Purpose:
Broker’s cybersecurity failure results in SEC fine, despite lack of damages to customers.
Welcome Message:
My name is Steve Hart, and I am a contributing journalist for Compliance Mitigation. I am a Partner at Conformity 360, a compliance consulting firm, serving as the resident subject-matter expert in buy-side Compliance. Prior to joining Conformity360, I was Chief Compliance Officer (“CCO”) for the prestigious firm Allen & Company, and prior to that, served as the Global Chief Administrative Officer for Compliance at BlackRock, the world’s largest asset management company. I hold an Investment Adviser Core Certification, an M.S. in Banking and Financial Services from Boston University and a B.A. in Political Science from the University of Pennsylvania.
Having worked as the CCO for Registered Investment Advisers (“RIAs”), I have been through numerous regulatory audits and examinations. Experience gives me insight into how the SEC conducts investigations and attempts to obtain enforcement actions.
Objectives:
After completing this case study, the participants will be able to:
- Define Cybersecurity.
- Explain cybersecurity’s mission critical function for Financial Services firms.
- Understand what prompts the SEC to bring enforcement actions against RIAs concerning the lack of safeguards in protecting customer records.
- Understand the importance of third-party due diligence of vendors performing mission critical functions.
- Understand best practices on how to implement cybersecurity.
Common Terms:
Cybersecurity, Personally Identifiable Information, Third-Party Due Diligence, Red Flag, Safeguards Rule
Current State:
The SEC brings enforcement actions against firms that fail to protect clients’ PII. Notably, even if no harm is done, the SEC will still bring an enforcement action. Many firms must therefore retain a full-time Chief Information Security Officer (“Cybersecurity Officer”) to address these concerns. Year after year, Cybersecurity appears on the SEC Exam Priority List. A strong cybersecurity program must now be part of any adequate compliance program.
The SEC filed an enforcement action against R.T. Jones Capital Equities Management (“R.T. Jones”), an RIA. The enforcement action relates to the firm’s failure to “establish the required cybersecurity policies and procedures in advance of a breach that compromises the PII of approximately 100,000 individuals, including the firm’s clients.” The R.T. Jones matter is the first enforcement action that the SEC brings against a regulated entity for a cybersecurity-related violation.
Future State:
Every broker, dealer, and investment company, and every investment adviser registered with the SEC must now adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Cybersecurity is the future of compliance programs, and likely many SEC enforcement actions. These policies and procedures must be reasonably designed to ensure the security and confidentiality of customer records and information.
Situation:
R.T. Jones fails, over a four-year period, to adopt written cybersecurity policies and procedures “reasonably designed to protect customer records and information,” as required by the federal securities law under the Investment Advisers Act of 1940. This failure becomes evident when, after R.T. Jones stores sensitive PII of clients and others on its third party-hosted web server for four years, this server is “attacked in the fourth year by an unknown hacker who gains access and copy rights to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.”
Background:
The SEC imposes a financial penalty of $75,000 on R.T. Jones, although there is no evidence that any client or investor was defrauded or harmed by the incident. The SEC states that R.T. Jones fails to comply with the “safeguards rule,” which requires firms to adopt written policies and procedures reasonably designed to protect customer records and information.
This serves as the SEC’s first enforcement action in the cybersecurity arena. The SEC fines R.T. Jones for failing, over a four-year period until the RIA discovers the breach, to establish the required cybersecurity policies and procedures in advance of a breach that compromises the PII of over 100,000 individuals.
Personally Identifiable Information “includes any representation of information that permits the identity of an individual to whom the information applies to be reasonably inferred by either direct or indirect means.” This case study demonstrates why companies must consider the regulatory compliance implications that these threats give rise to as well as the direct business, financial and reputational risks they present.
Analysis:
Although there is no evidence of any client suffering financial harm, and despite the fact that R.T. Jones takes prompt remedial efforts and cooperates with the SEC, the SEC explains that “[a]s we see an increasing barrage of cyber-attacks on financial firms, it is important to enforce the safeguards rule even … when there is no apparent financial harm to clients.”
The remediation efforts that R.T. Jones takes following the breach, including “the appointment of an information security manager, the implementation of a written information security policy that establishes a more secure data storage system, the retention of a cyber-security advisory firm, and free identity monitoring for individuals whose data was compromised,” are useful examples of cyber-security measures that all companies can and should take going forward.
All Financial Services firms must determine the particular cybersecurity rules that apply to them based on the type of personal data they maintain and the corresponding rules and regulations.
Recommendations:
For example, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) observes, during recent examinations, an increase in the number of cyber-attacks against SEC-registered investment advisers and brokers and dealers using “credential stuffing, a method of cyber-attack to client accounts that uses compromised client login credentials, resulting in the possible loss of customer assets and unauthorized disclosure of sensitive personal information.” The failure to proactively mitigate the risks of credential stuffing significantly increases various risks for firms, including but not limited to financial, regulatory, legal, and reputational risks.
OCIE encourages firms to review their customer account protection safeguards and identity theft prevention programs, and to consider whether updates to such programs or policies are warranted to address the given risks. RIAs must conduct due diligence on any third party providing a mission critical function to an RIA involving cybersecurity in any way. Such third-party vendor due diligence includes obtaining SOC-1 or SAS 70 reports, as applicable. SOC-1 reports and SAS 70 reports evidence testing of the third party’s cybersecurity program, including but not limited to penetration testing, firewall testing, etc.
Cybersecurity testing measures how effectively a firm’s strategy manages a potential attack. Services like red team assessments and penetration testing let certified professionals comb through a firm’s digital infrastructure to identify threats that are both commonly overlooked and difficult to find.
When a firm spots a “Red Flag,” or an issue of concern through its cybersecurity testing, it must be prepared to respond appropriately. The response will depend on the degree of risk posed. It may need to accommodate other legal obligations, like laws about providing and terminating service.
“These guidelines offer examples of some appropriate responses, including:
- monitoring a covered account for evidence of identity theft
- contacting the customer
- changing passwords, security codes, or other ways to access a covered account
- closing an existing account
- reopening an account with a new account number
- not opening a new account
- not trying to collect on an account or not selling an account to a debt collector
- notifying law enforcement
- determining that no response is warranted under the particular circumstances”
The facts of a particular case may warrant using one of these options, several of them, or another response altogether. Firms must consider whether any aggravating factors raise the risk of identity theft. For example, a recent breach that resulted in unauthorized access to a customer’s account records would call for a stepped-up response, because the risk of identity theft rises too.
Sources:
- https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf
- https://www.sec.gov/litigation/admin/2015/ia-4204.pdf
- https://www.sec.gov/exams/announcements
- https://vcheckglobal.com/services/third-party-due-diligence
- https://www.ftc.gov/tips-advice/business-center/guidance/fighting-identity-theft-red-flags