In the following guest post, Paul A. Ferrillo takes a look at the recent findings that the SEC Office of Compliance, Inspections and Examinations issue with respect to its cybersecurity examinations of registered investment advisers and broker dealers. The findings, Paul suggests, provides good guidance from a number of perspectives with regard to cybersecurity governance issues. Paul is a partner with McDermott, Will & Emery. I would like to thank Paul for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.
The D&O Diary has done an exemplary job noting that there have generally been two fast ways that cause “event-driven” litigation for a company and its directors (through a derivative action) to be filed: 1) to either ignore published regulatory warnings, disclosure guidance or direction, and have those warnings come back and bite you following a disastrous event (like a big cyberattack), or 2) to ignore warnings and “red-flags” evidencing potentially ‘poor conduct’ or “red flags” not in conformance with such regulatory advice, and have those warnings eventually come back and be the cause of the event. Both 1 and 2 can be equally painful for a company. Associated stock drops coupled with regulatory actions, orders or proceedings will likely cause both securities and derivative litigation (and potentially other forms of breach or privacy-related litigation).
While some regulatory bodies have not been prolific with their guidance to companies, firms, directors and officers as to “what to do to avoid” or “how to handle” the big cybersecurity “ugly mess,” the Securities and Exchange Commission (SEC), for example has been a lot more helpful and direct to registered entities.
On January 27, 2020 the US SEC Office of Compliance, Inspections and Examinations (OCIE) issued a helpful summary of the findings it has made in targeted cybersecurity examinations of registered investment advisers and broker dealers (hereinafter referred to as the “cyber observation memo”).
The cyber observation memo follows yearly examination memorandums and advisories on the points of emphasis that it wants its registered firms to both identify, remediate and otherwise control for. It’s no secret that the practices the SEC identified as “important” in prior years – 2016-2019 – are approximately the same practices that it highlights in the cyber observation memo where firms have done a “good job.”
The cyber observation memo is helpful for another reason – to clarify the ground rules for the registered entities and their directors and officers. If you do not follow what the SEC has “suggested,” and you subsequently have a major data breach or other cyber incident that affects customer data, do not be surprised if the SEC assesses a fine or penalty. Regulated firms and their directors and officers would do well to avoid enforcement actions and fines, especially since there may be related public disclosure obligations as well. So “RIA emptor” or “Registered Investment Adviser Beware!”
What Registered Investment Advisors (RAI) should be thinking about when it comes to cyber
Here are the key factors the SEC has identified that each RIA or broker-dealer should be considering:
- Identity and Access Management (IAM). 2018 and 2019 presented firms with two different problems: (1) that the Internet is awash with billions of stolen credentials and passwords allowing criminals to get access to networks; and (2) certain nation-state attackers, knowing financial firms have adopted cloud and SAAS resources to allow their businesses to operate both remotely and more efficiently, have attacked corporate email systems to gain access to financial firms’ email servers and steal both customer and business information. How do you stop these attacks from occurring? There is no foolproof method, but a strong IAM program would help. In the cyber observation memo, the SEC lists elements of such a program.
- Data Loss Prevention topics
The cyber observation memo offers a list of good practices and procedures to help guard against data loss:
- Vulnerability Scanning. Establishing a vulnerability management program that includes routine scans of software code, web applications, servers and databases, workstations, and endpoints both within the organization and applicable third party providers.
- Perimeter Security. Implementing capabilities that are able to control, monitor, and inspect all incoming and outgoing network traffic to prevent unauthorized or harmful traffic.
- Detective Security. Implementing capabilities to detect threats on endpoints.
- Patch Management. Establishing a patch management program covering all software (i.e., in-house developed, custom off-the-shelf and other third party software) and hardware, including anti-virus and anti-malware installation.
- Inventory Hardware and Software. Maintaining an inventory of hardware and software assets, including identification of critical assets and information (i.e., know where they are located and how they are protected).
- Encryption and Network Segmentation. Using tools and processes to secure data and systems, including: (i) encrypting data “in motion” both internally and externally; (ii) encrypting data “at rest” on all systems including laptops, desktops, mobile phones, tablets, and servers; and (iii) implementing network segmentation and access control lists to limit data availability to only authorized systems and networks.
- Have a Plan and Practice it
This is older piece of advice, but one that is often over looked in the heat of business or the economy: make sure that you have a practiced and tested cyber incident response, business continuity and crisis communications plan.
These are the first documents that a regulator will ask for during an examination. And these are probably the first documents that the firm’s directors and officers will ask for when reviewing the cybersecurity posture of the firm. If you are not practicing what to do when you get attacked, then you are not being realistic of your chances of effectively responding to a devastating cybersecurity attack.
- Vendor Management is Critical
The Internet has created so many efficiencies for business. Nearly everything can be outsourced – from manufacturing to HR to payroll to cybersecurity itself – by using a managed service provider. But what really do you know about your vendor? What program do you have in place to both identify and monitor the cybersecurity of your critical vendors? And maybe your less critical vendors too? The SEC OCIE recommends a fulsome vendor management program. We do too.
Finally, none of the above is any good (most of the time) unless your board and senior executives buy into both your regulatory cybersecurity compliance strategy and your data loss prevention strategies. Update to date network servers and operating systems are critical in today’s environment; so are machine-learning solutions for network security and things like good IAM programs. And both cost money.
“Buy in” by the board and senior management is important. Some boards are very focused on cybersecurity. Many are not. To avoid event-driven disasters, they really need to focus upon the fact that ANY company or firm is a target in today’s threat filled environment.
Many states and regulatory schemes require board signoff of cybersecurity initiatives and compliance. The SEC has always considered good cybersecurity and good cyber governance to be essential. Good cybersecurity is not just an IT responsibility; it’s everyone’s responsibility at the firm. Chief Information Security Officers and IT executives should make it standard to meet with boards and senior executives once a quarter to talk about cybersecurity. Having your outside forensic advisor available to board members helps too, and adds a sense of comfort to discussions. Having directors who actually understand digital transformation and cybersecurity issues would be bonus additions to any board of directors.
The SEC OCIE cyber observation memo is good guidance from many perspectives. Clients, customers and investors like stability and appreciate good cybersecurity, but they do not like data breaches or ransomware attacks. Regulated entities and their directors – beware! The world — and the SEC — are watching.
About the author
Paul Ferrillo is a partner with McDermott, Will & Emery. He focuses his practice on corporate governance issues, complex securities class action, major data breaches and other cybersecurity matters, and corporate investigations. He can be reached at firstname.lastname@example.org.