Simons Says: Cyber This, Cyber That, Here’s Where We’re At…

Background

In January 2014, the National Examination Program (“NEP”) identified the examination priorities for Fiscal Year 2014. Included in the priorities was technology, with the statement that, “The NEP will continue to examine governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages.” These examination goals have been rolled into the term “Cybersecurity.” Although the SEC was talking about cybersecurity in 2011, that was primarily directed at public company disclosure obligations related to cybersecurity risks, not the disclosure obligations of investment advisers.

In March 2014, at the SEC Roundtable on Cybersecurity, SEC Chair Mary Jo White stated that, “Cybersecurity threats come from many sources: criminal and hired hackers, terrorists, state-sponsored intruders, and even misguided computer experts to see what they are able to penetrate, … pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer. This is a global threat. Cyber threats are of extraordinary and long-term seriousness…. Jim Comey, director of the FBI, has testified that resources devoted to cyber-based threats are expected ‘to eclipse’ resources devoted to terrorism.”

In April 2014, OCIE announced that it would conduct examinations to identify cybersecurity risks and assess cybersecurity in our industry, “to obtain information about the industry’s recent experiences with certain types of cyber threats.” The goal was to examine more than 50 registered investment advisers and broker-dealers to gather information about their cybersecurity programs.

In February 2015, OCIE gave us the findings of these examinations. Examination staff “examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity….” In the examinations, the staff collected and analyzed information relating to practices for:

  • identifying risks related to cybersecurity;
  • establishing cybersecurity governance, including policies, procedures, and oversight processes;
  • protecting firm networks and information;
  • identifying and addressing risks associated with remote access to client information and funds transfer requests;
  • identifying and addressing risks associated with vendors and other third parties; and
  • detecting unauthorized activity.

The staff also interviewed key personnel at each firm regarding:

  • business and operations;
  • detection and impact of cyber-attacks;
  • preparedness for cyber-attacks;
  • training and policies relevant to cybersecurity; and
  • protocol for reporting cyber breaches.

The February 2015 Risk Alert did provide a summary of the staff’s observations, but the percentage of firms that indicated that they had appropriate policies and procedures in place and were monitoring and testing them seemed to be a little on the high side. It should also be noted that, “The Staff conducted limited testing of the accuracy of the responses and the extent to which firms’ policies and procedures were implemented. The examinations did not include reviews of technical sufficiency of the firms’ programs.”

The SEC staff visited 106 registered investment advisers and broker-dealers to collect information but did not test the information received to any extent, instead relying on the Firms’ thoughts that adequate procedures were in place. Conclusions reached were not conclusions but the familiar refrain that, “The staff is still reviewing the information to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics. As noted in OCIE’s 2015 priorities, OCIE will continue to focus on cybersecurity using risk-based examinations.”

The Present

On September 15, 2015 the SEC issued a Risk Alert, “OCIE’s 2015 Cybersecurity Examination Initiative,” but it’s really a wake-up call for us to focus on cybersecurity issues in Fiscal Year 2016, which started October 1, 2015. In this new Risk Alert, OCIE is providing information on the areas of focus for 2016 cybersecurity examinations, and testing to assess implementation of procedures and controls.

This initiative will focus on the following areas:

  1. Governance and Risk Assessment
    assess whether you are periodically evaluating cybersecurity risks and whether controls in place are tailored to the business
  2. Access Rights and Controls
    assess the risk of failure to implement controls to prevent unauthorized access to systems or information such as updating access rights based on personnel or system changes
  3. Data Loss Prevention
    assess how firms monitor the volume of content transferred outside of the firm by employees or third parties such as vendors, and how you verify the authenticity of a client request to transfer funds
  4. Vendor Management
    assess the risk of breaches due to the hacking of a third party vendor’s platform, and due diligence in the selection and monitoring of third party vendors
  5. Training
    assess the proper training of employees and vendors, tailored to specific job functions and designed to encourage responsible employee and vendor behavior
  6. Incident Response
    assess whether you have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address future events or attacks on your system

Attached as an Appendix to the Risk Alert is a sample list of information the examination staff may request on cybersecurity examinations. The sample of requests includes items from each of the six areas described above. The list of requested items in the sample is fairly lengthy, so we suggest that you sit down with your IT staff or consultant and determine whether you have the ability to provide this information upon the Staff’s request; if so, how long it would take; and, if not, what actions you can take. If the requested information is not obtainable, be prepared to explain that to the SEC.

We’re always gratified when the SEC is willing to let us know what they’re looking for in advance of an examination. Knowing that probably only 10% of the adviser population will be examined in any one year is no guarantee that one of the firms examined will not be yours. It’s always wise to be prepared to the best of your ability, and if that’s not good enough, be prepared to explain why.

As a final note, we’re concerned about the SEC’s Administrative Proceeding against R.T. Jones Capital Equities Management, Inc. (“Jones”) released on September 22 of this year. Jones had personally identifiable information on its third-party-hosted server which was breached in July 2013. When the breach at its third-party-hosted web server was discovered, Jones reacted by bringing in consultants to confirm the attack and assess the scope of the breach. The consultants were unable to determine the extent of the breach because the intruder destroyed the log files surrounding the period of the breach. Jones provided notice of the breach to all of the individuals whose information may have been compromised. To date, Jones has not received any indication that any client suffered any financial harm as a result of the breach.

So, no harm was caused to anyone, action was taken to prevent recurrence of the breach, notification was made to all individuals whose information may have been accessed, and the SEC brought an action against the Firm, censured it and assessed a $75,000 civil money penalty, because “R.T. Jones willfully violated Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which requires registered investment advisers to adopt written policies and procedures that are reasonably designed to safeguard customer records and information.”


Closing

We’re concerned because the SEC has not typically brought an action against a Firm for inadequate policies and procedures when there has been no harm to any clients and the firm promptly took remedial action to prevent recurrence. Those situations are most often treated in a deficiency letter to the adviser. It appears that evidence of a breach is proof that your policies and procedures are inadequate, which is pretty scary when you consider that we’re being told that every business has the possibility of being breached, including the federal government.

I wanted to leave you with the closing note from the SEC’s September Risk Alert:

This Risk Alert is intended to highlight for firms risks and issues that the staff has identified. In addition, this Risk Alert describes factors that firms may consider to (i) assess their supervisory, compliance and/or other risk management systems related to these risks, and (ii) make any changes, as may be appropriate, to address or strengthen such systems. These factors are not exhaustive, nor will they constitute a safe harbor. Other factors besides those described in this Risk Alert may be appropriate to consider, and some of the factors may not be applicable to a particular firm’s business. While some of the factors discussed in this Risk Alert reflect existing regulatory requirements, they are not intended to alter such requirements. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised here. The adequacy of supervisory, compliance and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances. (Emphasis added.)
