The Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) recently issued a National Exam Program Risk Alert entitled OCIE Cybersecurity Initiative (the “Risk Alert”). The Risk Alert follows on the heels of the SEC’s recent Cybersecurity Roundtable at which SEC Chair Mary Jo White, in her Opening Statement, underscored the importance of cybersecurity to “the private data of the American consumer” as well as to the financial markets and other risks.
The substance of the Risk Alert consists of a seven-page sample cybersecurity document request (the “Sample Document Request”). The Risk Alert characterizes the Sample Document Request as intended “to empower compliance professionals with questions and tools they can use to assess their respective firms’ cybersecurity preparedness…” Lest there be any doubt among SEC-regulated financial service firms of the necessity for such an assessment, the Risk Alert also announced that OCIE will be conducting cybersecurity-focused examinations of more than fifty registered broker-dealers and registered investment advisers.
Examination Risk. In the Risk Alert, OCIE characterizes its cybersecurity initiative, which includes its upcoming examinations, as “designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” The Risk Alert also states that the planned examinations “will help identify areas where the Commission and the industry can work together to protect investors and our capital markets from cybersecurity threats.”
Notwithstanding these seemingly benign objectives, it would be a mistake for firms to view these examinations as low risk and as little more than an opportunity to partner with OCIE in the sharing of information. Regulated financial service firms should not underestimate the possibility of serious regulatory findings from a cybersecurity examination. Rather, these examinations should be viewed as carrying the same risk of serious regulatory findings as any other OCIE examination. As discussed further below, these risks include a host of possible legal and regulatory violations at both the federal and state level.
Underlying Regulatory Obligations. Any assessment of a broker-dealer’s or investment adviser’s regulatory risk related to cybersecurity must start with Section 30 of Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information (17 CFR §248.30). Section 30 of Regulation S-P requires brokers, dealers, investment companies, and investment advisers to adopt written policies and procedures to safeguard customer records and information. Regulation S-P requires that financial institutions set appropriate standards relating to administrative, technical, and physical safeguards for protecting customer records and information. These policies must, for example, “protect against any anticipated threats or hazards to the security or integrity of customer records and information” and “protect against unauthorized access to or use of customer records or information.” Firms should bear in mind that what counts as an appropriate standard is likely to change rapidly as technology evolves and newer cybersecurity threats emerge.
Broker-dealers that access the markets through their own market participant identifier (“MPID”), i.e., that are exchange members, ATS subscribers or ATS operators with non-broker-dealer subscribers, must also be mindful of Securities Exchange Act Rule 15c3-5: Risk Management Controls for Brokers or Dealers with Market Access. As noted by the SEC in its order against Knight Capital Americas LLC, Rule 15c3-5 requires brokers or dealers with market access to:
- establish, document, and maintain a system of risk management controls and supervisory procedures reasonably designed to manage their financial, regulatory, and other risks;
- maintain systematic financial risk management controls and supervisory procedures that are reasonably designed to prevent the entry of erroneous orders and orders that exceed pre-set credit and capital thresholds in the aggregate for each customer and the broker or dealer; and
- establish, document, and maintain a system for regularly reviewing the effectiveness of their risk management controls and supervisory procedures.
Notably, Rule 15c3-5 also requires a broker-dealer’s chief executive officer to review and certify that the controls and procedures comply with subsections (b) and (c) of the rule, the requirements of which are set out at the first two bullets above.
Advisers should consider their obligation under Section 206(2) of the Advisers Act of 1940, as amended, to make full and fair disclosure of all material facts to their clients. In its order involving AXA Rosenberg, the SEC characterized Section 206(2) as prohibiting “any investment adviser from engaging in any transaction, practice or course of business which operates as a fraud or deceit upon any client or prospective client. Pursuant to Section 206(2), investment advisers have a fiduciary duty that requires them to act in the best interests of their clients and to make full and fair disclosure of all material facts.”
Additional regulatory concerns include compliance with:
- Identity Theft Red Flag Rules;
- suspicious activity reporting requirements;
- books and records requirements;
- requirements relating to reasonable policies and procedures; and
- state and federal requirements relating to data breach notifications.
Conducting an Assessment. We recommend that all registered broker-dealers and investment advisers undertake an assessment of their cybersecurity preparedness using OCIE’s Sample Document Request. While the scope of this undertaking will vary greatly depending upon a firm’s business model, it should be meaningful for the vast majority of registered broker-dealers and investment advisers. Many firms should be able to draw upon previous assessments, in which case the Sample Document Request may be best used as a means of identifying issues or concerns that might have been missed previously. For firms that have not previously conducted such an assessment, the Sample Document Request should provide a useful checklist.
With respect to all firms, assessments should not be conducted merely by going through each question in the Sample Document Request in turn. Instead, we recommend that firms begin with a focus on understanding their risk assessment process. A strong process, i.e., one composed of participants that, collectively, have the independence, expertise, standing, and authority necessary to the task, is likely to lead to a program that is robust, comprehensive, and appropriate for the firm and its risk profile. A review of process should also illuminate how the pieces that form the overall program fit together. This understanding will assist both in the overall assessment process and, importantly, in the firm’s ability to present its program to OCIE should the need arise.
Firms should also give careful attention to the additional steps or processes taken to complement and support their risk programs. These steps are likely to mirror those generally taken to support a firm’s compliance program.
Some questions to ask in this regard include whether the relevant risk assessment programs:
- are complemented by an effective training program;
- involve appropriate control functions such as legal, compliance, and audit;
- have the attention and focus of the firm’s senior management and board of directors or similar function;
- include effective supervisory involvement and monitoring;
- include controls over changes to existing business lines and operations, including the introduction of new technology or software; and
- protect against inappropriate incentives.
Of course, as suggested by Question 6 of the Sample Document Request, a firm’s cybersecurity risk assessment program should also address the firm’s processes and procedures for responding to an incident should one occur.
Armed with a deep understanding of the firm’s process and overall cybersecurity program, the firm should then make its way through each of the questions asked by the Sample Document Request. In responding to these questions, firms should realize that not every question will apply to every firm and that, even where a question applies, its importance may vary significantly from firm to firm.
Documentation. Firms should document their assessment. Appropriate documentation will create a record that the firm has proactively engaged in the assessment process. Documentation will also facilitate future updates as well as the ability to gather relevant information and documents.
Improvements. As part of their assessments, firms should identify any needed improvements, prioritize such improvements, and develop and document a plan to implement and test them. As with any fix to a risk assessment or compliance program, this plan should identify the person or persons primarily responsible for the development and implementation of any improvements while also providing for oversight as to its timely completion and testing.
Disclosures. Advisers should also consider whether their assessment of their cybersecurity preparedness is generally consistent with their client disclosures.