United States: SEC Brings First Cybersecurity Enforcement Proceeding In Wake Of Risk Alert

Highlights Areas of High Risk and Examination Priorities for Financial Industry Firms

On September 15, the U.S. Securities and Exchange Commission's (SEC's) Office of Compliance, Inspections and Examinations (OCIE) issued new guidance outlining areas of cybersecurity risk to be addressed by registered broker-dealers and investment advisers in their systems and procedures. The guidance, issued in the form of a "Risk Alert," sets forth examination priorities to be used by SEC examiners in upcoming examinations of these firms. Just one week later, the SEC's Division of Enforcement filed its first enforcement action in the cybersecurity arena, against St. Louis investment adviser R.T. Jones Capital Equities Management, for violations surrounding a hacking incident that exposed the firm's customers to the risk of identity theft. Matter of R.T. Jones Capital Equities Management, Inc., Admin. Proc. File No. 3-16827, SEC Investment Advisers Act Release No. 4204 (Sept. 22, 2015). Although the case settled and R.T. Jones neither admitted nor denied the SEC's findings, the case underscores the need for financial industry firms to have robust written procedures and systems to detect, prevent, and respond to instances of cybercrime and other breaches.

Summary of Key Issues

  • A new round of SEC examinations, focusing specifically on cybersecurity, will begin soon
  • Broker-dealers and registered investment advisers now have an opportunity to assess, and if necessary improve, their systems, practices, and written policies and procedures in the following key areas:

    • Governance and risk assessment
    • Access rights and controls
    • Data loss prevention
    • Vendor management
    • Training
    • Incident response
  • The SEC has signaled that it will not hesitate to sanction firms for deficient written policies and procedures, even in cases where firms are victims of cybercrime and have responded promptly and effectively to the incident

The September 15th Risk Alert

The September 15th Risk Alert comes on the heels of a number of cybersecurity initiatives by the SEC in 2014, as well as earlier this year. The Alert draws on concepts and findings reflected in the SEC's March 2014 Cybersecurity Roundtable, its April 2014 Risk Alert, announcing a "sweep" examination for cybersecurity preparedness, and its February 2015 report of observations from that sweep. Further, the SEC also included cybersecurity topics in its 2015 Examination Priorities letter, issued January 13, 2015.

OCIE indicated that this second round of examinations, to be known as the "Cybersecurity Examination Initiative," will "involve more testing to assess implementation of firm procedures and controls." These examinations will build on the earlier round. In sum, the September 15 Alert is a straightforward announcement of the SEC's expectations in this area, and firms would be wise to take advantage of this "heads up" in preparing for the upcoming examinations.

What Was the SEC's Intent in Issuing its Risk Alert?

The best statement of the SEC's intent regarding the Alert is found in a postscript, in which the SEC noted:

This Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor.

As such, it seems clear that the SEC expects all firms subject to its examination jurisdiction to review their systems and procedures and make any necessary changes before the examiners arrive. The Alert provides a general overview of the six main cybersecurity compliance topics that will be the subject of the upcoming examinations. These topics are listed below. With these topics articulated in the Alert, it will be difficult for firms to defend the adequacy of their systems or procedures if they have not attended to each of them.

Secondly, the SEC is allowing firms to prepare themselves for the examination itself, by providing an advance copy of a lengthy and detailed set of information and document requests, which are attached as an appendix to the Alert.

The Alert provides little guidance, however, as to the substance of how the goals reflected in the six main topics are to be implemented. Thus, the OCIE examiners will likely see wide variation in how firms deal with the topics articulated in the Alert. For example, the Alert speaks broadly about user access rights and controls and prevention of data loss, but does not mention any specific requirement that electronic communications or devices be encrypted. Some firms may choose to employ encryption, while others may choose to safeguard information through a variety of other layers of protection without employing encryption. Under the unique circumstances faced by an individual firm, either approach may be deemed adequate.

The Alert hastens to caution, however, that neither the topics discussed in the Alert, nor the information and document requests are, in and of themselves, rules or SEC requirements of any sort, although they may reflect requirements that arise out of the SEC's rules and governing statutes. The overall approach of the Alert makes it clear that the specific facts and circumstances relevant to each firm are to be considered in assessing the adequacy of the firm's systems and procedures, and that such systems and procedures should be tailored to each firm's business.

That said — returning to the encryption example — the information and document requests attached to the Alert do request documents relating to any encryption requirements firms may have for firm-issued or personal devices. The fact that OCIE is making such a request may reflect the staff's view that, at least in some instances, encryption is required. A less likely, but possible, reason for such a request might also be to allow OCIE to survey how many firms are using encryption and whether it has become a best practice in the industry regarding cybersecurity. Dozens of other document requests are equally specific, and because they are obviously designed to cover the waterfront of known cybersecurity challenges facing broker-dealers and investment advisers generally, many of the requests may not even apply to some firms.

How Will the SEC Examine Firms for Compliance?

The Alert announced that the SEC will examine registered broker-dealers and investment advisers, as part of its Cybersecurity Examination Initiative, focusing on "key topics" including:

  • Governance and risk assessment
  • Access rights and controls
  • Data loss prevention
  • Vendor management
  • Training
  • Incident response

The OCIE examiners will review each firm's written policies and procedures with respect to cybersecurity, and will request documents and information in accordance with the form requests attached as an appendix to the Alert.

The R.T. Jones Case

R.T. Jones' Systems "Hacked" by Unknown Assailant

According to the Order Instituting Administrative and Cease-and-Desist Proceedings, Making Findings, and Imposing Remedial Sanctions and a Cease-and-Desist Order issued against R.T. Jones on September 22, 2015 (the Order), in July 2013, R.T. Jones' third-party web server was attacked by an unauthorized intruder whose identity was never discovered, but whose activity was determined to originate from multiple IP addresses in China. The intruder gained access to, and the ability to copy, nearly four years of personally identifiable information (PII) of customers and third parties. The stored information was not encrypted, but the firm restricted access to two individuals who held administrator status. As a result of the attack, the SEC alleged that "the PII of more than 100,000 individuals, including thousands of R.T. Jones's clients, was rendered vulnerable to theft."

Upon learning of the breach, the firm promptly hired multiple cybersecurity consulting firms to investigate and assist the firm. The consultants could not assess the full extent of the breach because the log files had been destroyed in the attack by the intruder. Another cybersecurity consultant unsuccessfully attempted to determine if any of the PII stored on the server had been accessed. The firm provided notice of the breach to all individuals whose PII may have been compromised and offered to provide free identity monitoring services. More than two years have passed since the breach occurred, and the firm has not been informed that any client has suffered financial harm stemming from the breach.

The SEC's Charges Against the Firm

The SEC charged R.T. Jones with violations of Rule 30(a) of SEC Regulation S-P, 17 C.F.R. § 248.30(a), which is known as "the Safeguards Rule." As summarized in the Order, the Safeguards Rule requires that:

Every investment adviser registered with the Commission adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

In its 2005 amendments to the Safeguards Rule, the SEC required that such policies and procedures be in writing.

The SEC alleged that R.T. Jones did not have written policies and procedures that were reasonably designed to safeguard its clients' PII. While the SEC acknowledged that the firm did have some written procedures for protecting its clients' information, such procedures did not include such items as:

  • Conducting periodic risk assessments
  • Employing a firewall to protect the web server on which client PII was stored
  • Encrypting client PII stored on that server

In addition, the firm lacked any written policies or procedures for responding to a cybersecurity incident.

Sanctions

The firm was censured, ordered to cease and desist from future violations of Rule 30(a) of Regulation S-P, and ordered to pay a fine of $75,000. It is noteworthy that the SEC did not impose a requirement that the firm retain an independent compliance consultant to review the firm's procedures and recommend any necessary improvements.

Conclusions and Compliance Strategy

1. Steps to Safeguard Data

The specific steps to be taken by any individual firm must be tailored to the business and circumstances of each firm. It is interesting that in the R.T. Jones case, the SEC cited the firm for failing to provide for encryption of customer PII on its third-party hosted web server, yet in the Alert, there is no mention of encryption as a topic to be addressed by broker-dealers and investment advisers generally. Perhaps the SEC wishes to avoid pronouncing an encryption requirement, while nevertheless concluding that under the facts of R.T. Jones, it was unreasonable not to encrypt. This tension is illustrative of the difficulty that firms are likely to have in assessing the level of security required to satisfy the SEC's examiners. Based on the SEC's assertions, as well as enforcement actions taken by the Federal Trade Commission and the Federal Communications Commission, we believe encryption of sensitive personal information is becoming the de facto standard and therefore firms should seriously review whether encryption should be adopted in their cybersecurity systems and procedures.

In the face of such uncertainty, we believe the best approach a firm can take is to create a robust process for assessing all known risks, addressing them through responses that the firm concludes are reasonable, providing appropriate training to its employees, and — importantly — periodically repeating the process of assessment and response to assure that the firm's approach is up-to-date and commensurate with industry standards, both in terms of the current risk environment and in the application of the most current and efficient technologies available for response. The use of outside counsel or an independent cybersecurity consultant not only adds to the quality of the assessment and problem solving beyond the capabilities of whatever in-house staff the firm may have, but also serves as additional proof that the firm takes its cybersecurity responsibilities seriously.

2. Written Policies and Procedures

The requirement that a broker-dealer or investment adviser have written policies and procedures to address cybersecurity risks can be traced to various sources. Most directly, SEC Regulation S-P requires such firms to maintain procedures to protect the security and confidentiality of customer information and records. In addition, both the Securities Exchange Act of 1934 and the Investment Advisers Act of 1940 effectively require firms to maintain written supervisory procedures. Further, broker-dealers who are Financial Industry Regulatory Authority (FINRA) members have a specific requirement under FINRA Rule 3130 to maintain procedures to supervise their employees and their business. (Notably, the FINRA Report on Cybersecurity Practices, issued in February 2015, contains a very detailed and substantive discussion of data protection issues, while expressly recognizing that there is no "one size fits all" approach when it comes to cybersecurity, especially as concerns the use of generally recognized frameworks and standards. The Report is a good resource even for firms that are not FINRA members.)

It is important that the firm's written procedures address each topic articulated in the SEC Alert, as well as other issues unique to the firm, regardless of whether they are mentioned in the Alert. Everything that the firm does in this area should be documented as a written policy or procedure. While a significant part of the examination will be establishing that the written policies and procedures are, in fact, being performed, the converse is often overlooked by firms: the fact that a firm is actually performing a process (and even doing so effectively) cannot cure the omission of that process from its written procedures.

The R.T. Jones case presents a good example of this. Although the firm (a) promptly engaged consulting firms to determine the extent of the attack; (b) implemented measures to prevent such an attack from reoccurring; and (c) took steps to alert all persons whose private information was compromised (including offering free identity theft monitoring), the firm was nevertheless disciplined. The SEC noted that the sanctions would have been more severe had such prompt remedial steps (which, we emphasize, were accomplished in spite of the absence of any written procedures) not been taken.

The procedures should not simply be a listing of principles or rules, but should be process-oriented. For example, they should identify, by title, individuals within the organization who have responsibility for ensuring compliance, the manner in which they are expected to do so, the training regarding cybersecurity they received, how such activities are to be documented, and should specify a system of follow-up and review (i.e., audit) to ensure that the designated individuals are performing their responsibilities in an effective manner.

For example, an effective procedure to guard against data loss by employees might be a real-time alert that notifies a designated supervisor in the event that an employee attempts to download firm data to a thumb or flash drive, or emails an unusual amount of data to an outside email address. But such a procedure may be seen as deficient if it is not adequately documented, including specifying the response steps to be undertaken by the supervisor if such suspicious activity is detected.

The Alert also telegraphs the SEC's obvious desire that firms involve senior management in cybersecurity issues. That too should be reflected in the written procedures.

We recommend as a baseline that organizations address the following areas in their cybersecurity policies:

  • Cybersecurity Governance and Risk Management — Each organization should adopt a framework for internal investigation, decision-making and escalation within the organization to identify and manage cybersecurity risks
  • Cybersecurity Risk Assessment — Firms should conduct periodic risk assessment to identify cybersecurity risks relating to firm technology, information access and vendor compliance, and to prioritize remedial activities and initiatives
  • Technical Controls — Organizations should implement and maintain technical controls to protect information assets and technology, such as access management and control, data encryption and penetration testing
  • Incident Response Planning — Firms should establish written procedures and guidance for preparing for and responding to security breaches and other cybersecurity incidents, including designation of an incident response team and roles and responsibilities
  • Vendor Management — With the tremendous move to the use of cloud-based software and data solutions, firms should proactively manage the cyber-risks associated with their vendor relationships, including vendor due diligence and appropriate contractual protections
  • Staff Training — Employees are critical to a successful cybersecurity risk management program. Thus, firms should include regular training for information security professionals, as well as the workforce as a whole on issues such as incident response, good security practices and anti-phishing education
  • Cyber Intelligence and Information Sharing — Responsibility should be assigned to one or more individuals for remaining current on the constantly evolving cyber threats and risks, and communicating those threats and risks throughout the organization
  • Cyber-Risk Insurance — Recognizing that no firm will always maintain 100 percent security, firms should consider the use of cyber-risk insurance as another way of mitigating losses and exposure from security breaches and other cybersecurity incidents

3. Preparation for Upcoming OCIE Examinations

The Alert plainly states that the information and document requests, which are attached as an appendix to the Alert, are "to be used" in the Cybersecurity Examination Initiative. Thus, firms should begin to assess whether they are in possession of documents, or have accessible information, relevant to each of the requests. It may well be most efficient to gather and segregate responsive documents as they are located, even before the firm receives a formal request from the OCIE examiners. Another reason to do this ahead of time is because in some cases documentation may be missing, and efforts to recover or locate the documentation can be undertaken without the urgency of a pending request from the regulator.

Of course, perhaps the most valuable part of the Alert is the opportunity to review and revise written procedures before the staff asks for them as part of the examination. While it will be obvious, and should be transparent, if the firm has made changes between September 15 and the date of the eventual examination, firms are much better off making the changes on their own, rather than being prompted by deficiencies noted in the examination.

Some firms will decide to employ counsel with experience in cybersecurity issues to review and assist in the revision of written procedures, and to assess the adequacy of the prospective responses to the document and information requests. Outside counsel can view the firm with more objectivity — even as an examiner would — in order to allow the firm to make better-informed decisions regarding possible changes and initiatives.

4. Responses to Breaches

As noted above, effective security breach incident response is critical to every cybersecurity management program. In the R.T. Jones case, the firm's response appears to have been immediate, and it notified customers promptly that a breach had occurred. The SEC's focus was not, therefore, on the firm's response, but rather on its lack of written procedures. A portion of the violations enumerated in the SEC's Order were based on the firm's failure to document its response plan, even though the response appears to have been executed quite successfully. In other words, a firm that successfully navigates its way through a cyber-breach incident "on the fly," even in the absence of any damage to the firm or harm to its customers, will not be able to escape regulatory scrutiny if it does not have a well-documented response plan. Moreover, the failure to have such a well-documented response plan may also be the focus of any civil litigation which may follow a breach.

Financial services firms doing business in California should also review new requirements for responding to data breaches signed into law on October 6th. Read more about these requirements in our next Cybersecurity Alert, available here.

Author: Kramer Levin Naftalis & Frankel LLP