SEC's New Cybersecurity Appointment And What It Tells Us

Transcription

1 Portfolio Media. Inc. 111 West 19 th Street, 5th Floor New York, NY Phone: Fax: SEC's New Cybersecurity Appointment And What It Tells Us Law360, New York (July 6, 2016, 12:02 PM ET) -- The U.S. Securities and Exchange Commission announced last month both the creation of a new position senior adviser to the chair for cybersecurity policy as well as the first incumbent of that role Christopher R. Hetner. Amid increasing global concerns over data privacy and security practices, and frequent indications from the SEC that cybersecurity remains a priority, this move comes as no surprise, but will likely impact the financial industry. In his capacity as senior adviser, Hetner will report directly to SEC Chairwoman Mary Jo White on all matters related to cybersecurity policy. The SEC press release described Hetner s senior adviser responsibilities as threefold: (1) coordinating efforts across the SEC to address cybersecurity policy, (2) engaging with external stakeholders, and (3) further enhancing the commission s mechanisms for assessing broad-based market risk.[1] Hetner has more than 20 years of experience in information technology and security. In addition, he holds several industry-leading certifications, including the CISSP (Certified Information Systems Security Professional), the NSA INFOSEC (National Security Agency Information Security) Assessment Certification, and the CISM (Certified Information Security Manager). He is not a lawyer, and is thus representative of the broader trend within the commission of hiring substantive subject-matter experts (such as economic analysts and experts in complex financial products) who can assist others, including enforcement attorneys, in identifying potential areas of investigation. Phyllis Sumner Matt Baughman The creation of the cybersecurity policy senior adviser position, coupled with Hetner s substantial industry experience, will almost certainly affect SEC-regulated entities with respect to enforcement actions. The SEC will also likely undertake housekeeping measures to strengthen commission information security policies, practices and infrastructure both internally and externally, further altering the landscape for financial firms. Implications for the Financial Industry Nick Oldham The creation of the new senior adviser for cybersecurity policy at the SEC will likely have significant and immediate consequences for the financial industry, including an uptick in the number of cybersecurity investigations pursued by the SEC, as well as the nature of those investigations. In light of increased

2 scrutiny on SEC-regulated entities, it is also possible that the commission will issue further cybersecurity guidance. Increased Cybersecurity Enforcement Activity The SEC, along with other governmental agencies, is increasingly focused on cybersecurity issues in the financial industry. About two weeks ago, White described cybersecurity as one of the greatest risks facing the financial services industry and will be for the foreseeable future in testimony before the Senate Appropriations subcommittee.[2] She also told the subcommittee that the SEC would continue to bolster its risk-based approach to examinations of registered entities, including broker-dealers and investment advisers. Lest you think the commission will not make good on its promise to crack down on cybersecurity violators, consider this: when the SEC makes a point of putting its considerable resources to work for a particular end, and takes concrete steps in that direction, the commission tends to get results. Take the SEC Office of the Whistleblower, for example. For some 20 years, the SEC operated the precursor to today s whistleblower program, the much more limited Bounty Program, which resulted in few whistleblower tips to the commission and even fewer monetary payments to individuals. With the advent of a new SEC whistleblower program in 2010, put in place as a result of the Dodd-Frank Wall Street Reform and Consumer Protection Act, the SEC prioritized the collection of information from whistleblowers, as well as financially rewarding those whistleblowers whose tips pay off in the form of million-dollar-plus enforcement actions. Although some criticized the commission for what they argued was a slow start after the creation of the new whistleblower program, the Office of the Whistleblower is now active and has achieved significant results. A quick look at the office s web page reveals numerous splashy news titles of recent whistleblower awards, including the largest such award ever distributed by the commission that soar into the many millions of dollars.[3] Some might argue that the commission has gotten a slow start in the cybersecurity sphere as well. However, the SEC has already been ramping up cybersecurity enforcement over the past few years and is quickly gaining momentum. In 2015, for example, the SEC s Office of Compliance Inspections and Examinations conducted its second cybersweep, in which it examined 57 broker-dealers and 49 investment advisers for compliance with relevant legal and regulatory cybersecurity requirements. And White indicated that the commission is already building off the success of that cybersweep: she told the Senate Appropriations subcommittee that [t]his year s efforts will involve more testing to assess firms' preparedness and implementation of firms procedures and controls. In fact, just days after publicizing Hetner s appointment, the SEC announced Morgan Stanley s agreement to pay a $1 million penalty to settle charges related to the company s failures to protect confidential customer information in violation of the Safeguards Rule.[4] There is no doubt that the new emphasis on cybersecurity at the commission will lead to more numerous and larger investigations of SEC-regulated entities that focus on cybersecurity issues. Where regulatory resources lead, enforcement activity is sure to follow. SEC Cybersecurity Guidance For public company issuers, the SEC s Division of Corporation Finance first sought to clarify the disclosure requirements of securities issuers related to cybersecurity risks and incidents in 2011.[5]

3 Notably, the 2011 guidance is considered the most concrete action taken by the commission staff to put issuers on notice that cybersecurity breaches could and often do trigger a duty to disclose. Despite the 2011 guidance, public companies still struggle with disclosure requirements almost five years later. One potential result of the new senior adviser position would be the issuance of additional guidance from the staff in this area, which many would welcome. During the 2015 calendar year, the commission staff issued additional guidance to registered investment advisers and investment companies. The SEC s Division of Investment Management released a cybersecurity guidance update in April 2015 that contained measures for consideration by advisers and funds to address cybersecurity risk.[6] In addition to formal guidance issued to registered broker-dealers, the OCIE s 2014 and 2015 cybersweeps provide insight into the commission s cybersecurity examination priorities as well as the weaknesses identified by OCIE staff across the financial sector. The 2015 cybersweep, for example, revealed that 84 percent of broker-dealers, and a paltry 32 percent of investment advisers, perform cybersecurity risk assessments of vendors with access to the firms networks. SEC-registered entities would be wise to take notice of the findings from the cybersweeps, and confirm their own compliance where relevant. Changes to SEC Security Practices The timing of Hetner s appointment does not appear to be coincidental. The SEC announced its new senior adviser for cybersecurity policy position only a month after an April 2016 Government Accountability Office report highlighted continuing weaknesses with the security of the SEC s financial data.[7] The GAO determined that the SEC resolved five of 20 previously reported information security control deficiencies. However, the report also found that, despite progress, the SEC had yet to fully address the remaining 15 previously reported weaknesses. As a result of the audit, the GAO recommended that White direct the SEC s chief information officer to take six actions to better manage the Commission s information security program: (1) Review and appropriately update information technology and guidance consistent with SEC policy; (2) Document artifacts that support recommendation closure consistent with SEC policy; (3) Document a comprehensive physical inventory of the systems and applications in the production environment; (4) Review and update current configuration baseline settings for the operating systems; (5) Provide personnel appropriate access to continuous monitoring reports and tools to monitor, evaluate and remedy identified weaknesses; (6) Institute a process and assign the necessary personnel to review information produced by the vulnerability scanning tools to monitor, evaluate and remedy identified weaknesses. Given the potential consequences of mismanaged information security at the commission and in an effort to avoid repeated chastising for failure to resolve identified IT security weaknesses the SEC will certainly continue to address these deficiencies. The GAO directed the content of its report primarily

4 toward the SEC s chief information officer; but, of course, the senior adviser for cybersecurity policy did not exist at the time of the report s release. One can assume that, given Hetner s expertise, he will also play a key role in strengthening the commission s internal and external information security programs. Conclusion It is clear that the 21st century SEC is here to stay. The commission has invested substantial resources into the creation of state-of-the-art information gathering and data analytics systems that are used to flag suspicious trading, identify problematic accounting practices, and focus on investments yielding outlier results. Cybersecurity is a natural investigatory focus for the commission staff, not just for registered entities but also for public companies whose cybersecurity practices the staff is increasingly scrutinizing. At the same time, criticisms of the commission s own IT infrastructure have particular bite, if only because the commission has placed such a high priority on formulating sophisticated methods of slicing and dicing the huge amounts of potentially sensitive financial information collected from public companies, registered entities and exchanges. Whether to put its own house in order, or to further its investigatory aims, the SEC is certain to stay focused on cybersecurity issues for the foreseeable future. And that focus will doubtless lead to increased investigations and enforcement activity in this developing space. By Phyllis Sumner, Matt Baughman, Nick Oldham and Bailey Langner, King & Spalding LLP Phyllis Sumner is a partner in King & Spalding's Atlanta office and leads the firm s data, privacy and security practice. She is a former assistant U.S. attorney for the Northern District of Illinois and the Northern District of Georgia. Matt Baughman is a partner in the firm's Atlanta office and a former SEC enforcement attorney. Nick Oldham is a counsel in King & Spalding's Washington, D.C., office. He is a former counsel for cyberinvestigations for the DOJ s National Security Division and a former assistant U.S. attorney in the Northern District of Georgia. Bailey Langner is an associate in the firm's San Francisco office. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. [1] SEC Names Christopher Hetner as Senior Advisor to the Chair for Cybersecurity Policy, Press Release, June 2, 2016, available at [2] Chair Mary Jo White, Testimony on Oversight of the U.S. Securities and Exchange Commission, before the Committee on Banking, Housing, and Urban Affairs, United States Senate (June 14, 2016), available at [3] See Welcome to the Office of the Whistleblower, Latest News, U.S. Securities and Exchange Commission, (last visited June 22, 2016). [4] SEC: Morgan Stanley Failed to Safeguard Customer Data, Press Release, U.S. Securities and Exchange Commission (June 8, 2016), available at

5 [5] CF Disclosure Guidance: Topic No. 2 Cybersecurity ( 2011 SEC Guidance ), U.S. Securities and Exchange Commission, Division of Corporate Finance (Oct. 13, 2011), available at [6] Cybersecurity Guidance ( 2015 SEC Guidance ), Guidance Update, U.S. Securities and Exchange Commission, Division of Investment Management (April 2015), available at [7] Information Security: Opportunities Exist for SEC to Improve Its Controls over Financial Systems and Data, Report to the Chair, U.S. Securities and Exchange Commission, U.S. Government Accountability Office, April 2016, available at Security. All Content , Portfolio Media, Inc.