On September 22, 2015, the Securities and Exchange Commission (SEC) issued a press release announcing that it settled charges against an investment adviser that failed to establish cybersecurity policies and procedures prior to a data breach that compromised personally identifiable information (PII) of thousands of its clients. Over a four-year period, the investment adviser failed to adopt written policies and procedures regarding data security and protection of PII. After its third-party-hosted server was hacked, rendering thousands of clients’ unencrypted PII vulnerable, the investment adviser promptly retained consulting firms to confirm and trace the attack. Further, the investment adviser promptly reached out to clients and offered to provide identity theft monitoring services. Despite the after-the-fact efforts to mitigate potential damages and that no financial harm had been reported by any clients, the investment adviser agreed to be censured and pay a $75,000 penalty.
This enforcement action represents further evidence of the seriousness with which the SEC is approaching cybersecurity issues, and was issued within one week of the SEC's Office of Compliance Inspections and Examination (OCIE) issuing the latest guidance under its Cybersecurity Initiative.
OCIE 2015 Cybersecurity Initiative
On September 15, 2015, the OCIE published a Risk Alert to provide investment advisers and broker-dealers with additional information on the focus areas for its second round of cybersecurity exams. The cybersecurity exams are a part of the SEC’s Cybersecurity Initiative, a broad effort by the SEC to identify risks, assess preparedness, and increase protection of electronic data within the securities industry.
The OCIE announced that its second round of examinations will focus on the following areas:
Governance and Risk Assessment
OCIE examiners may assess the cybersecurity governance and risk assessment processes as they relate to the announced focus areas, whether firms are periodically evaluating cybersecurity risks, and whether their controls and risk assessment processes are tailored to their businesses. The examiners may also review the level of communication and involvement of senior management and boards of directors.
Access Rights and Controls
To determine how firms control access to various systems and data through their management of user credentials, authentication, and authorization methods, examiners may review controls associated with remote access, customer logins, passwords, firm protocols to address login issues, network segmentation, and tiered access.
Data Loss Prevention
Exams may include assessments of how firms monitor the volume of content transferred outside of the firm by employees or through third parties, e.g. email attachments or uploads, and how firms monitor for potentially unauthorized data transfers. Examiners may also review how firms verify the authenticity of customer requests to transfer funds.
Examiners may focus on firm practices and controls related to vendor management, such as due diligence in vendor selection, monitoring and oversight of vendors, and contract terms, and assess how vendor relationships are considered within the firm's ongoing risk assessment process. Examiners may also assess how firms determine the appropriate level of due diligence to conduct on vendors.
Recognizing that employees and vendors can be the first line of defense, exams may focus on how training is tailored to specific job functions and how it is designed to encourage responsible behavior. Further, examiners may review how cyber incident response plan procedures are integrated into the regular personnel and vendor training.
Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. As part of this assessment, examiners may assess which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.
The OCIE has indicated that while the foregoing areas are the primary focus of the exams, examiners may select additional areas based on risks identified during the course of examinations.
Also on September 22, 2015, the SEC's Office of Investor Education and Advocacy issued an Investor Alert to provide information to investors regarding suggested actions to take if they ever become victims of identity theft or data breach. The alert focused on those who believe their personal financial information has already been compromised due to a data breach or identify theft. The alert provided information and a number of useful links related to the following suggested actions:
- Contact your investment firm and other financial institutions immediately;
- change your online account passwords;
- consider closing compromised accounts;
- activate two-step verification, if available;
- monitor your investment accounts for suspicious activity;
- place a fraud alert on your credit file;
- monitor your credit reports;
- consider creating an Identity Theft Report; and
- document all communications in writing.
Given the regular attention cyber-based threats receive, both in the news and by regulators, it is crucial that investment advisers and broker-dealers carefully review their policies and procedures regarding cybersecurity, data protection, and PII to ensure compliance with the priorities discussed above and other applicable rules and regulations.