enforcement priorities and confi rm that cybersecurity should be a high priority for investment advisers in 2015. SEC Risk Alert Th e SEC’s cybersecurity risk alert reports the results of examinations of 57 registered brokerdealers and 49 registered investment advisers undertaken since April 2014. Th e examinations were based on a long questionnaire addressing topics such as risk assessment, corporate governance, intrusion detection, vendor management, and funds transfer fraud detection.2 Th e questionnaire also asked registered entities for a detailed list of data security incidents they had experienced since January 1, 2013, ranging from incidents involving malware and network breaches to hardware/software malfunctions and other security incidents. For each incident, the entity was asked to explain if it reported the incident to law enforcement, the Financial Crimes Enforcement Network (FinCEN) (through the fi ling of a Suspicious Activity Report), FINRA, a state or federal regulatory agency, or an industry or public-private organization facilitating the exchange of information about cybersecurity incidents and risks. At the SIFMA/FINRA Cybersecurity Conference, Martinez stressed that the alert is not intended REGULATORY MONITOR SEC Update Wilmer Cutler Pickering Hale and Dorr LLP Washington, DC —By Jonathan G. Cedarbaum, Yoon-Young Lee, Matthew Chambers, and Benjamin A. Powell VOL. 22, NO. 4 • APRIL 2015 2 THE INVESTMENT LAWYER Copyright © 2015 by CCH Incorporated. All Rights Reserved. as a best practices guide, but instead as a resource for the SEC to inform its enforcement eff orts and policy development. It therefore may provide some insight into SEC priorities. Martinez identifi ed as particularly notable the variation seen in policies and practices concerning vendor management and other third-party relationships and in fraud avoidance and loss allocation policies with respect to funds transfers. Th ose areas thus may attract particular attention from the SEC. In many of the areas scrutinized in the sweep, signifi cantly higher percentages of broker-dealers than investment advisers had desired policies in place. Nearly all the broker-dealers surveyed (93 percent), for example, conduct periodic risk assessments on a fi rm-wide basis to identify cybersecurity risks, vulnerabilities, and potential business consequences, while only 79 percent of investment-advisers do. A substantial majority of broker-dealers (84 percent) require vendors to undertake such risk assessments, but only 32 percent of advisers do. Similarly, nearly nine in ten (88 percent) of broker-dealers reported relying on external standards, such as the National Institute of Standards (NIST) Cybersecurity Framework, in developing their information security processes, but only about half (53 percent) of advisers did.3 Perhaps most striking, 72 percent of broker-dealers incorporate provisions relating to cybersecurity risk into their contracts with vendors and business partners, while only 24 percent of advisers surveyed do the same. Whether these contrasts will lead the SEC to pay particularly close attention to investment advisers’ data security practices remains to be seen. FINRA Report Th e FINRA report, unlike the SEC risk alert, not only describes the results of FINRA’s 2014-2015 sweep (as well as of a sweep undertaken in 2011), but also off ers an array of “principles and eff ective practices” that provide a guide for regulated fi rms to use in assessing and improving their own information security activities. Th ose principles include: Governance and risk management: “establish[ing] and implement[ing] a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks,” including engaging the board and senior management; Risk assessment: undertaking regular, enterprisewide assessments of assets and threats, with an eye toward prioritizing remediation eff orts; Technical controls, such as identity and access management, encryption, and penetration testing, creating a defense-in-depth strategy: Incident response planning: establishing policies and procedures and defi ning roles and responsibilities for a coordinated, fi rm-wide response to data security breaches; Vendor management: ensuring careful lifecycle scrutiny of vendors’ cybersecurity practices; Training: carrying out regular training of staff on cybersecurity “hygiene,” that is, day-to-day habits that are essential to protecting information systems; Cyber intelligence and information- sharing, including participating in informationsharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC); and Cybersecurity insurance: evaluating the utility of cyber insurance as a way to transfer some of the risk of cyber incidents. Th e report notes that while sophisticated threats are becoming more frequent, “most successful attacks take advantage of fairly basic control weaknesses.” It emphasizes that “[w]hat is required is rigorous attention to detail and execution.” FINRA, the report explains, “expects that fi rm management will make cybersecurity a priority” and will “review this report to assess what aspects of the principles and eff ective practices … could help them build or improve their cybersecurity readiness.” Th e report also holds up the NIST Cybersecurity Framework as an essential guide. VOL. 22, NO. 4 • APRIL 2015 3 Copyright © 2015 by CCH Incorporated. All Rights Reserved. Further Initiatives Th ese SEC and FINRA reports—and the examination sweeps behind them—are just the latest steps in what will undoubtedly be both bodies’ ongoing increased attention to regulated fi rms’ information security practices. At the SIFMA/FINRA Cybersecurity Conference, Martinez echoed statements by SEC Chair Mary Jo White at the SEC’s March 2014 cybersecurity roundtable that the SEC views information security as crucial to protecting market-related systems and thus investors. In addition to Regulation S-P and FINRA Rule 2010, he identifi ed several other sources of authorities the SEC and FINRA may rely on in order to exercise a heightened data security enforcement role, including the recently issued Regulation SCI, which he said the SEC is considering developing an analogue of for broker-dealers; Investment Advisers Act Regulation 206(4), and Securities Exchange Act § 15B as a basis for scrutinizing credit rating agencies.4 With the increasing importance of and regulatory attention to data security, fi nancial institutions can expect the pace of regulatory—and perhaps even legislative—activity to continue to increase. Regulated fi rms, for example, also need to ensure that they are complying with their obligation—under the Fair Credit Reporting Act, as amended, and its implementing “red fl ag” rules and guidelines—to have a board-approved identity theft program in place. Th e Dodd-Frank Act moved responsibility for enforcement of these obligations for brokerdealers, investment advisers, and investment companies to the SEC, which (in collaboration with the Commodity Futures Trading Commission) promulgated new rules and guidance in 2013.5 On February 13, 2015, President Obama convened a White House Cybersecurity Summit at Stanford University. He is pressing for a package of laws designed to encourage cybersecurity information-sharing, to establish a uniform federal standard for data breach notifi cation, and to strengthen law enforcement tools against cyber criminals. In just the last six months he has issued two executive orders addressing aspects of the cybersecurity landscape, and more presidential directives can be expected. President Obama has repeatedly described cyber threats as “one of the most serious economic [and] national security challenges that we face as a nation.”6 Regulatory attention to data security is increasing almost as rapidly as the threat environment is evolving. Investment advisory fi rms would be wise to make cybersecurity one of their highest priorities in 2015.