1 The Investment Lawyer Covering Legal and Regulatory Issues of Asset Management VOL. 21, NO. 8 AUGUST 2014 Developments in Cybersecurity Law Governing the Investment Industry By Luke T. Cadigan and Sean P. Mahoney Regulatory focus on cybersecurity is intensifying. Unlike other compliance matters, the deterrent effect of enforcement actions following data security breaches may be insufficient to achieve regulators purpose of ensuring that technology platforms are secure before an event occurs. Thus, in the area of cybersecurity, regulators appear to be shunning granular, prescriptive rules and instead insisting upon more holistic management of cybersecurity risk. While regulations and guidance imposing cybersecurity requirements can be difficult to decipher, there are a number of sources that one can look to in order to discern regulatory expectations. By way of current law, brokers, dealers, investment companies and investment advisers (SEC-regulated Entities) can look to Securities and Exchange Commission (the SEC) Regulation S-P, 1 promulgated pursuant to Title V of the Gramm-Leach-Bliley Act, enforcement actions taken under that rule, and state laws governing information security generally. More current guidance was discussed at a roundtable on cybersecurity hosted by the SEC and an alert with a sample request for information, providing more detail on expectations, was released by the SEC Office of Compliance Inspections and Examinations (OCIE). In addition to OCIE guidance, the National Institute of Standards and Technology (NIST) issued its cybersecurity framework, which appears to have been accepted by the SEC. Existing Laws and Regulations Governing Cyber-Security Prescriptive rules and regulations governing data security practices of SEC-regulated Entities are generally limited to discrete requirements designed to protect specific classes of information. Regulation S-P, for example, requires SEC-regulated Entities to adopt written policies and procedures with administrative, technical and physical safeguards to protect customer records and information. Unlike similar regulations promulgated by bank regulators, Regulation S-P does not contain detailed information security requirements. In 2008, the SEC had proposed a significant expansion of Regulation S-P to provide more detailed requirements with respect to the information security policies and procedures of SEC-regulated Entities. 2 The SEC s proposed rule would have closely tracked the Interagency Guidelines Establishing Standards for Safeguarding Customer Information adopted by federal bank regulators. 3 The proposed regulations would have explicitly imposed a number of requirements that may otherwise be viewed as best practices, including: Designating employees to implement the information security program; Identifying risks to data security;
2 2 THE INVESTMENT LAWYER Designing safeguards to protect against identified risks; Testing or monitoring effectiveness of key controls, systems and procedures; Training staff; and Overseeing service providers by ensuring that they are capable of protecting data and requiring them to maintain appropriate safeguards. 4 The proposed rules also would have imposed requirements for responding to data security breaches and providing notice to affected persons, a key concern at the time the rules were proposed. 5 Regulation S-P further requires that SECregulated Entities dispose of consumer report information and protect against its unauthorized access or use in connection with its disposal. 6 Consumer report information is a consumer report or information derived from a consumer report. Consumer report, in turn, is defined somewhat circularly as any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer s credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer s eligibility for [consumer credit, employment or other permissible purposes]. 7 In addition, the SEC promulgated Regulation S-ID pursuant to the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). 8 Regulation S-ID requires SEC-regulated Entities that are financial institutions or creditors (that is, persons that regularly extend credit) 9 and that offer or maintain covered accounts to develop and implement written identity theft prevention programs designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. 10 For purposes of Regulation S-ID, a financial institution is an entity that maintains accounts with respect to which the account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items. 11 Covered accounts are consumer accounts incident to continuing relationships that allow for multiple transactions or withdrawals or other accounts that present the risk of identity theft. 12 There are also state data security laws that may be broadly applicable to information security programs. Massachusetts adopted one of the more detailed information security and data security breach laws that applies to any person that holds protected personal information pertaining to Massachusetts residents. 13 The Massachusetts law protects information, however, only to the extent that it consists of a name and an identifying number, such as a social security number, drivers license number or account number. Regulations adopted under the Massachusetts statute require persons holding such protected information, which may include SEC-regulated Entities, to: Designate one or more employees to maintain the comprehensive information security program; Identify and assess reasonably foreseeable internal and external risks to information security and assessing the effectiveness of the current safeguards; Educate and train employees on the proper use of the computer security system and the importance of information security; Develop security policies for employees relating to the storage, access and transportation of protected information; Impose disciplinary measures for violations of the comprehensive information security program rules; Prevent terminated employees from accessing records containing personal information; Manage vendors by, among other things, ascertaining each vendor s ability to keep protected information secure and requiring that vendors maintain comprehensive information security programs;
3 VOL. 21, NO. 8 AUGUST Impose reasonable restrictions upon access to protected information; Review the scope of the security measures at least annually or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information; Document responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken; Employ secure user authentication protocols; Encrypt all transmission of protected information and all personal information stored on laptops or other portable devices; Monitor for unauthorized use of or access to personal information; and Employ reasonably up-to-date firewall protection and operating system security patches. 14 While the SEC has yet to impose such detailed requirements, OCIE has taken the position that Rule 15c3-5 promulgated under the Securities Exchange Act of requires broker-dealers with market access to an exchange or alternative trading system or that provide customers or other persons with such access to maintain policies and procedures to protect information and information systems from unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording or destruction. 16 OCIE appears to reason that Rule 15c3-5 s requirement that a broker-dealer restrict access to trading systems and technology that provide market access to persons and accounts preapproved and authorized by the broker or dealer imposes a general cybersecurity requirement. 17 With respect to the business continuity aspect of cybersecurity, the Financial Industry Regulatory Authority, Inc. (FINRA) has adopted a rule on the topic, 18 which was approved by the SEC in August of 2009 and became effective January 1, FINRA Rule 4370 succinctly requires FINRA members to adopt a business continuity plan, designate members of senior management responsible for its implementation and disclose to their customers how the business continuity plan addresses possible future significant business disruption. Similarly, registered investment advisers are required to have compliance policies and procedures that address business continuity plans under Rule 206(4)-7 under the Investment Advisers Act of And, registered investment companies are required under Rule 38a-1 under the Investment Company Act of 1940 to have compliance policies and procedures that provide for oversight of compliance by certain fund service providers, which would include the service providers business continuity plans. 20 Cybersecurity events such as distributed denial of service attacks (or DDoS attacks) would be the type of significant business disruption to be addressed by a business continuity plan under any of these rules. 21 SEC Data Security Enforcement Actions Notwithstanding the lack of detailed information security rules, the SEC has taken a number of enforcement actions under Regulation S-P with respect to data security practices. These actions typically involved what the SEC had perceived as egregious violations of the regulation, such as not having cybersecurity protocols that the SEC views as fundamental, having vague policies that merely restate the rule, or having no policies at all. The actions typically involve firms operating branch networks, where the firm lacks sufficient control over branch offices. For example, in 2008, the SEC issued a cease and desist order in response to an offer of settlement against a firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity, leaving the firm vulnerable to hacking attacks. 22 The alleged violations were discovered following a hacking event in which hackers were able to access customer accounts and execute trades. In particular, the SEC found the following asserted cybersecurity failures of Regulation S-P: (1) failure to require registered representatives to
4 4 THE INVESTMENT LAWYER maintain strong passwords (that is, passwords requiring a certain length or alphanumeric/special character combinations); (2) failure to require registered representatives to reset passwords periodically; (3) failure to allow registered representatives to change their own passwords; and (4) not having an automatic lockout feature after repeated, unsuccessful log-in attempts. The SEC further criticized the firm for allegedly allowing more than 300 information technology staff to access the log-in credentials for registered representatives. The SEC acknowledged that the firm had established a committee to consider cybersecurity improvements prior to the hacking incident, but it noted that the work of the committee was not scheduled to begin until a date after the hacking incidents occurred. A little over a year later, the SEC issued a cease and desist order in response to an offer of settlement against another firm registered as a broker-dealer and investment adviser that the SEC alleged had insufficient cybersecurity. 23 Like the 2008 action, this action arose out of a hacking incident in which hackers allegedly accessed account information and used such information to execute trades. The particular shortcomings in cybersecurity involved the firm s alleged failure to require branch offices to install antivirus software and knowledge through the firm s information technology help desk that certain branches did not have antivirus software. In this case, the alleged hacking occurred through the use of a computer virus. Another enforcement action in 2009 involved a registered broker-dealer s failure to maintain adequate policies and procedures and failure to train branch office personnel. 24 SEC Staff described the firm s policies and procedures as simply restating the objectives of the information security provisions of Regulation S-P and not addressing any administrative, technical or physical safeguards associated with customer records or information, including how to dispose properly of such records when they were no longer needed. This action did not involve any information systems that were hacked, rather the SEC alleged that records containing customer information were abandoned on the side of a road by a former registered representative and left there for approximately two weeks. This action stresses the SEC s view of the importance of data disposal procedures under Regulation S-P. More recently, in a series of enforcement actions taken in 2011 in connection with the winding down of a registered broker-dealer, the SEC imposed civil money penalties against executives and other employees for, among other things, allegedly taking no action to prevent or respond to security breaches involving theft of laptops and access to firm by former employees. 25 The SEC also asserted that the respondents violated Regulation S-P by transferring customer records of the firm winding down without customer consent, highlighting the obligations of officers and employees to safeguard data as part of a firm s cybersecurity responsibilities. In this case, a chief compliance officer was assessed civil money penalties for the alleged cybersecurity-related violations. While these enforcement actions indicate the SEC s willingness to use existing regulations to ensure security of sensitive information, they all share one common element: each action was commenced after an alleged incident of unauthorized access to customer information. These actions also have little to do with potential risks associated with access to information systems of SEC-regulated Entities where such access involves sensitive information that is not protected by Regulation S-P. It should be no surprise that recent statements and releases from the SEC indicate that the SEC is looking to take a more proactive approach to cybersecurity. Guidance Addressing Cybersecurity While the increasing focus on cybersecurity is unmistakable, the SEC has been following this issue for some time. Over the past few years, OCIE has repeatedly indicated that risk management is one of its examination priorities. 26 Further, with respect to technology, OCIE has indicated that it will examine
5 VOL. 21, NO. 8 AUGUST governance and supervision of information technology systems, operational capability, market access, information security, and preparedness to respond to sudden malfunctions and system outages. 27 In so many words, cybersecurity has been on the minds of OCIE Staff, with a specific reference to the term in On March 26, 2014, the SEC held a roundtable at which SEC Commissioners and external panelists were invited to discuss cybersecurity issues. 29 Dialogue among the panelists focused on measures that could be taken to ensure firms are dedicating resources to risk management and good internal controls. Potential next steps included sharing of information and best practices; principles-based guidance; preparation of incident response playbooks; tailoring requirements so they can be adapted to firms of varying profiles (including small firms); and encouraging further planning, testing and communication. SEC Staff stressed the need for disaster recovery planning and the ability to recover from any outages, including those caused by cybersecurity breaches such as DDoS attacks. One unexpected consensus among panelists in the discussion was that they invited additional regulations or other cybersecurity guidance that would help SEC-regulated Entities focus on particular cybersecurity risks and techniques to mitigate them. One panelist suggested that the SEC s proposed amendments to Regulation S-P could be viewed as guidance to help SEC-regulated Entities establish comprehensive information security programs. Most of the panelists seemed to agree that that the Framework for Improving Critical Infrastructure Cybersecurity, released February 12, 2014 by the NIST 30 is a source of sound guidance for SEC-regulated Entities in designing cybersecurity programs. Less than one month after the SEC roundtable, OCIE followed up with a risk alert indicating that 50 broker-dealers and registered investment advisers would be examined with an eye towards cybersecurity policies and procedures. 31 The OCIE risk alert included a sample information request that provides a glimpse into the types of policies, procedures and protocols that OCIE views as part of a cybersecurity program. This risk alert provides the most comprehensive SEC guidance on cybersecurity to date. Implicit in the OCIE sample information request is that SEC-regulated Entities should incorporate or use as a model the NIST framework or other published cybersecurity risk management process standards. The OCIE focus on the NIST framework can be viewed as a shift from crafting specific rules on cybersecurity to conveying expectations as to risk management activities around cybersecurity. The NIST framework is, after all, essentially a risk management framework tailored to cybersecurity activities. The framework consists of three main areas: core activities, implementation tiers and a framework profile. The NIST framework establishes that the crux of expected cybersecurity activities would include identification (or risk assessments), protection activities (or risk mitigation), detection activities (or monitoring), response activities and recovery activities. Each area is further divided into subgroups, which makes the framework inherently scalable by allowing an organization to implement only those areas that are relevant to it. Through the use of implementation tiers and framework profiles, an organization may use the framework to assess the organization s current profile and create a target profile and plan for transitioning from the current state to the desired state. Consistent with the NIST framework, the OCIE sample information request is organized around assessment activities, including: (1) assessment of technology assets and risks, (2) cybersecurity protection activities, (3) specific risks associated with customer access, (4) specific risks associated with vendors and third parties, and (5) detection of unauthorized activity. With respect to assessment activities, OCIE appears to expect that firms are inventorying physical devices, systems, software platforms and applications. Such inventories should prioritize resources for protection. It also suggests that firms should
6 6 THE INVESTMENT LAWYER catalogue connections and data flows, including connections from external sources. It is expected that firms are already conducting periodic assessments of both cybersecurity and physical security, with documented findings. Firms should also be aware of any insurance coverage maintained for cybersecurity events, including the limitations of such coverage. The information request reminds us that SECregulated Entities should have written information security programs that conform to Regulation S-P, as well as Regulation S-ID (Identity Theft Red Flags Rules), if applicable, and that specifically address removable and portable media. The information request suggests that such programs should incorporate documentation of responsibilities for employees and managers with respect to cybersecurity, and that training for both employees and vendors with access to the firm s network should be documented. Note that for many SEC-regulated Entities these specific aspects of a written information security program may already be required under applicable state laws governing information security. As for protection activities, the OCIE sample information request solicits information pertaining to the following specific data security protection activities: providing written guidance and periodic training to employees concerning information security risks and responsibilities; maintaining controls to prevent unauthorized escalation of user privileges and lateral movement among network resources; restricting users access to those network resources only as necessary for their business functions; maintaining a segregated environment for testing and development of software and applications; preventing users from altering the baseline configuration of hardware and software without authorization; managing IT assets and performing regular system maintenance; maintaining controls to secure removable and portable media against malware and data leakage; maintaining protection against DDoS attacks for critical internet-facing IP addresses; maintaining a written data destruction policy; maintaining a written cybersecurity incident response policy; periodically testing the functionality of the firm s backup system; use of encryption; conducting periodic audits of compliance with the firm s information security policies. With respect to risks associated with customer transactions, many of the items in the OCIE sample information request relate to authentication procedures used when employees and customers access a SEC-regulated Entity s network. This, perhaps, portends some guidance or standards around authentication, similar to the FFIEC 2005 guidance entitled, Authentication in an Internet Banking Environment 32 and the supplement thereto issued in The OCIE sample information request also contains a number of information requests relative to hacking activity or attempted intrusions into a firm s network. Implicit in this request is that a firm is monitoring such activity and maintaining appropriate logs. In other words, there is an expectation that each firm is subjected to hacking attempts, but the awareness of such attacks and the responses thereto are what are critical. The Road Ahead With Regulation S-P as a starting point and the OCIE guidance and NIST framework being potential proxies for current SEC thinking, it appears the SEC may be moving toward a principles-based, risk management regime for cybersecurity. Accordingly, cybersecurity activities can no longer be viewed as issues confronting only compliance or information technology departments. Cybersecurity is increasingly viewed as an enterprise-wide concern that
7 VOL. 21, NO. 8 AUGUST needs to start at the board of directors of a firm and permeate throughout the organization. Future examination and enforcement actions may not be limited to discrete violations of Regulation S-P, but may take into account assessments of risk management activities addressing cybersecurity. In implementing cybersecurity plans, firms need to be careful to avoid silos. Given that cybersecurity will involve both the use of secure technology and training and compliance by natural persons, collaboration between information technology professionals and human resources professionals will be crucial. Moreover, input from operations professionals is also critical to ensure that any secure technologies adopted will be used and to avoid the development of shadow IT by operations professionals developing workarounds to firm technologies without organizational approval. The emergence of shadow IT may itself be a discrete risk that firms will be expected to assess at some point in the future. In any event, the guidance from regulators in this area is evolving rapidly to respond to the fast- changing nature of cybersecurity threats. The challenge for regulators is to devise a framework that allows firms to adapt their risk management programs rapidly without running afoul of discrete requirements. Messrs. Cadigan and Mahoney are partners in the Boston, MA office of K&L Gates LLP. NOTES 1 17 C.F.R (a) Fed. Reg (March 13, 2008) Fed. Reg (February 1, 2001) Fed. Reg. at Fed. Reg. at C.F.R (b) U.S.C. 1681a(d) U.S.C. 1681m(e); 17 Code Fed. Regs U.S.C. 1691a(d) C.F.R (d) C.F.R (a), 15 U.S.C. 1681a(t), 12 U.S.C. 461(b) C.F.R (b)(1), (3). 13 Mass. Gen. Laws. ch. 93H, 93I. 201 Code Mass. Regs et seq Code Mass. Regs , Code Fed. Regs c OCIE National Exam Program Risk Alert (September 29, 2011), available at: https://www.sec. gov/about/offi ces/ocie/riskalert-mastersubaccounts.pdf. 17 See 17 Code Fed. Regs c3-5(c)(iii). 18 FINRA Rule FR (August 28, 2009) Fed. Reg , (enumerating policies and procedures required, including safeguards for the protection of customer information and business continuity plans) (December 24, 2003). In imposing these requirements, the SEC Staff implied that business continuity requirements arise out of an investment adviser s fiduciary duties, noting: We believe that an adviser s fiduciary obligation to its clients includes the obligation to take steps to protect the clients interests from being placed at risk as a result of the adviser s inability to provide advisory services after, for example, a natural disaster or, in the case of some smaller firms, the death of the owner or key personnel. The clients of an adviser that is engaged in the active management of their assets would ordinarily be placed at risk if the adviser ceased operations. 21 The Federal Financial Institutions Examination Council (FFIEC), which consists of the federal bank regulators, adopted guidance highlighting that information security and business continuity plans should recognize DDoS attacks as a risk and be designed to address such risks. See Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, available at: ec.gov/press/pdf/ffiec%20ddos%20 Joint%20Statement.pdf.
8 8 THE INVESTMENT LAWYER 22 In the Matter of LPL Financial Corporation Administrative Proceeding No (September 11, 2008). 23 In the Matter of Commonwealth Equity Services, LLP Administrative Proceeding No (September 29, 2009). 24 In the Matter of J.P. Turner & Company, LLC Administrative Proceeding No (July 17, 2009). 25 See In the Matter of Frederick O. Kraus, SEC Administrative Proceeding , (April 7, 2011), In the Matter of David C. Levine SEC Adminis trative Proceeding , (April 7, 2011), In the Matter of Marc A. Ellis, SEC Administrative Proceeding , (April 7, 2011). 26 OCIE Examination Priorities for 2013 (January 9, 2014), available at: ces/ ocie/national-examination-program-priorities pdf, OCIE Examination Priorities for 2013 (February 21, 2013), available at: gov/about/offi ces/ocie/national-examination-programpriorities-2013.pdf, Examinations by the Securities and Exchange Commission s Office of Compliance Inspections and Examinations (February 2012), available here: ces/ocie/ ocieoverview.pdf. 27 OCIE Examination Priorities for 2013 (January 9, 2014), available at: ocie/national-examination-program-priorities-2014.pdf. 28 Examinations by the Securities and Exchange Commission s Office of Compliance Inspections and Examinations at 33 (February 2012). 29 A transcript is available at: light/cybersecurity-roundtable/cybersecurity-round table-transcript.txt. 30 Available at: upload/cybersecurity-framework final.pdf. 31 OCIE National Exam Program Risk Alert (April 15, 2014), available at: ment/cybersecurity+risk+alert++%2526+appen dix pdf. 32 Available at: ec.gov/pdf/authentication_ guidance.pdf. 33 Available at: ec.gov/pdf/auth-its- Final% %20(FFIEC%20Formated).pdf. Copyright 2014 CCH Incorporated. All Rights Reserved Reprinted from The Investment Lawyer August 2014, Volume 21, Number 8, pages 9 16, with permission from Aspen Publishers, Wolters Kluwer Law & Business, New York, NY, ,