Cybersecurity Compliance Is More Than A Policy, Part 1: What Advisers And Brokers Can Do To Ensure Policies Are Followed With Action

Published on September 17th, 2021


United States:


On August 30, the US Securities and Exchange Commission
(SEC) announced three cybersecurity-related enforcement actions
involving eight different firms. The actions arose from what appear
to be routine examinations of registered investment advisers and
broker-dealers. This post provides some high-level takeaways for
firms to consider in the wake of these actions. Tomorrow, we will
dive into the actions themselves and the rules violated.

As brief background, the SEC's examination priorities have
included a focus on cyber- and information security since at
least 2015. As Kristina
Littman, chief of the SEC's cyber unit, warned in the press
release announcing the actions: "It is not enough to write a
policy requiring enhanced security measures if those requirements
are not implemented or are only partially implemented, especially
in the face of known attacks." Moreover, beyond the SEC, other
regulators are focused on companies' cybersecurity policies.
For example, FINRA recently published guidance on
cloud computing and vendor management, which reminds firms to
include vendor management in their "reasonably designed
cybersecurity programs and controls consistent with their risk
profile, business model, and scale of operations."

In the wake of these recent orders, and the continued focus of
regulators in this area, companies would be well-served to review
and update their policies and procedures relating to information
security, consider whether technology enhancements are required
(and swiftly implement them), and ensure that individuals are
actually complying with them. Additionally, as one of the orders
illustrates, companies cannot simply send out form notifications
in the event of a cybersecurity breach: template language may
prove to be inaccurate, particularly when the same notice is sent
to different recipients at different times after the incident.
Instead, companies should re-evaluate each communication before it
is sent to make sure that it accurately reflects both when the
issue was identified and the nature of what occurred.

As this area continues to be a focus for all regulators, the
costs of compliance can seem daunting. Given this, registered
investment advisers and broker-dealers should consider taking the
following steps now:

  • Confirm that your written cyber- and information security
    policies are reasonably designed and tailored to the needs and
    sophistication of your business, and that sufficient and reasonable
    safeguards are in place with respect to protecting personal
    information. What is considered sufficient and reasonable in the
    realm of information security constantly evolves. This may require
    more frequent policy reviews than those that occur in other areas,
    especially if you experience any type of cybersecurity attack or
    breach.
  • Confirm that your policies and procedures have been
    implemented, which will likely require frequent discussion and
    contact with your Information Technology and Data Security
    teams.
  • Confirm that, in addition to your employees, any independent
    contractors and individuals located offshore are implementing your
    policies and procedures.
  • Conduct a cybersecurity risk assessment to ensure that you are
    meeting all of your legal requirements to protect data under the
    SEC Safeguards Rule and otherwise.
  • Implement the findings from the risk assessment! If there is a
    determination not to implement findings from the risk assessment,
    document the reasons why not and the alternative measure(s)
    taken.
  • Ensure written policies and procedures are robust and updated
    and include new findings from the assessment.
  • Practice your incident response process. Practice makes
    perfect, and failing to rehearse can lead to compliance failures
    at the very moment a real crisis (ransomware or otherwise)
    arrives.

Check back tomorrow for an in-depth discussion of the precise
rules implicated by these orders. For questions about requirements
for cybersecurity incident notices, please see our previous Advisory discussing banking
agencies' updated vendor management guidance or contact the
authors of this post.
