Following a year of high-profile data breaches, the Securities and Exchange Commission (SEC) announced on January 13, 2015 that, for the second consecutive year, its Office of Compliance Inspections and Examinations (OCIE) priorities would include a focus on cybersecurity controls.1 The same day, the Obama Administration (Administration) announced two cybersecurity legislative proposals of importance to the financial services industry. Given this expanding focus on cybersecurity, this article: (i) addresses the results of OCIE’s 2014 cybersecurity examination sweep and discusses OCIE’s second wave of cybersecurity exams; (ii) summarizes the Administration's recent legislative proposals; and (iii) suggests questions firms may wish to consider in response to these important developments.
SEC Summarizes Results of First Cybersecurity Examination Sweep
OCIE announced in an April 15, 2014 Risk Alert that it would be conducting examinations of registered broker-dealers and registered investment advisers, and focusing on areas related to cybersecurity.2 The announcement indicated that the SEC wanted to know whether those examined: (i) truly understood their firm’s cybersecurity infrastructure; (ii) had enacted specifically tailored policies and procedures; (iii) could detect – in real time – any unlawful access to their data networks; (iv) were actively monitoring and minimizing the risks associated with third-party vendors and service providers; and (v) could prove that they adhered to and enforced their own policies. For further information regarding this Risk Alert, please refer to DechertOnPoint, SEC Staff to Conduct Broker-Dealer and Investment Adviser Examinations Focused on Cybersecurity.
OCIE disclosed its findings in its February 3, 2015 Cybersecurity Examination Sweep Summary (Summary), which highlights the fact that broker-dealers are significantly more prepared to deal with a cyber-incident than investment advisers.3 For example, while the vast majority of examined firms have adopted written information security policies, far fewer investment advisers (51%) than broker-dealers (82%) discuss how to mitigate the effects of a cybersecurity incident should one occur. Similarly, while 72% of examined broker-dealers incorporate requirements regarding cybersecurity risks into their contracts with vendors and business partners, only 24% of examined investment advisers take that important protective step. Comparable disparities exist between the examined firms when it comes to designating a Chief Information Security Officer (CISO) (68% of broker-dealers have a CISO versus 30% of investment advisers).
The Summary also signaled areas of common weakness. Fewer than a third of examined broker-dealers or advisers had policies addressing how the firm determines whether it is responsible for client losses associated with cyber incidents. Even fewer firms reported incidents in which an employee or other authorized user had engaged in misconduct with negative results – including the misappropriation of funds, securities and sensitive client information.
In the wake of these findings, and in light of OCIE’s indication that it will conduct a second round of cybersecurity exams, industry participants should determine whether their cyber programs are in good shape, need a tune-up or perhaps a complete overhaul. When doing so, they should also consider how the Administration’s new cyber proposals might affect their responses.
What’s Next on the Examination and Legislative Front
There are three cybersecurity developments that will likely impact how industry participants prepare for and respond to cyber incidents: (i) a second round of OCIE examinations on cybersecurity; (ii) the Administration’s proposed legislation on data breach reporting; and (iii) the Administration’s proposed legislation on cybersecurity information sharing.
OCIE Director Discusses Second Round of Cybersecurity Examinations
In a March 9, 2015 interview, Jane Jarcho, the National Associate Director of OCIE’s Investment Adviser/Investment Company examination program, indicated that OCIE’s second phase of cybersecurity examinations will begin as early as this summer, and that examiners – in on-site visits – will drill down on key cyber topics. While Ms. Jarcho indicated that the specific areas of inquiry are still “in flux,” she noted that the examinations will likely focus on firms’ response plans, whether firms scrutinize their vendors’ cyber policies and procedures and monitor their vendors’ performance, and the extent to which senior management and boards play a role in approving their firms’ cybersecurity policies and procedures. Ms. Jarcho also explained that examiners may ask firms how they would detect and limit a breach if hackers were to use an employee’s access to enter a system. While OCIE has not yet issued a risk alert on the second round of exams, Ms. Jarcho indicated that it plans to release a sample document request letter or list of focus areas in advance of the upcoming examinations.
Will We Get a National Data Breach Reporting Act?
President Obama’s proposed Personal Data Notification and Protection Act (Reporting Proposal) contemplates a single federal statute – enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau – that would replace the laws of 46 states (plus the District of Columbia) currently governing data breach reporting.4 Its enactment would streamline the process for when and how industry participants must notify individuals and law enforcement authorities after a breach.
The Reporting Proposal would generally require a business entity that “uses, accesses, transmits, stores, disposes of or collects” the sensitive personally identifiable information (SPII) of more than 10,000 individuals during any 12-month period to notify individuals when the business entity knows or believes that SPII has been wrongfully accessed or acquired.5 The FTC could, however, excuse business entities from providing notice if post-breach risk assessments indicate that the breach did not and would not harm the individuals. Affected individuals would be entitled to notice in writing, and in certain circumstances via phone or email. The Reporting Proposal would also require the relevant business entity to disclose the type of SPII at risk and to identify the entity with which individuals have a direct business relationship. Extensions might be given to business entities that could prove they need more time to determine, for example, the scope of the data breach – but generally notice would be required within 30 days after discovery of the breach.
Furthermore, the Reporting Proposal would also require business entities to notify law enforcement authorities if the business entity knew or believed that a breach involved: (i) access to, or the acquisition of, more than 5,000 individuals’ SPII; (ii) a database or other data system that contained more than 500,000 individuals’ SPII nationwide; (iii) databases owned by the federal government; or (iv) the SPII of individuals the business entity knew were employees or contractors of the federal government and who were involved in national security or law enforcement.
Cybersecurity Information Sharing Legislation: A Contentious Proposition
The Administration’s Information Sharing Legislative Proposal (Sharing Proposal) seeks to promote cybersecurity information sharing between the private sector and the government, via the National Cybersecurity and Communications Integration Center (NCCIC), as well as among private entities, via Information Sharing and Analysis Organizations (ISAOs).6 President Obama’s February 13, 2015 Executive Order Promoting Private Sector Cybersecurity Information Sharing (Executive Order) largely tracks the Sharing Proposal because it: (i) allows the already-established NCCIC to enter into agreements with ISAOs to promote critical infrastructure security with respect to cybersecurity; (ii) encourages public and private entities to develop ISAOs and share information regarding cyber threats; and (iii) authorizes the federal government to contract with a non-governmental organization to develop voluntary standards for ISAO operation.7 However, the Sharing Proposal contains additional provisions that might make information sharing more palatable to some industry participants.
The key part of the Sharing Proposal is a provision limiting liability, which would at least partially protect an entity from being held civilly or criminally liable for voluntarily disclosing or receiving a lawfully obtained “cyber threat indicator”8 that the entity was not otherwise required to disclose. The limitation on liability would cover the sharing of cyber threat indicators between an entity and the NCCIC or, under certain circumstances, between an entity and an ISAO. The Sharing Proposal would also exempt cyber threat indicators from disclosure under the Freedom of Information Act and similar state laws, and limit the federal government’s use of cyber threat indicators against a disclosing entity in regulatory enforcement actions.
Notwithstanding these limitations on liability, skepticism has been expressed as to whether the federal government is the best clearinghouse for private information. While the Sharing Proposal does contain privacy protections that would require the government to take certain steps in regard to cyber threat indicators – including limiting the acquisition of cyber threat indicators that are reasonably likely to identify specific people, and making efforts to preserve the confidentiality of proprietary information – some critics believe that the Sharing Proposal does not do enough to protect the privacy of business entities or individuals. And, given that both private entities and privacy activists have indicated that they would like to see reforms to the National Security Agency’s personal information collection programs before signing on to share more information with the federal government, the Sharing Proposal faces a number of significant hurdles.9
Questions Industry Participants May Wish to Consider in Response to These Developments
In past years, both the SEC and the Administration have sought to have an open dialogue with industry participants about cybersecurity, with the SEC in particular focusing on industry readiness. Looking ahead, questions remain as to whether and, if so, when the SEC’s focus will shift from readiness to enforcement, and whether the Administration will be able to find the bipartisan support it needs to add to the regulatory framework on cybersecurity. In the meantime, industry participants should take a hard, objective look at their cyber policies and procedures, in an effort to benchmark against the industry as a whole and determine where they may still have areas of weakness. In doing so, industry participants could ask themselves questions including the following:
- Have we enacted specifically tailored policies and procedures? Industry-wide recommendations for best practices are a good starting point, but there is no substitute for adopting policies that address the specific risks that stem from your business.
- Do our policies address how to mitigate the effects of a cyber incident? Developing a response plan now could lessen the impact of a future breach.
- Are we actively minimizing the risks associated with third-party vendors and service providers? Renegotiating third-party vendor and service contracts is an undeniably large undertaking, but one that is necessary in order to hold third parties to the same legal standards applicable to your business.
- Do we have one designated person who truly understands our firm’s cybersecurity infrastructure? A designated CISO who knows your industry, your infrastructure and your risks is a necessity for remaining prepared and responsive in an ever-changing cyber environment.
While there may be a feeling among industry participants that a cybersecurity breach is not an “if,” but a “when,” that reality does not mean firms’ responses should be purely reactionary. Firms should instead treat cybersecurity as a top priority – regularly conducting tune-ups and stress tests to boost their preparedness.