In the wake of numerous cyberattacks aimed at companies spanning various industries, it is no surprise that yet another federal agency—this time the SEC—is stressing the importance of proper cybersecurity protocols for the entities it regulates. Broker-dealers, investment advisors, and others in the securities industry often have access to some of the most sensitive client and consumer financial information, making data security a high priority for the SEC.
In January 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced that its examination priorities for 2014 would include a focus on cybersecurity preparedness in the securities industry.[1] In April 2014, OCIE announced that it would begin its cybersecurity initiative by conducting examinations of registered broker-dealers and investment advisors to assess the existence and efficacy of their cybersecurity protocols.[2] In January 2015, OCIE announced its examination priorities for 2015, again identifying cybersecurity as a priority, and indicating that OCIE would expand its reviews to include transfer agents.[3] In February 2015, OCIE published the results of this first round of examinations, highlighting legal, regulatory, and compliance issues.[4] Among other things, the report noted that the vast majority of the 106 firms reviewed had suffered a cybersecurity incident, had adopted written information security policies, and had conducted periodic risk assessments, but the firms’ policies relating to vendors and business partners varied greatly.[5]
On September 15, 2015, OCIE announced another round of examinations through a Risk Alert.[6] OCIE also provided information on the areas of focus for its second round of examinations.
According to OCIE, the examinations will focus in part on internal policies and procedures aimed at inhibiting attacks, such as governance and risk assessment, access rights and controls, data loss prevention, and the training of employees. Analyzing these internal policies and procedures will allow OCIE to determine, among other things, whether firm-specific controls are tailored to the firm’s business, how access to systems and data is managed, whether monitoring for unauthorized data transfers is in place, and how employees are trained to engage in responsible and secure behavior.
The examinations will also focus on firm practices and controls related to vendor management. OCIE noted that over the last few years some of the largest data breaches may have resulted from hacking of third-party vendor platforms. Examining vendor involvement and management will allow OCIE to understand a firm’s due diligence policies in selecting vendors, will show the level of oversight with respect to the vendor’s practices, and will show how vendor employees are trained on maintaining a secure database.
Finally, the examinations will also focus on policies and procedures aimed at responding to a breach. OCIE will determine what, if any, firm and vendor action plans exist to respond to potential future breaches and the details of how those action plans will be implemented if or when future breaches occur.
The September 15, 2015, OCIE Risk Alert by no means limits OCIE’s ability to inquire into other aspects of firm cybersecurity protocols, and firms should be ready to lay out their cybersecurity protocols and procedures for OCIE in great detail. To help firms prepare to respond to future OCIE requests for information, OCIE annexed a sample list of the types of documents it will likely seek. These documents include:
- Firm policies and procedures relating to the protection of customer records and information, including patch management practices
- Board minutes and briefing materials on cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors
- Information regarding the firm’s Chief Information Security Officer (CISO) or equivalent position, and other employees responsible for cybersecurity matters
- Information regarding the firm’s organizational structure with regard to the positions and departments responsible for cybersecurity matters
- Information regarding the firm’s periodic risk assessments, including penetration testing, vulnerability scans, and results and remediation efforts
- Policies and procedures regarding access rights and controls, as well as documentation reflecting implementation and compliance
- Firm policies and procedures regarding devices used to access the firm’s system externally (i.e., firm-issued and personal devices), including those addressing the encryption of such devices and the firm’s ability to remotely monitor, track, and deactivate remote devices
- Firm policies and procedures relating to data loss prevention
- Firm policies and procedures relating to third-party vendor management, including documents pertaining to vendor due diligence, contracts, supervision, and risk assessments
- Records of cybersecurity training of employees
- Incident response policies, procedures, reports, and remediation efforts
OCIE has further shown its commitment to cybersecurity by recently taking enforcement action against an entity that it determined had inadequate measures in place to address cybersecurity. Specifically, on September 22, 2015, the SEC announced a settlement with investment advisor R.T. Jones Capital Equities Management based on charges that it had failed to adopt adequate cybersecurity controls. Following an investigation, the SEC determined that R.T. Jones Capital had entirely failed to adopt any written policies or procedures to safeguard consumer information hosted on its third-party web server, which may have led to the compromise of personally identifiable information of over 100,000 individuals.[7] The SEC’s press release noted that federal securities laws require registered investment advisors to adopt written policies and procedures reasonably designed to protect customer records and information. Even though no apparent financial harm came to clients of R.T. Jones Capital as a result of a July 2013 hack, the SEC still charged the firm with violating its “safeguards rule.”[8] Among other things, the firm failed to conduct periodic risk assessments, implement a firewall, encrypt personal information stored on its servers, or maintain an incident response plan. In addition to agreeing to come into compliance, R.T. Jones Capital agreed to pay a $75,000 penalty as part of the settlement.
Combined, these efforts reflect a commitment by the SEC to ensure that the entities it regulates take data security seriously and implement reasonable policies and procedures to protect against cyberattacks.
[3] “Examination Priorities for 2015,” OCIE, January 13, 2015, https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf.
[6] “OCIE’s 2015 Cybersecurity Examination Initiative,” OCIE, National Exam Program Risk Alert, Vol. IV, Issue 8, September 15, 2015, https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
[7] In the Matter of R.T. Jones Capital Equities Management, Inc., File No. 3-16827 (September 22, 2015), https://www.sec.gov/litigation/admin/2015/ia-4204.pdf.
[8] Marshall S. Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit, commented that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.” SEC Press Release, “SEC Charges Investment Advisor with Failing to Adopt Proper Cybersecurity Policies and Procedures Prior to Breach,” September 22, 2015, http://www.sec.gov/news/pressrelease/2015-202.html.