714887111.23 Legal Update March 25, 2015 OCIE and FINRA Announce the Results of Cybersecurity Initiatives On February 3, 2015, the Office of Compliance Inspections and Examinations (“OCIE”) of the US Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) announced the results of their cybersecurity examination initiatives.1 Other financial services regulators have undertaken similar examination initiatives as cybersecurity has become one of the leading concerns for the financial services industry.2 Beginning in 2013 and over a one-year period,3 OCIE examined 57 broker-dealers and 49 investment advisers,4 focusing on: (1) identification of cybersecurity risks; (2) cybersecurity governance and policies and procedures; (3) network protection (e.g., external frameworks and standards, training, certain technical controls, certain metrics, training, and incident response plans (“IRPs”)); (4) remote access to client information and fund transfer requests (e.g., informational material for client cybersecurity awareness and policies for addressing clients’ cyber-related losses); (5) vendors and third-parties; and (6) detection of unauthorized activity (including technical controls for that purpose).5 It has been reported that OCIE plans to begin “Phase 2” of its cybersecurity examination initiative in fiscal year 2016, during which it will conduct on-site reviews of advisers and broker-dealers.6 FINRA’s examination initiative consisted of: (1) a survey of 224 broker-dealers in 2011; (2) on-site reviews of broker-dealers in 2010 and 2011; and (3) targeted-examination letters (i.e., the sweep survey) that were sent to brokerdealers in 2014.7 FINRA’s cybersecurity initiative focused on the following topics: (1) cybersecurity governance (including written policies and procedures) and risk management; (2) cybersecurity risk assessments; (3) technical controls; (4) incident response planning; (5) vendor management; (6) staff training; (7) cyber intelligence and information sharing; and (8) cybersecurity insurance.8 OCIE reported the results of its cybersecurity initiative in a “risk alert,” which offers observations of industry cybersecurity practices (without any recommendations), which investment advisers and broker-dealers can use to review and enhance their cybersecurity programs. FINRA’s report on its cybersecurity initiative provides observations regarding broker-dealers’ current cybersecurity practices, as well as recommendations from FINRA regarding effective cybersecurity practices for broker-dealers. This update begins with a discussion of OCIE and FINRA’s views regarding the prevalence of cyber attacks. Next, we review the regulators’ observations and recommendations concerning: (1) cybersecurity policies and procedures; (2) cybersecurity governance; (3) frameworks and standards; (4) metrics; (5) identification of risks; (6) technical controls; (7) responding to cybersecurity incidents; (8) vendor management; (9) staff training; (10) promoting 2 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives client cybersecurity awareness; (11) cyber intelligence and information sharing; and (12) cybersecurity insurance. Prevalence of Cyber Attacks In the OCIE Risk Alert, OCIE observed that most of the examined advisers and broker-dealers had been cyber attacked, either directly or through a vendor, or through the use of malware or fraudulent e-mails,9 at some point since January 1, 2013.10 From FINRA’s perspective, common cyber attacks targeted at the broker-dealers that participated in the initiative included Distributed Denial of Service (“DDoS”) attacks, malware infections, insider threats, and cyber-enabled fraudulent wire transfers.11 Other financial services firms have also faced the same types of cyber attacks, prompting regulatory guidance aimed at the identification of the risks presented and the possible ways to mitigate these risks.12 OCIE observed that almost half of the examined advisers and broker-dealers received fraudulent e-mails requesting the transfer of client funds.13 Of those broker-dealers that received fraudulent e-mails, one-quarter reported losses exceeding $5,000 and one-quarter of the broker-dealers that lost funds due to fraudulent e-mails attributed the losses to employees deviating from the identity authentication procedures. One adviser, which was part of OCIE’s sweep examination, reported losing more than $75,000 due to such an e-mail, for which it made the client whole. The adviser attributed this loss to employees who had deviated from the adviser’s identity authentication procedures. OCIE found that two-thirds of the examined broker-dealers that received fraudulent e-mails reported the emails to Financial Crimes Enforcement Network (“FinCEN”) and very few reported the e-mails to other regulators or to law enforcement, while examined advisers generally did not report fraudulent e-mails.14 Although examined advisers and broker-dealers identified authorized-user misconduct as a significant cybersecurity risk, OCIE found that very few advisers and broker-dealers reported misconduct by employees or authorized users that resulted in misappropriated funds, confidential information, or network damage. Cybersecurity Policies and Procedures OCIE observed that a majority of the examined investment advisers and broker-dealers have written cybersecurity policies and procedures.15 OCIE also observed that a majority of the examined advisers and most of the examined broker-dealers conduct periodic audits to evaluate compliance with their cybersecurity polices and procedures.16 FINRA recommended generally that brokerdealers maintain policies and procedures that are appropriate for broker-dealers’ size and risk exposure, and that address how cybersecurity risks and controls are managed. Further, FINRA recommended that broker-dealers’ policies and procedures articulate the roles and responsibilities of their cybersecurity personnel. More specifically, FINRA believes that effective cybersecurity policies and procedures should enable broker-dealers to: (1) identify cyberrelated risks; (2) estimate the severity of each identified cyber risk; and (3) determine appropriate risk-mitigating steps.17 As discussed below, conducting ongoing assessments to identify existing and new risks is one of the key aspects of an effective cybersecurity program. FINRA recognized, however, that implementing a cybersecurity program could pose a “significant governance challenge” and recommended that broker-dealers consult with and obtain the views of their business, IT, risk management, and audit departments. FINRA suggested that broker-dealers assign cybersecurity-related responsibilities to each of these departments. Thus, the business or IT unit should select and maintain the cybersecurity controls (e.g., identity access management, encryption, or testing), while risk management should formulate the monitoring standards, and 3 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives audit should assess the effectiveness of the cybersecurity program (e.g., evaluating whether the cybersecurity controls are functioning as expected). Cybersecurity Governance OCIE observed that one-third of the examined advisers have a Chief Information Security Officer (“CISO”), while two-thirds of the examined broker-dealers have a CISO. OCIE also observed that most examined advisers assign cybersecurity responsibilities (i.e., oversight of the implementation, management, and enforcement of the cybersecurity program)18 to a Chief Technology Officer or to a third-party consultant that reports to the Chief Compliance Officer, Chief Executive Officer, or Chief Operating Officer.19 FINRA observed that examined broker-dealers who emphasized the importance of the role of the board of directors in a cybersecurity program also had an actively engaged board and an adequately resourced cybersecurity program. FINRA also observed that many of the examined broker-dealers’ boards of directors were informed of cyber-related matters through reports on a quarterly, annual, or ad hoc basis. As with existing privacy-related compliance programs under Regulations S-P and S-ID, involvement by the board is an important aspect of an effective cybersecurity program. FINRA stated its view that active involvement by senior-level management and leadership by the board is essential for effective governance of cyber risks.20 Citing a National Association of Corporate Directors publication, FINRA recommended that broker-dealers’ boards of directors: (1) treat cybersecurity as an enterprise-wide risk management issue, not an issue for IT, and should set the expectation that management will establish an enterprisewide cybersecurity risk management framework that is adequately staffed and resourced; (2) understand the legal implications of cyber risks; (3) have access to cybersecurity expertise and allot adequate time for cybersecurity-related discussions at board meetings; and (4) discuss cybersecurity issues (e.g., cybersecurity insurance) with management. Frameworks and Standards Cybersecurity frameworks and standards are published by organizations like the National Institute of Standards and Technology (“NIST”), the System Administrator, Audit, Networking, and Security Institute (“SANS”), and the International Organization for Standardization (“ISO”). These frameworks and standards can be used by firms when developing their own information security architectures (“ISAs”), which set the roadmap for firms’ cybersecurity controls and help ensure that firms’ controls provide comprehensive coverage of their cybersecurity risk exposures.21 While the adoption of these frameworks by financial services firms is generally voluntary, they are often considered best practices by the regulators and, at a minimum, are useful in evaluating existing or new practices. OCIE found that half of the examined advisers and a majority of the examined broker-dealers develop their ISA with reference to external cybersecurity risk standards.22 During its 2014 sweep examination, FINRA observed that nearly all of the examined brokerdealers use external frameworks and standards to develop their ISA. Of these broker-dealers, FINRA observed that some firms had explicitly modeled their ISA after a framework or standard, while others had used the framework or standard as a reference point to assess their ISA. In FINRA’s view, broker-dealers should use an external framework or standard when developing their ISA.23 According to FINRA, the benefit of developing the ISA after an external framework or standard is that it provides a “tested approach” for effective cybersecurity practices that should help broker-dealers identify any gaps in their ISAs and establish a 4 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives common vocabulary for cybersecurity controls amongst other broker-dealers and industry participants. Metrics “Metrics” refers to measurements of data (e.g., measurements of the number of cyber attacks, encryption coverage, Microsoft patch coverage, anti-virus coverage, and employee training). During its 2014 sweep examination, FINRA observed that nearly all of the examined brokerdealers use metrics to monitor the performance of their cybersecurity programs. FINRA also observed that examined broker-dealers use metrics to measure nearly every aspect of their cybersecurity programs,24 but that smaller broker-dealers’ use of metrics was more limited than their larger counterparts. FINRA recommended that broker-dealers: (1) develop metrics tailored to their business and cybersecurity risks (see Cybersecurity Risk Assessments below); (2) set performance thresholds to assess whether those metrics have been achieved; and (3) establish appropriate policies and procedures that document the foregoing and establish an escalation process for cases where the thresholds have not been met. Each is discussed further below. Developing Metrics. FINRA stated that broker-dealers should develop metrics that track important (or, even, nearly all) aspects of their cybersecurity program. Without a strong understanding of baseline data, it is difficult to identify anomalies or abnormal cyber activities. According to FINRA, metrics can be used to monitor cyber attacks (e.g., by tallying the number of DDoS attacks), to monitor endpoints (e.g., patches, anti-virus software, and encryption), and to ensure cybersecurity awareness (e.g., frequency of employee training).25 Establishing Performance Thresholds. FINRA recommended that broker-dealers establish a threshold that defines the target level of performance (as indicated by metrics) to be achieved. For example, FINRA stated that a threshold might have a target that at least 95% of broker-dealers’ computers have up-to-date Microsoft patches. In such a case, explained FINRA, the failure to achieve that target means that the threshold has not been met and, thus, the matter should be escalated for review. Policies and Procedures; and Escalation. FINRA recommended that broker-dealers establish policies and procedures that address which metrics to track, set the performance thresholds for those metrics, and identify the persons within the organization who are responsible for reviewing escalated matters (e.g., unmet thresholds) and monitoring the effectiveness and continued appropriateness of the metrics and thresholds.26 FINRA noted that senior IT, risk, or business personnel may be well suited to review matters that have been escalated. According to FINRA, if a broker-dealer makes limited use of metrics, then it may have a weak cybersecurity program, because management would not be able to evaluate effectively the performance of the cybersecurity program (based in part on the broker-dealer’s cybersecurity risk assessment, discussed below) or identify the program’s vulnerabilities. Identification of Risks According to the NIST, risk assessments are conducted to “discern the likelihood of a cybersecurity event and the impact that the event could have on the organization.”27 FINRA recognized that risk assessments can be a “potentially useful starting point for [brokerdealers] embarking on the establishment of a cybersecurity program.”28 OCIE observed that most of the examined advisers and nearly all of the examined brokerdealers conducted firm-wide cybersecurity risk assessments and considered the results of such assessments when establishing their 5 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives cybersecurity policies and procedures.29 OCIE also observed that most examined advisers and broker-dealers inventoried their physical devices and systems, software platforms, and applications, and mapped (i.e., identified) network resources, data flows, and external network connections (as discussed further below, FINRA considers inventorying and mapping an important element of a risk assessment program). During its 2014 sweep examination, FINRA observed that most of the examined brokerdealers have cybersecurity risk assessment programs and, of those, many had relied on certain cybersecurity frameworks and standards30 to develop their risk assessment program.31 FINRA recommended that brokerdealers establish written risk assessment policies and procedures that include the following elements: Inventory of Assets. FINRA recommended that broker-dealers create an inventory of their assets that are network accessible and assign to each identified asset a measure of importance from both a business perspective and a legal/regulatory perspective.32 Threat and Vulnerability Evaluation, and Risk Remediation. FINRA recommended that, for each identified asset, broker-dealers evaluate and identify potential internal or external threats to the asset and the asset’s vulnerabilities, and identify risk remediation actions. FINRA observed that the type, level, and frequency of potential threats could be assessed by inputs from the broker-dealer itself, intelligence from other broker-dealers, or intelligence from information sharing organizations like the Financial Services Information Sharing and Analysis Center (“FSISAC”).33 Risk Level Assignments. FINRA recommended that broker-dealers determine and assign a level of risk (e.g., critical, high, medium, or low risk) to each asset, based upon the above identified threats and vulnerabilities. Escalation and Mitigation. FINRA also recommended that broker-dealers establish an appropriate escalation process for each risk level so that the firm can decide whether the risk should be accepted or mitigated. Technical Controls “Technical controls” refers to those measures that are used to “detect, prevent, respond [to], and mitigate damage” from cyber attacks.34 OCIE observed that nearly all of the examined advisers and broker-dealers use encryption, a type of technical control. 35 FINRA observed that many examined broker-dealers apply a defensein-depth strategy, which involves layering multiple independent security controls strategically throughout broker-dealers’ IT systems.36 FINRA recommended two specific practices for effective cybersecurity technical controls (i.e., those controls necessary to protect firm software, hardware, and data). First, brokerdealers should implement a defense-in-depth strategy, which helps them select the cybersecurity controls best suited to their IT infrastructure. A defense-in-depth strategy entails the use of multiple independent cybersecurity controls at different “layers” in an organization’s IT infrastructure (e.g., an applications layer, server layer, and data layer).37 Second, broker-dealers should select controls that are appropriate to the technologies they use and their threat environment. As a general matter, FINRA also recommended that broker-dealers consider implementing, at a minimum, the following technical controls: Identity and access management, which limits and monitors users’ access to broker-dealer systems and data; Encryption, which protects the confidentiality of data by ensuring that only approved users can view the data; and 6 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives Third-party penetration testing, which simulates an actual cyber attack, so as to give the broker-dealer the cyber attacker’s perspective of its cybersecurity weaknesses.38 FINRA stated that a successful defense-in-depth strategy will depend upon the selection and use of controls that are tailored to broker-dealers’ cyber risk profile. While many of these technical controls focus on protecting IT infrastructure against external cyber risks, effective identity and access management controls also protect against internal cyber risks. An important example of identity and access management includes the immediate elimination of an employee’s access to information when his or her job changes or upon his or her termination. Responding to Cybersecurity Incidents OCIE observed that slightly more than half of examined advisers and a majority of examined broker-dealers have provisions in their business continuity plans that address mitigation of and recovery from a cyber attack.39 OCIE also observed that few examined advisers and broker-dealers have policies and procedures for determining the responsibility for a client’s cyber-related losses and even fewer offer their clients guarantees to protect against such losses. FINRA recommended that broker-dealers develop IRPs, which are written policies and procedures that address how broker-dealers plan to react to cybersecurity incidents. FINRA stated that IRPs should be designed to mitigate, contain, and eradicate cyber threats. According to FINRA, broker-dealers’ IRPs should outline a response to those cyber attacks that are most likely to occur. Further, FINRA stated that IRPs should identify the person(s) with incident response capabilities and suggested that broker-dealers either maintain an in-house cybersecurity incident response team or outsource such responsibilities to a vendor. FINRA recommended that IRPs provide for the rapid containment and mitigation of cyber attacks, such as the shutting down of the system or the disconnecting of the attached network devices, and for the prompt recovery and restoration of systems to normal operations. FINRA mentioned that, in an enforcement matter, a factor considered by FINRA was the “firm’s failure to rapidly remediate a device the firm knew was exposing [client] information to unauthorized users.”40 FINRA stated that IRPs should provide for damage assessments and outreach processes and, if appropriate, outline measures for restoring clients’ confidence in broker-dealers. FINRA noted that clients often lose confidence in broker-dealers when a cyber attack results in the release of clients’ personal information or money. Thus, to help restore such confidence, FINRA suggested that broker-dealers offer to clients affected by a cyber attack free credit monitoring services and reimbursements for stolen funds.41 FINRA also stated that broker-dealers must conduct a timely investigation of cybersecurity incidents to determine the extent of data and monetary loss and to notify any parties (e.g., clients) affected by the cyber attack.42 In the event of unauthorized access to the personal information of clients (or employees), notification is generally required by the data breach laws enacted in 47 states and the District of Columbia.43 Broker-dealers and investment advisers should have a data breach response plan outlining the procedures for investigating and responding to an incident resulting in unauthorized access to personal information. The plan should identify the internal person(s) responsible for leading the investigation and include a list of third-party providers who would potentially assist with the investigation and response. This list of third-party providers typically includes: (1) a company able to perform any required forensic analysis; (2) legal counsel to advise on the mitigation of legal risks; (3) a public relations company to assist with communications concerning the incident; and 7 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives (4) a vendor to provide credit monitoring or other identity theft prevention services. FINRA reminded broker-dealers of their reporting obligations under FINRA Rule 4530(b). Rule 4530(b) requires broker-dealers to report to FINRA within 30 calendar days after they have concluded, or reasonably should have concluded, that they or an associated person have violated, among other things, any securities, commodities, financial, or investment-related laws.44 The Rule 4530(b) reporting obligation is triggered when the violative conduct has or could have a widespread impact or has a significant monetary result on the broker-dealer, clients, or markets, or when there are multiple instances of any violative conduct.45 Vendor Management OCIE observed that few examined advisers, but most examined broker-dealers, incorporated cybersecurity provisions into their contracts with vendors and business partners.46 OCIE also observed that very few of the examined advisers and half of the examined broker-dealers have policies and procedures addressing cybersecurity training requirements for vendors and business partners who have access to their networks.47 Further, OCIE observed that onethird of examined advisers and a majority of examined broker-dealers included vendors with access to their networks in their risk assessments.48 FINRA observed that examined broker-dealers with effective vendor management policies have a vendor management team comprised of members from the business, legal, IT, and risk management departments.49 This team is responsible for assessing vendors’ internal controls to protect broker-dealers’ information (including client information). FINRA also observed that many examined broker-dealers set the level of cybersecurity-related due diligence (e.g., questionnaires, reviews, and third-party control assessments) they perform on vendors based on the level of cybersecurity risk the vendor relationship creates. FINRA recommended that broker-dealers’ contracts with vendors address, among other things, the sensitivity of data to which the vendor has access (e.g., confidentiality agreements), use of subcontractors, and vendor obligations regarding the safekeeping or removal of broker-dealer and client data from vendors’ systems upon contract termination.50 FINRA suggested that broker-dealers perform due diligence on prospective vendors as well as their current vendors throughout the relationship, and should avoid vendors with inadequate security standards. FINRA also cited the NIST Framework, suggesting that broker-dealers ensure that their vendors undertake cybersecurity training.51 Vendor management and oversight is extremely important for advisers, broker-dealers, and other entities maintaining sensitive personal information. Many of the largest and most costly security breaches have been traced back to vendors, because vendors provide an easy access point for third parties seeking sensitive information. With respect to those vendors handling client or other sensitive information, the failure to conduct initial due diligence and to audit regularly the information security practices of vendors (or to receive third-party audits from vendors) presents significant risks to advisers and broker-dealers. Such risks include unauthorized access to customer information and financial harm to customers. Staff Training Although OCIE did not report its findings with respect to staff training by the examined advisers and broker-dealers, FINRA observed that many examined broker-dealers require cybersecurity training for their staff and emphasize to staff the importance of such training.52 8 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives FINRA highlighted three practices for effective staff cybersecurity training programs. First, broker-dealers should clearly define their cybersecurity training needs. Second, brokerdealers should identify appropriate cybersecurity training update cycles, such as offering training on a periodic basis (e.g., annually), tied to milestones (e.g., promotions), and/or provided on an ad hoc basis. Third, broker-dealers should deliver interactive training that has been tailored to their history of cybersecurity incidents, risk assessments, and cyber intelligence. Generally, FINRA recommended that broker-dealers consider whether the staff training will be mandatory or optional and whether the training will be tailored towards a target audience, such as general topics for the entire firm and specific topics for management.53 Promoting Client Cybersecurity Awareness OCIE observed that most examined advisers and broker-dealers who offered their retail clients online account access also provided the clients with information about measures that such clients can take to reduce cybersecurity risks.54 Further, OCIE observed that examined investment advisers often addressed this information directly to clients through website postings, e-mails, newsletters, or bulletins. Similarly, FINRA recommended that brokerdealers provide their clients with resources, such as advice on the creation of secure passwords or suggestions for detecting online fraud. The SEC has published an Investor Bulletin that informs investors of ways they can protect their online accounts from cyber criminals and online fraud. The Investor Bulletin recommended, among other things, practices for password selection and securing mobile devices and suggested using extra caution with links in email messages and regularly checking account statements.55 Investment advisers and brokerdealers may want to consider this Investor Bulletin when drafting cybersecurity awareness materials for investors. Cyber Intelligence and Information Sharing OCIE observed that almost half of the examined broker-dealers used information sharing networks, such as FS-ISAC, to identify best practices for cybersecurity.56 OCIE observed that most of the examined advisers do not use information sharing networks and instead rely on discussions with industry peers, conferences, and independent research to identify best practices for cybersecurity. During its 2014 sweep examination, FINRA observed that examined broker-dealers rely on an array of sources to obtain cyber intelligence, although most reported FS-ISAC as the primary source for information sharing.57 FINRA found that examined broker-dealers (especially the smaller firms) often engage third-party service providers to assist in their cyber threat intelligence analysis. FINRA noted that these service providers often provide a range of services, such as assisting in vulnerability analysis, network monitoring for suspicious activities, and penetration testing (described above). FINRA highlighted four practices for effective cyber intelligence gathering and information sharing: Broker-dealers should assign responsibility for cyber intelligence gathering and analysis to an in-house group or department and should take advantage of third-party service providers’ specialized expertise. FINRA noted that some smaller broker-dealers rely on third-party service providers for this cyber intelligence gathering. Broker-dealers should establish mechanisms to disseminate cyber intelligence and analysis to appropriate persons within the firm (e.g., risk management or cybersecurity staff). Broker-dealers should evaluate cyber intelligence from perspectives that are tactical 9 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives (i.e., the analysis of and response to specific threats and vulnerabilities) and strategic (i.e., the analysis of and response to incident or threat trends).58 FINRA explained that a tactical use of cyber threat intelligence might entail adjusting firewall settings to block an IP address or updating anti-virus software to capture newly identified viruses. FINRA also explained that a strategic use of cyber threat intelligence might entail modifications to broker-dealers’ cybersecurity policies and procedures for the mitigation of threats. Similarly, cyber threat intelligence might be used strategically to assess whether brokerdealers’ cybersecurity infrastructure should be upgraded. Broker-dealers should participate in information sharing networks. According to FINRA, information sharing is a form of “collaborative self-defense” that advances “cybersecurity for the community as a whole.”59 Information sharing typically occurs over information sharing networks, such as the FS-ISAC, National Cyber Forensics and Training Center, and Red Sky Alliance. Through FS-ISAC, financial services firms can share cyber-threat intelligence anonymously and use the intelligence to develop effective cybersecurity practices. FINRA stated that the type of information that could be shared over an information sharing network includes domain names, IP addresses, e-mail headers, the files themselves, and any other cyber threat indicators.60 FINRA indicated, however, that this information should be scrubbed to remove confidential information or other personal identifying information. Recognizing brokerdealers’ concerns that information sharing may subject them to regulatory scrutiny, FINRA directed broker-dealers to a policy statement published by both the US Department of Justice (“DOJ”) and the Federal Trade Commission (“FTC”) and a white paper published by the DOJ.61 In their policy statement, the DOJ and FTC stated that the sharing of cyber-threat information “would not be likely to raise antitrust concerns.”62 The DOJ stated, in its white paper, that certain organizations (e.g., network operators and telecommunication carriers) can share cyber threat information with governmental entities without violating privacy laws (e.g., the Stored Communications Act and the Telecommunications Act of 1996), so long as such information is not client-specific and is aggregated (e.g., information about Internet traffic flow patterns, which can indicate a pending cybersecurity incident).63 Of particular relevance to financial services companies, the DOJ noted that other federal regulatory agencies have also interpreted provisions aimed at protecting consumers (e.g., the Gramm-LeachBliley Act) as excluding aggregate or blind data from the general disclosure restrictions.64 The potential risks from the sharing of cyber-threat information could be further mitigated if Congress were to enact comprehensive cybersecurity legislation expressly authorizing this type of sharing.65 At this point, it remains uncertain whether a legislative solution can gather enough bi-partisan support for enactment. Cybersecurity Insurance OCIE observed that few examined advisers and more than half of examined broker-dealers maintain insurance that covers losses and expenses arising from cyber attacks.66 OCIE also observed that, of the examined advisers and broker-dealers, only one adviser and one brokerdealer had reported filing a claim under their policies. FINRA reported that examined broker-dealers had identified three types of cybersecurity insurance: (1) standalone cybersecurity insurance polices; (2) cybersecurity riders added to broker-dealers’ existing insurance polices; and (3) existing errors and omissions policies, which offered limited coverage for cybersecurity incidents. During the 2014 sweep examination, FINRA observed that a majority of examined broker-dealers (most of which were large firms) 10 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives have a standalone cybersecurity insurance policy, while very few broker-dealers (mostly small and mid-size firms) have cybersecurity riders. FINRA also observed that approximately one-third of examined broker-dealers did not have any cybersecurity insurance at the time of the 2014 sweep examination. FINRA recommended that broker-dealers that already have cybersecurity insurance periodically assess the adequacy of their insurance coverage.67 FINRA suggested that, when making their assessments, broker-dealers consider their existing insurance coverage, the events to be insured against, cost, and the adequacy of existing risk management approaches. For broker-dealers that do not have cybersecurity insurance, FINRA recommended that they monitor the cybersecurity insurance market to determine how such insurance can enhance their ability to manage the fallout from a cyber attack. Conclusion Cybersecurity issues continue to receive increased attention from the SEC and other financial services regulators.68 For example, cybersecurity was addressed in OCIE’s 2015 exam priorities and was the subject of an SEC roundtable in 2014. Furthermore, OCIE appears set to begin a second phase of cybersecurity sweep examinations in FY 2016 that will consist of on-site examinations.69 Although the SEC and FINRA have not proposed rules that formalize cybersecurity standards or requirements, they may do so in the near future.70 Investment advisers and broker-dealers who have not yet developed and implemented a comprehensive cybersecurity program (including related policies covering information security and data breach responses) should consider doing so now. The development of this program should involve all of the relevant stakeholders within the organization, including legal, information security, compliance IT, and human resources. Not only could such a program help protect them against and mitigate the damage from a cyber attack, it will also establish the infrastructure and processes that could be mandated under possible future cybersecurity rules. Furthermore, the adoption and implementation of a comprehensive cybersecurity program will help mitigate certain legal and regulatory risks in the event of a data breach involving personal information. When developing and implementing a comprehensive cybersecurity program, advisers and brokerdealers should be aware of the extent to which their cybersecurity program may be similar to and share operational aspects with their existing compliance programs under other regulatory regimes (e.g., Regulation S-ID, Regulation S-P, disaster recovery/business continuity plans, and AML programs). To the extent practicable, advisers and broker-dealers should coordinate their cybersecurity programs with these other existing compliance programs. For more information about the topics raised in this Legal Update, our Investment Management practice, Broker-Dealer practice, Privacy & Security practice or the FSRE practice, please contact any of the following lawyers. Amy Ward Pershkow +1 202 263 3336 email@example.com Jeffrey P. Taft +1 202 263 3293 firstname.lastname@example.org Jerome J. Roche +1 202 263 3773 email@example.com Leslie S. Cruz +1 202 263 3337 firstname.lastname@example.org Andrew D. Getsinger +1 202 263 3325 email@example.com 11 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives Endnotes 1 OCIE, National Exam Program, Risk Alert: Cybersecurity Examination Sweep Summary (Feb. 3, 2015) [hereinafter OCIE Risk Alert], available at http://www.sec.gov/about/offices/ocie/cybersecurityexamination-sweepsummary.pdf?_cldee=aGFubmFoLndlaW5zdG9jay1nYWx sYWdoZXJAY29yZGl1bS5jb20%3D&urlid=1; FINRA, Report on Cybersecurity Practices (2015) [hereinafter FINRA Report], available at https://www.finra.org/web/groups/industry/@ip/@reg/ @guide/documents/industry/p602363.pdf. For FINRA’s news release announcing the results from its cybersecurity initiative, see FINRA Issues Report on Cybersecurity Practices, Cybersecurity Investor Alert, FINRA (Feb. 3, 2015), https://www.finra.org/Newsroom/NewsReleases/2015/P6 02385. These initiatives were announced in early 2014. For the SEC’s announcement of the cybersecurity initiative, see OCIE, National Exam Program, Risk Alert: Cybersecurity Initiative (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+R isk+Alert++%2526+Appendix+-+4.15.14.pdf. For FINRA’s announcement of the cybersecurity sweep exams, see Targeted Examination Letters: Cybersecurity, FINRA (Jan. 2014), http://www.finra.org/Industry/Regulation/Guidance/Tar getedExaminationLetters/P443219. 2 See, e.g., FFIEC, Cybersecurity Assessment General Observations, available at http://www.ffiec.gov/press/PDF/FFIEC_Cybersecurity_A ssessment_Observations.pdf (last visited Mar. 23, 2015) (discussing cybersecurity examination of over 500 community banks); NY Dep’t of Fin. Servs., Report on Cyber Security in the Banking Sector (May 2014), available at http://www.dfs.ny.gov/about/press2014/pr140505_cyber _security.pdf; NY Dep’t of Fin. Servs., Report on Cyber Security in the Insurance Sector (Feb. 2015), available at http://www.dfs.ny.gov/reportpub/dfs_cyber_insurance_r eport_022015.pdf. 3 For broker-dealers, the review period covered calendar year 2013; for advisers, the review period covered early 2013 through April 2014. See OCIE Risk Alert, at 1 n.3. 4 For investment advisers, OCIE’s examinations generally concentrated on advisers with assets under management of greater than $400 million that had large concentrations of retail clients and custody of client assets. See id. app. B. 5 Id. at 1. 6 Expect OCIE to Release Sample Document Request Letter for Next Cybersecurity Sweep, IA WATCH, Mar. 9, 2015. 7 FINRA Report, at 3. FINRA’s cybersecurity sweep exam focused on, among other things, broker-dealers’: (1) approaches to cybersecurity risk assessments; (2) organizational structures and reporting lines; (3) assessments of the impact of cyber attacks over the preceding twelve months; and (4) training programs. See Targeted Examination Letters: Cybersecurity, FINRA (Jan. 2014), http://www.finra.org/Industry/Regulation/Guidance/Tar getedExaminationLetters/P443219 (a general description of the cybersecurity sweep exam questions). FINRA’s 2011 survey on cybersecurity likely covered the preceding twelve-month period (i.e., calendar year 2010), given that the 2014 Risk Control Assessment survey asked about current cybersecurity practices, but tied other questions to circumstances in 2013. See FINRA Risk Control Assessment (2014), available at https://www.finra.org/web/groups/industry/@ip/@reg/ @guide/documents/industry/p478730.pdf. It is possible that FINRA’s on-site examinations covered a period longer than twelve months, because FINRA examiners typically explain the nature and scope of the exam during the initial meeting. See Preparing for a FINRA Cycle Examination, at 4, FINRA, available at http://www.finra.org/web/groups/industry/@ip/@edu/d ocuments/education/p038336.pdf (last visited Mar. 24, 2015). 8 FINRA Report, at 3. 9 OCIE Risk Alert, at 2–3. 10 In its risk alert announcing the cybersecurity sweep examination results, OCIE did not state the time period for which it had sought information from firms concerning cybersecurity incidents (e.g., information about the number of DDoS attacks since “X” date); however, based upon the sample cybersecurity sweep examination questions provided by OCIE, it is likely that OCIE had asked firms to report about cybersecurity incidents since January 1, 2013. See OCIE, National Exam Program, Risk Alert: Cybersecurity Initiative, at 6–7 (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+R isk+Alert++%2526+Appendix+-+4.15.14.pdf (asking “Since January 1, 2013, has your Firm experienced any of the following types of events?” and listing malware, DDoS, fraudulent e-mails, etc.). 11 FINRA Report, at 23. In its cybersecurity report, FINRA did not identify the time period during which these common attacks were observed to have occurred. However, it is likely that such period was 2013–2014. See Targeted Examination Letters: Cybersecurity, FINRA 12 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives (Jan. 2014), http://www.finra.org/Industry/Regulation/Guidance/Tar getedExaminationLetters/P443219 (requesting that broker-dealers provide an “assessment of the impact of cyber-attacks on the [broker-dealer] over the past twelve months”). 12 See, e.g., FFIEC, Joint Statement on Distributed Denial-ofService Cyber Attacks, Risk Mitigation, and Additional Resources (Apr. 3, 2014), available at http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joi nt%20Statement.pdf. While generally applicable to banks and other depository institutions, the FFIEC statement provides helpful guidance for any organization facing a DDoS attack. 13 OCIE Risk Alert, at 3. 14 Broker-dealers are required to file suspicious activity reports (“SARs”) and, thus, may be required to file SARs for fraudulent e-mails where the amount involved exceeds $5,000. See 31 C.F.R. § 1023.320(a)(2); In re Oppenheimer & Co., Release Nos. 33-9711, 34-74141, at 9 (Jan. 27, 2015), available at http://www.sec.gov/litigation/admin/2015/33-9711.pdf. Investment advisers do not have SAR filing requirements, although they may voluntarily file a SAR. See FinCEN, The SAR Activity Review: Trends, Tips, and Issues, at 10 n.5 (2009), available at http://www.fincen.gov/news_ room/rp/files/sar_tti_15.pdf. 15 OCIE Risk Alert, at 2. 16 Id. 17 FINRA Report, at 6. 18 See SANS Inst., Implementing an Effective IT Security Program, at 8, available at http://www.sans.org/readingroom/whitepapers/bestprac/implementing-effectivesecurity-program-80 (last updated Mar. 25, 2015). 19 OCIE Risk Alert, at 4–5. 20 FINRA Report, at 7. 21 See SANS Inst., Information Systems Security Architecture: A Novel Approach to Layered Protection, at 5 (Sept. 9, 2004), available at http://www.sans.org/readingroom/whitepapers/auditing/information-systemssecurity-architecture-approach-layered-protection-1532. 22 OCIE Risk Alert, at 2. OCIE did not specify whether the examined advisers and broker-dealers had explicitly modeled their cybersecurity programs after a framework or standard or had used the framework or standard as a reference point to assess their own cybersecurity programs. 23 FINRA Report, at 9. FINRA did not recommend which framework or standard broker-dealers should use, and FINRA did not suggest whether broker-dealers should explicitly model their policies and procedures after a framework or standard, or whether they should use the framework or standard as a reference point. Id. at 9–10. 24 Id. at 10. 25 Id. at 11. 26 Id. 27 NIST, Framework for Improving Critical Infrastructure Cybersecurity, at 13–14 (Feb. 12, 2014) [hereinafter NIST Cybersecurity Framework], available at http://www.nist.gov/cyberframework/upload/cybersecuri ty-framework-021214.pdf. 28 FINRA Report, at 13. Similarly, the NIST and the FFIEC suggest that risk assessments be considered during the establishment of the compliance program. See NIST Cybersecurity Framework, at 14; see also FFIEC, Bank Secrecy Act/Anti-Money Laundering Examination Manual, at 23, app. I. (2014), available at http://www.ffiec.gov/bsa_aml_infobase/documents/BSA _AML_Man_2014.pdf (according to FFIEC, risk assessments help identify the risk profile, and management then develops internal controls (e.g., policies and procedures, and technical controls) that are tailored to that risk profile). 29 OCIE Risk Alert, at 2. 30 See supra Frameworks and Standards. 31 FINRA Report, at 14. 32 See id. at 12. FINRA observed that, from a business and regulatory perspective, a critical asset for broker-dealers would include a database with client information. The same is true for investment advisers. 33 FS-ISAC was launched in 1999 and was established by the financial services sector in response to Presidential Directive 63. FS-ISAC is “the global financial industry’s go to resource for cyber and physical threat intelligence analysis and sharing . . . . The FS-ISAC also provides an anonymous information sharing capability across the entire financial services industry.” See About FS-ISAC, FSISAC, https://www.fsisac.com/about (last visited Mar. 25, 2015). 34 Council on Cybersecurity, SANS Inst., The Critical Security Controls for Effective Cyber Defense, at 4, available at https://www.sans.org/media/critical-securitycontrols/CSC-5.pdf (last visited Mar. 25, 2015). 35 OCIE Risk Alert, at 4. 36 FINRA Report, at 16. 37 Defense in Depth, OWASP (May 12, 2013), https://www.owasp.org/index.php/Defense_in_depth; see also FINRA Report, at 16. 38 FINRA Report, at 16. 13 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives 39 OCIE Risk Alert, at 2. 40 FINRA Report, at 24. 41 Id. at 25. 42 Id. at 24. 43 Currently, Alabama, New Mexico, and South Dakota are the only states without a data breach notification requirements. 44 Rule 4530 Events, FINRA, http://www.finra.org/industry/compliance/regulatoryfilin gs/customercomplaints/P291715 (last visited Mar. 25, 2015). 45 FINRA Rule 4530.01. For example, in a Letter of Acceptance, Waiver, and Consent (“AWC”), FINRA noted that the member firm had reported, pursuant to Rule 4530(b), its failure to review a substantial number of emails caused by errors in the e-mail supervisory system (a violation of FINRA’s requirement that broker-dealers establish and maintain systems and procedures that are reasonably designed to comply with broker-dealers’ obligation to review and retain e-mail). FINRA charged the member firm with rule violations for making material misstatements in its responses to FINRA’s follow-up inquiry concerning the initial Rule 4530(b) report. See LPL Financial LLC, Letter of AWC No. 2012032218001, at 6–7 (May 21, 2013); see also Wells Fargo Advisors, LLC, Letter of AWC No. 2012034123501 (Dec. 18, 2014) (FINRA noting favorably that the broker-dealer had submitted a Rule 4530(b) report to disclose certain violations of the broker-dealer’s Customer Identification Program (which verifies the identity of each client opening a new account) that were caused by a design flaw in the broker-dealer’s proprietary system). In a recent Letter of AWC, Scottrade Inc. was found to have violated Regulation S-P and FINRA Rules 3010 and 2010 for improperly disclosing its clients’ private personal information to third-parties and for failing to implement written policies and procedures reasonably designed to insure the security and confidentiality of clients’ information. See Scottrade Inc., Letter of AWC No. 2012031796401 (Jan. 21, 2015). 46 OCIE Risk Alert, at 4. 47 Id. 48 Id. at 2. 49 FINRA Report, at 27. 50 Id. at 26–29. FINRA recommended that, upon termination of the vendor relationship, broker-dealers continue to focus on protecting their and clients’ data to which vendors had access by, for example, requesting a written confirmation from vendors that the data has been deleted from vendors’ systems. 51 Id. at 31. 52 Id. 53 Id. at 31–32. 54 OCIE Risk Alert, at 4. 55 See SEC, Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud, INVESTOR.GOV (Feb. 3, 2015), http://investor.gov/news-alerts/investorbulletins/investor-bulletin-protecting-your-onlinebrokerage-accounts-fraud; see also FINRA Report at 32. 56 OCIE Risk Alert, at 3–4. Also, see above discussion of FSISAC. 57 FINRA Report, at 35. 58 Id. at 35–36. 59 Id. at 35. 60 Id. 61 Id. at 36. 62 Dep’t of Justice & Fed. Trade Comm’n, Antitrust Policy Statement on Sharing of Cybersecurity Information (Apr. 10, 2014), available at http://www.justice.gov/atr/public/guidelines/305027.pdf. 63 Dep’t of Justice, White Paper: Sharing Cyberthreat Information under 18 U.S.C. § 2702(a)(3) (May 9, 2014) [hereinafter DOJ White Paper], available at http://www.justice.gov/criminal/cybercrime/docs/guidan ce-for-ecpa-issue-5-9-2014.pdf. 64 Id. at 6. 65 For an example of such legislation, see the Cybersecurity Information Sharing Act of 2014, which was introduced by Senator Dianne Feinstein on July 10, 2014. See Cybersecurity Information Sharing Act of 2014, S. 2588, 113th Cong. § 4(c)(1) (2014), available at https://www.congress.gov/113/bills/s2588/BILLS- 113s2588pcs.pdf (“[A]n entity [(e.g., a private entity)] may, consistent with the protection of classified information, share with, or receive from, any other entity or the Federal Government cyber threat indicators and countermeasures.”). 66 OCIE Risk Alert, at 5. 67 FINRA Report, at 37. 68 Press Release, NY Dep’t of Fin. Servs., NYDFS Announces New, Targeted Cyber Security Assessments for Insurance Companies (Feb. 8, 2015), http://www.dfs.ny.gov/about/press2015/pr1502081.htm; see also Press Release, NY Dep’t of Fin. Servs., NYDFS Issues Examination Guidance to Banks Outlining New Targeted Cyber Security Preparedness Assessments (Dec. 10, 2014), http://www.dfs.ny.gov/about/press2014/pr1412101.htm. 14 Mayer Brown | OCIE and FINRA Announce the Results of Cybersecurity Initiatives 69 See Expect OCIE to Release Sample Document Request Letter for Next Cybersecurity Sweep, IA WATCH, Mar. 9, 2015. 70 See, e.g., Chair White, Remarks at the SEC’s Cybersecurity Roundtable: Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014), http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/ 1370541286468 (highlighting the SEC’s recent rulemaking concerning cybersecurity, such as Regulation SCI, Regulation S-ID, and Regulation S-P, and noting that the SEC staff continues to focus on cybersecurity issues); Comm’r Aguilar, Remarks at the SEC’s Cybersecurity Roundtable: The Commission’s Role in Addressing the Growing Cyber-Threat (Mar. 26, 2014), http://www.sec.gov/News/PublicStmt/Detail/PublicStmt/ 1370541287184 (“As many of you know, in 2011 the staff issued guidance to public companies about their disclosure obligations with respect to cybersecurity risks and cyber incidents . . . However, the increased pervasiveness and seriousness of the cybersecurity threat raises questions about whether more should be done to ensure the proper functioning of the capital markets and the protection of investors.”). Mayer Brown is a global legal services organization advising many of the world’s largest companies, including a significant portion of the Fortune 100, FTSE 100, DAX and Hang Seng Index companies and more than half of the world’s largest banks. Our legal services include banking and finance; corporate and securities; litigation and dispute resolution; antitrust and competition; US Supreme Court and appellate matters; employment and benefits; environmental; financial services regulatory & enforcement; government and global trade; intellectual property; real estate; tax; restructuring, bankruptcy and insolvency; and wealth management. Please visit our web site for comprehensive contact information for all Mayer Brown offices. www.mayerbrown.com Any advice expressed herein as to tax matters was neither written nor intended by Mayer Brown LLP to be used and cannot be used by any taxpayer for the purpose of avoiding tax penalties that may be imposed under US tax law. If any person uses or refers to any such tax advice in promoting, marketing or recommending a partnership or other entity, investment plan or arrangement to any taxpayer, then (i) the advice was written to support the promotion or marketing (by a person other than Mayer Brown LLP) of that transaction or matter, and (ii) such taxpayer should seek advice based on the taxpayer’s particular circumstances from an independent tax advisor. Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the “Mayer Brown Practices”). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe-Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated legal practices in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. Mayer Brown Consulting (Singapore) Pte. Ltd and its subsidiary, which are affiliated with Mayer Brown, provide customs and trade advisory and consultancy services, not legal services. “Mayer Brown” and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions. This publication provides information and comments on legal issues and developments of interest to our clients and friends. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek legal advice before taking any action with respect to the matters discussed herein. © 2015 The Mayer Brown Practices. All rights reserved.