The staff of the Investment Management Division of the U.S. Securities and Exchange Commission (“Staff”) recently issued guidance to both registered investment companies (“funds”) and registered investment advisers (“advisers”) regarding the ever present cybersecurity risks these entities face and measures they might adopt to protect the confidential and sensitive information that they collect, maintain, transfer, and destroy. This guidance was developed as a direct result of the Office of Compliance Inspections and Examinations (“OCIE”) report issued on February 3, 2015 which summarized its findings from an initial series of industry examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry along with the Staff’s discussions with boards and senior management during the course of its examinations and monitoring efforts.
A majority of the broker-dealers (88%) and advisers (74%) reported that they had been the subject of a cyber-related incident according to the OCIE report and the majority of these incidents were related to malware or fraudulent emails.
A Second Alert
The OCIE has recently issued a second alert outlining additional information on the areas of focus that the second round of cybersecurity examinations will target. In the upcoming round of examinations, the OCIE will focus on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response plans. Adopting the steps outlined below will assist you in preparing for and successfully passing an examination.
In one very recent case, a St. Louis investment advisor who suffered a China-based cyber attack that compromised the personally identifiable information (“PII”) of over 100,000 individuals (with no indication of a client suffering harm as a result of the disclosure) agreed to be censured and pay a $75,000 fine for violating the “safeguards rule” because the firm failed to adopt written policies and procedures reasonably designed to safeguard customer information (i.e. conduct periodic risk assessments, implement a firewall, encrypt personally identifiable information stored on its server, or maintain a response plan for cybersecurity incidents). Marshall S. Sprung, Co-Chief of the SEC Enforcement Division’s Asset Management Unit said: “As we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients. Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”
The measures that were recommended by the Staff to address cybersecurity risk include:
- Conduct periodic audits and ongoing assessments to identify the nature, sensitivity and location of the data collected, maintained, transferred and destroyed and the technology and information systems utilized. Actionable steps might include:
1) adopting and continuously updating written information security policies and procedures (including employee training on same) as the nature of data and its collection and usage evolve; and
2) utilizing external cybersecurity risk management standards such as the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”) and the Federal Financial Institutions Examination Council (“FFIEC”); and
3) inventorying, cataloging, mapping and continuously updating technology resources including data flows, hardware systems, physical devices, software platforms and applications, network resources, network connections (both internal and external) and logging capabilities and practices.
- Conduct periodic audits and ongoing assessments of both internal and external cybersecurity threats and vulnerabilities to the information and technology systems. Actionable steps might include:
1) performing periodic risk assessments and deploying software that monitors systems for unauthorized intrusion, loss or exfiltration of data; and
2) conducting effective monitoring, testing and updating of internal perimeter defenses, firewalls, incident detection systems (whether internal or external); and
3) requiring risk assessments of vendors with network access and confirming that vendors’ compliance measures are in place and in conformity with internal compliance measures; and
4) routine testing and updating of data retrieval, storage and destruction capabilities: and
5) collecting information from vendors, third party contractors specializing in cybersecurity, topic-specific publications and conferences; and
6) participating in an information sharing network with other firms to assist in identifying external threats (e.g. Financial Services Information Sharing and Analysis Center).
- Conduct periodic audits and assessments of security controls and processes currently in place. Actionable steps might include:
1) controlling access to various systems and data through two factor authentication, management of authorization levels and user credentials and correspondingly limiting administrative and vendor access; and
2) implementing strong password hygiene; and
3) encrypting data in some form;
4) employing tiered access to sensitive data and network resources and network segregation;
5) removing all non-essential software and services and all unnecessary or outdated usernames and logins; and
6) continuously updating software programs and services.
- Conduct periodic assessments of the enterprise impact should a compromise of the information or technology systems occur. Actionable steps might include creating a written business continuity plan that includes an incident response plan and conducting routine periodic desk top exercises that mimic an actual incident.
- Implement the compliance measures by educating and training officers and employees. Actionable steps might include:
1) designating a Chief Information Security Officer reporting to the board and responsible for managing cybersecurity; and
2) establishing corporate governance procedures for the management of cyber risk which include adoption by the board of the compliance strategy including the policies, procedures, business continuity plan and incident response plan.
- Education of investors and clients about how to reduce their cybersecurity risk might be helpful to reduce exposure of both firms and their clients and investors. Actionable steps might include information on how to reduce the exposure to cybersecurity risk may be directly addressed either on the firm’s website or in periodic email or postal distributions (i.e. newsletters or bulletins).
A Slim Majority Maintain Policies and Procedures
Also noteworthy, the OCIE reported that with respect to vendor management, a slim majority (51%) of the broker-dealers and only 13% of advisers maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks. Funds and advisers that share common networks (either directly or indirectly) should consider whether it is appropriate to assess the entire corporate network. Furthermore, the reporting percentages were similar regarding maintenance of cybersecurity insurance that would cover losses and expenses in the event of a cybersecurity incident.
Of course, there are important business and financial considerations involved in the decision to minimize exposure to cybersecurity risk and every business, large or small, must balance the benefits of status quo continuity with the risk of a cybersecurity incident. However, it is clear that the Staff takes cybersecurity risk seriously and the April 2015 Guidance and the continued OCIE examinations and reporting will undoubtedly translate into routine practice expectations whether during the course of a routine examination or an investigation as a result of a cybersecurity incident.