Cybersecurity For Brokers: 'Only The Paranoid Survive'

Transcription

1 Portfolio Media. Inc. 860 Broadway, 6th Floor New York, NY Phone: Fax: Cybersecurity For Brokers: 'Only The Paranoid Survive' Law360, New York (July 2, 2015, 10:32 AM ET) -- Duuun dun, duuun dun, dun, dun, dun, dun, dun, dun, BOM, BOM, dun,dun, dun, dun, dun, dun, doo dedoo, doo dedoo, dede doo, dede doo, dede doo[1] Just when you thought it was safe to go back in the water and have a quiet summer, U.S. Securities and Exchange Commission Commissioner Luis Aguilar hoisted the warning flags. At the end of June, he gave a wide-ranging speech addressing a number of cyber-related problems facing the securities industry.[2] Aguilar touched on cyberissues relevant to many key players, from issuers to exchanges, but his speech was particularly noteworthy for securities firms trying to stay afloat in the (cyber) shark-infested waters of today s technology-driven world. [3] His speech is the first by a commissioner to address in detail the results of the SEC s 2014 cybersecurity sweep exam of broker-dealers (BDs) and Brian L. Rubin investment advisers (IAs), and it is also the first to discuss cyber-related enforcement actions by the SEC. Securities firms would do well to take notice (and take all other necessary precautions including, but not limited to, battening down the hatches). This was No Boat Accident [4]: Results of the SEC s 2014 Cybersecurity Exam The SEC s 2014 cybersecurity sweep examined 57 BDs and 49 IAs on a number of cyber-related issues ranging from technical safeguards and cybergovernance to breach response.[5] The sweep s results, released in February 2015,[6] had some encouraging data; for example, 93 pecent of BDs (although just 83 percent of IAs) reported having written information security policies.[7] Nonetheless, as Aguilar noted, the sweep s results revealed areas that needed improvement. [8] Among the troubled waters Aguilar identified were the following: Firms cybersecurity policies and procedures generally failed to specify how firms would determine responsibility for client losses stemming from a cyberattack. [9] The SEC s exam found that the policies and procedures of 30 percent of BDs and 13 percent of IAs contain these provisions.[10] Aguilar s decision to highlight this statistic may suggest that the SEC views this issue as a basic, best practice that all firms should address.

2 While most firms conduct periodic risk assessments of their own systems, fewer firms conducted [risk] assessments of their vendors systems. [11] The SEC found that 84 percent of BDs and 32 percent of IAs conduct risk assessment of vendors that have access to their networks.[12] The stark difference between BDs and IAs suggests that Aguilar s criticism may have been aimed more at IAs, whose results in the SEC s sweep exam were generally not as positive as the results from BDs.[13] However, the fact that Aguilar highlighted vendors suggests that firms may want to consider how they handle the cyberpractices of their vendors. Particularly given that several high-profile breaches in recent years began with a vendor breach, it is not surprising that the SEC might focus on this issue. The Financial Industry Regulatory Authority has already brought an enforcement action for this issue. In February 2010, it sanctioned a firm for failing to establish policies and procedures that address and review administrative, technical, and physical safeguards for the protection of customer information involved in an arrangement by which a firm outsourced many of its compliance and operations functions to a nonaffiliated third party. [14] [O]nly two-thirds of broker-dealers and only one-third of advisers have elected to designate a chief information security officer, while cybersecurity insurance is carried by just over half of broker-dealers, and by less than a quarter of advisers. Aguilar called these numbers disappointing because both practices are common-sense precautions that have been shown to decrease the costs associated with data breaches. [15] While having a dedicated chief information security officer (CISO) may not make sense for all firms (particularly smaller firms), having a cyber point person may help ensure that fewer cyberissues fall through the cracks. Like a CISO, cyberinsurance may not be appropriate for all firms. As FINRA has suggested, firms might want to assess whether existing insurance policies cover any aspects of cybersecurity events, as well as the cost of a new policy and the nature of coverage... a new or enhanced cyberinsurance policy [will] provide. [16] FINRA also found, however, that firms purchase cybercoverage to transfer potential unmitigated risk that a cyberattack poses; to obtain coverage for gaps in existing insurance policies; and to reduce the risk of potential impact to a firm s financial statement that a cyberattack might cause.[17] I Think He s Come Back For His Noon Feeding [18]: Cybersecurity Enforcement Actions According to Aguilar, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority. [19] Although he did not cite any specific examples, he did reference a 2011 enforcement action as an example of a case in which a firm failed to protect [its] customers confidential information. [20] Aguilar s decision to cite this case may suggest one issue that is being investigated by the SEC s enforcement staff during its current investigations into multiple data breaches. [21]

3 In the case cited by Aguilar,[22] a broker-dealer s chief compliance officer (CCO) was fined and censured after his firm experienced a series of data breaches. According to the CCO s settlement with the SEC, no single person or department directed or coordinated the firm s responses to the thefts. In addition, the firm s limited response or follow-up [to a series of breaches] repeatedly revealed the firm s policies and procedures for safeguarding customer information to be inadequate. Nonetheless, according to the SEC, the firm s CCO failed to update his firm s Regulation S-P policies and procedures to address the firm s known cyberdeficiencies. The SEC censured the CCO and fined him $15,000. Aguilar s decision to highlight this case suggests that, setting aside the low-hanging fruit (or floating shark bait, if you prefer), such as firms using the word password as their password,[23] the SEC s future cyber-related enforcement actions will most likely involve firms that did not adequately respond to breaches or known cyberdeficiencies. The SEC has brought at least one similar case. In September 2008, the commission sanctioned a firm that was hacked at the time it had been considering implementing auditors recommendations to strengthen its cybersecurity practices.[24] For this and several other cyber-related issues, the firm was censured and fined $275,000.[25] Likewise, in May 2015, FINRA fined a firm $225,000 for not encrypting its laptops until June 2014 (following the theft of a firm laptop), despite having recognized the need for encryption of laptops in 2009.[26] You re Gonna Need a Bigger Boat [27]: Next Steps Aguilar s primary recommendation for members of the securities industry was the prompt sharing of actionable information about threats and possible defenses. For example, Aguilar referenced organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC),[28] which gathers and disseminates information about cyberthreats to industry members. FINRA s comprehensive Report on Cybersecurity Practices likewise noted that [f]irms should use cyber threat intelligence to improve their ability to identify, detect and respond to cybersecurity threats. [29] In addition to the FS- ISAC, FINRA found that many firms have establish[ed] an in-house group or department responsible for handling threat intelligence, employed a security services provider for threat intelligence, relied on vendors, or used a combination of these approaches.[30] Lastly, the assistant director of the Federal Bureau of Investigation s Cyber Division recently suggested that members of the securities industry sign up to receive PIN, FLASH, and JAB alerts from the FBI, each of which provides a different type of notification discussing cyberthreats identified by the bureau.[31] * * * Just as "Jaws" kept coming back to the boat at the most importune times, a cyberattack can hit when you least expect it. (And unlike Jaws, a cyberattack will not be accompanied by ominous music to warn you that it s coming.) Although Aguilar s speech did not dive too deeply into cybersecurity for securities firms, it did highlight that firms must continually monitor how they protect themselves and their customers. As Aguilar observed, [i]t s an old joke that only the paranoid survive. In the cybersecurity context, it might just be true. [32] By Brian Rubin and Charlie Kruly, Sutherland Asbill & Brennan LLP Brian Rubin is the partner in charge of litigation in Sutherland's Washington, D.C., office. He is a former deputy chief counsel of enforcement at the National Association Of Securities Dealers (now FINRA) and a former senior enforcement counsel at the SEC.

4 Charlie Kruly is an associate in the firm's Washington office. The opinions expressed are those of the author(s) and do not necessarily reflect the views of the firm, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice. [1] See (video of the Jaws theme on a 10-hour loop). [2] SEC Commissioner Luis A. Aguilar, A Threefold Cord Working Together to Meet the Pervasive Challenge of Cyber-Crime, SINET Innovation Summit, New York, New York (June 25, 2015), [hereinafter, Aguilar, A Threefold Cord ] [3] Id. [4] Jaws (1975), [5] See National Exam Program Risk Alert: OCIE Cybersecurity Initiative, at 3 (Apr. 15, 2014) [hereinafter SEC Cybersecurity Sweep], [6] See National Exam Program Risk Alert: Cybersecurity Examination Sweep Summary (Feb. 3, 2015), [hereinafter SEC Sweep Results ]. [7] Id. at 2. [8] Aguilar, A Threefold Cord. [9] Id. [10] SEC Sweep Results at 2. [11] Aguilar, A Threefold Cord. [12] SEC Sweep Results at 2. [13] For example, 82 percent of BDs business continuity plans (BCPs) address cybersecurity, while only 51 percent of IAs BCPs do so. Similarly, 93 percent of BDs conduct cyberrisk assessments, but only 79 percent of IAs do the same. Id. [14] FINRA Letter of Acceptance, Waiver and Consent No at 4 (Feb. 10, 2010), [15] SEC Sweep Results at 2. [16] FINRA, Report on Cybersecurity Practices, at 37 (Feb. 2015),

5 df. [17] Id. [18] Jaws. [19] Aguilar, A Threefold Cord. [20] Id. [21] Id. [22] Release No (Apr. 7, 2011), [23] We re not making that up. See FINRA Letter of Acceptance, Waiver and Consent No , at3, 7 (Apr. 28, 2009), firm for, among other things, employ[ing] the username of Administrator and the password password on a fax server that had been used to host a phishing scam). [24] Release No , at 4-5 (Sept. 11, 2008), available at [25] Id. at 7. [26] FINRA Letter of Acceptance, Waiver and Consent No , at 2-3 (May 15, 2015), [27] Jaws. [28] See [29] FINRA, Report on Cybersecurity Practices at 34 [30] Id. [31] FBI Makes Broker-dealers an Offer They Can t Refuse: Talk to Us About Cybersecurity, Sutherland Cybersecurity and Privacy Insights (June 3, 2015), [32] Aguilar, A Threefold Cord. All Content , Portfolio Media, Inc.