On January 12, 2017, the Securities and Exchange Commission released its Office of Compliance Inspections and Examinations (OCIE) priorities for the year. Indicative of the increasing risks present in a highly connected environment, cybersecurity continues to be a top focus for the SEC when examining its registrants. Specifically, the OCIE stated that it “will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls.” In practical terms, this means that registrants will need an active, evolving cybersecurity program, with supporting policies in place, that can be tested to demonstrate ongoing protection against high-priority threats.
Interestingly enough, despite statistics indicating that as many as 25% of the SEC’s registrants will suffer some form of cybersecurity breach, many of these organizations continue to underestimate or even ignore the threat. Most notably, many registrants continue to view cybersecurity as a compliance issue tied to an examination, and NOT as an operational requirement whose failure could significantly or even existentially affect the business.
Assessing your cybersecurity risk will not only help prevent a breach, but will also help you avoid the messy issues associated with SEC findings of noncompliance. If you haven’t yet acted to assess your organization’s cybersecurity risks, now is the time to do so.
Regardless of your organization’s size, if you are an SEC registrant and want to remain compliant, you need to understand that these rules apply to your organization as well.
What is required to implement an SEC compliant cybersecurity program?
The SEC has been very clear about its expectations in response to various cybersecurity breaches at registrants that did not possess, or did not properly implement, a cybersecurity program. Specifically, it has referenced the following in conjunction with cybersecurity findings and related fines:
- Regulation SCI
- Regulation S-P
- Regulation SDR
- Exchange Act Rule 13n-6
- Subpart C – Regulation S-ID: Identity Theft Red Flags
- Market Access Rule
- Exchange Act Rule 15c3-5
- Adopting release
- Compliance Rules
- Investment Company Act Rule 38a-1
- Investment Advisers Act Rule 206(4)-7
The SEC has also been clear in its expectation that registrants follow the recommendations set out by FINRA in its Report on Cybersecurity Practices (dated February 3, 2015). Most notably, in this document FINRA recommended that registrants design and implement custom-tailored cybersecurity programs that specifically address the following:
- The cybersecurity program will be approved and reviewed by an executive-level official, and will be monitored and reviewed every 12 months to adjust as needed;
- The cybersecurity program will include a process to provide cybersecurity training to the organization’s staff that is appropriate to the security risks facing the organization;
- The cybersecurity program will utilize an established set of cyber controls (e.g., NIST) to assess the organization’s security controls;
- The cybersecurity program will address risks posed to the organization by its critical third-party service providers;
- The cybersecurity program will address organization-specific cybersecurity risks and link those risks to technical implementation recommendations;
- The cybersecurity program will provide a Breach Response Process for the organization to follow in the event of a cyber breach.
While penetration testing is not specifically addressed by the SEC or FINRA, both regulators have stated that they also expect organizations to conduct technical control testing as part of their cybersecurity program. At a minimum, we recommend that registrants implement an annual penetration testing program. Penetration testing not only helps demonstrate active compliance with SEC and FINRA cybersecurity program guidelines, it is also an exceptional tool for identifying and remediating security vulnerabilities and weaknesses that are easily exploited by cyber criminals.
In September 2015, a St. Louis-based investment adviser, R.T. Jones Capital, settled with the SEC over a violation of Rule 30(a) of Regulation S-P, the rule governing cybersecurity safeguards. This rule requires registered broker-dealers, investment companies, and investment advisers to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.”
Prior to the summer of 2013, R.T. Jones had been storing sensitive information on a third-party server without implementing a firewall, conducting regular risk assessments, adopting encryption, or even creating a plan to respond to cybersecurity incidents. After a breach was detected in July 2013, the SEC imposed a $75,000 penalty on R.T. Jones for failing to have written policies and procedures reasonably designed to safeguard customer information.
Don’t fall victim to not knowing. Avoid the risk of a fine or a breach by taking the next step to ensure the security of your own and your clients’ information.
About the contributing author:
For almost 30 years, Michael Brice of BW Cyber Services has been providing technology security solutions across a broad spectrum of public, private and government agency clients including the heavily regulated financial services and healthcare industries.
Michael served as an officer in the US Marine Corps, where he received specialized training from the National Security Agency in Signals Intelligence. Following his service to the United States, Michael held executive positions leading IT strategy and related enterprise software services for various well-known firms, including as Principal at Booz-Allen, Partner at Unisys, and Chief Information Officer at the Industrial Distribution Group, Inc.
Michael’s firm, BW Cyber Services, provides an array of cybersecurity consulting services to numerous SEC and NFA registrants – including some of the world’s largest private fund advisers.
SEC Announces 2017 Examination Priorities. (2017, January 12). Retrieved February 08, 2017, from https://www.sec.gov/news/pressrelease/2017-7.html
SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach. (2015, September 22). Retrieved February 14, 2017, from https://www.sec.gov/news/pressrelease/2015-202.html