The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (the “OCIE”) recently announced its 2015 Cybersecurity Examination Initiative, which describes the focus of the OCIE’s examinations of cybersecurity practices within the securities industry and “encourage[s] registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.”
The Cybersecurity Examination Initiative identifies the key topics that the OCIE will evaluate in the course of its examinations: governance and risk management (general information security practices, enterprise-wide efforts to address information security, and the role of information security leadership); access rights and controls (which personnel have access to which information); data loss prevention (adequacy of efforts to prevent unauthorized access to or misuse of data); vendor management (diligence in vendor selection, contingency planning, and change management); training (of employees and other personnel with access to information); and incident response (handling of past incidents and plans for handling future ones). The announcement also provides a helpful checklist of the documents likely to be requested in connection with a cybersecurity examination.
Just a week after the Cybersecurity Examination Initiative announcement, the SEC instituted a settled administrative proceeding (In re R.T. Jones Capital Equities Mgmt., No. 3-16827 (SEC Sep. 22, 2015)) ordering an investment adviser to cease and desist from violations arising out of insufficient information security practices, in the wake of a breach. The SEC’s pursuit of a proceeding against R.T. Jones underscores the SEC’s interest in this topic and provides additional guidance as to what the SEC may look for with respect to information security, including, in R.T. Jones’s case, alleged failures to adopt appropriate written policies, to employ a firewall to protect customer information, to encrypt customer information, and to establish procedures for responding to a security incident. The SEC’s order found that R.T. Jones violated Rule 30(a) of Regulation S-P, the so-called Safeguards Rule. Presumably because R.T. Jones had acted with a fair amount of diligence in responding to the security incident, and there was no indication of financial harm to clients, the matter was settled with a relatively small penalty of $75,000.
Separately, and in a more generally applicable context, the New York Stock Exchange, in partnership with Palo Alto Networks, recently released guidance titled “Navigating the Digital Age – The Definitive Cybersecurity Guide for Directors and Officers” (the “Cybersecurity Guide”), observing that “No issue today has created more concern within corporate C-suites and boardrooms than cybersecurity risk.” The Cybersecurity Guide provides nearly 300 pages of guidance and materials for directors and officers seeking to understand how to improve their companies’ cybersecurity practices, drawing on the expertise of an impressive array of industry players. At the end of the day, however, the guide is just one more example of regulators’, markets’ and the public’s expectation that companies will give cyber risk their full attention and address it commensurately with other risks to company assets and operations. The risks inherent in digital data and digital systems are pervasive.
Responsibly assessing and addressing cyber risk is vital to protecting ongoing business operations and digital assets, and is now an accepted requirement for avoiding significant liability for the misuse or inadequate protection of legally protected data. Matters of such importance cannot be ignored, nor simply delegated to a company’s information technology department.