Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures.  https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.  In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments.  However, all the news was not good.  OCIE believes that these firms should have better tailored policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that various vulnerabilities were addressed in a timely fashion.  OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The recent cyberattacks across the globe have caused the  SEC’s Office of Compliance Inspections and Examinations (“OCIE”) to issue an alert and highlight certain best practices for firms to handle these ransomware attacks.

The OCIE staff based this guidance on its review of various firms, concluding that these firms should perform a cyber-risk assessment; conduct penetration and vulnerability tests; and ensure software maintenance such as updates and software patches if applicable.  The OCIE staff found that many firms had deficiencies.  Further, according to the OCIE staff, firms should develop contingency plans in the event a cyberattack were to be successful.

Finally, the securities industry is not immune from these cyberattacks, and firms need to take precautions.  Essentially, this is no longer just a compliance issue, but an entire firm issue, and those executives need to take notice because the next time it happens your firm may not be so lucky.

On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At its core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee, train, enforce the program and report hacking to the state. Any report of hacking must take place within 72 hours of the hack, where the hack has a reasonable likelihood to impact firm operations.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving it and to have email systems that block certain forms of information like Social Security numbers.27782265_s

With this cost, however, will come added protection for consumers and, in turn consumer confidence in their financial institutions. This one of a kind program is likely not to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection.   Are you doing enough now in the absence of regulation to protect consumer information?

A recent Investment News article highlighted a burgeoning market for financial advisors looking to protect their practices; namely, data breach insurance. Although such insurance seems like a great idea, you need to exercise due care when purchasing such insurance.19196909_s

According to the article, more and more firms are buying this insurance to supplement any gaps that may exist in regular D&O insurance. After all, the typical D&O insurance policy either does not cover or provides little coverage for the harm caused by a data breach.

Although this may make it seem as though data breach insurance is the easy answer, it may not be. For one, this insurance has historically been fairly expensive when compared to D&O insurance. In addition, data breach insurance often has many exclusions that can limit the coverage your purchase. So what should you look for in such insurance.

According to the article, you want a policy that covers as many of the following business expense as possible:

  • Lost data restoration.
  • Repairing or replacing damaged software or hardware.
  • Hiring public relations firms to address reputational damage.
  • Compensating clients for credit monitoring services.
  • Forensic investigators to investigate the incident.
  • Civil lawsuits, regulatory fines and penalties.
  • Lost profits caused by fraudulent wire transfers.

This list runs the spectrum, but are things you should consider before leaping into a cybersecurity insurance policy. Otherwise, you may not get what you pay for.

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud vendor failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm’s customers.27782265_s

This breach and resulting fine should certainly serve as a wake-up to all firms, but, in particular, to smaller firms. These firms are those who are more likely to use outside vendors to maintain cost, but are at greater risk.

If anything, this fine only enhances the fact that firms are responsible for the vendors that they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.

It is perfectly fine to use a cloud vendor or some other third-party for your firm operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client information, you could assign the risk of loss to the other firm. In other words, the other firm would have to indemnify you for any fines if their system is breached.

At the same time, part of your due diligence when hiring a firm must include asking tough questions. Like, have you ever sustained a breach. And, if so, have you had another one since.

In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.

Consistent with the ongoing guidance/requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures.  Even the best policies and procedures may, however, not protect the firm in every instance.  So what do you do if there is a breach?19196909_s

One of the most important things to determine is what law governs.  In other words, if you have clients in all 50 states, it is possible that there are 50 different data breach laws that may be implicated.  Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.

 

 

The SEC recently created a new position associated with cybersecurity; senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

19196909_sAccording to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless if the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review you systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you better start.

The SEC is prepared; are you?