SEC Potentially Targets CCOs for Cybersecurity Lapses

By Judy Selby and Jonathan A. Forman
November 02, 2015

Two recent speeches by Securities and Exchange Commission (SEC) officials likely got the attention of every Chief Compliance Officer (CCO).

In the first, at an Investment Adviser and Broker-Dealer Compliance Conference last month, SEC Chief of Staff Andrew J. Donohue indicated that the SEC will continue to bring enforcement actions against CCOs for not addressing compliance issues, including cybersecurity. Donohue challenged compliance professionals to be “pro-active” in their work and pointed to three recent SEC enforcement actions against CCOs on the ground that they failed to implement compliance programs reasonably tailored to the specific needs of their firms. See, “Remarks at NRS 30th Annual Fall Investment Adviser and Broker-Dealer Compliance Conference.”

Two days after Donohue's speech, SEC Chair Mary Jo White told the MFA Outlook Conference in New York: “While cybersecurity attacks cannot be entirely eliminated, it is incumbent upon private fund advisers to employ robust, state-of-the-art plans to prevent, detect, and respond to such intrusions.” See, “Five Years On: Regulation of Private Fund Advisers after Dodd-Frank.”

In light of these remarks, as well as a recent SEC cybersecurity enforcement action, CCOs would be well advised to carefully review and implement where appropriate the SEC's latest cybersecurity guidance.

The SEC's Long-Awaited Cybersecurity 'Message Case'

The most recent SEC cybersecurity guidance is its settled enforcement action against investment adviser R.T. Jones Capital Equities Management for allegedly failing to establish cybersecurity policies and procedures in advance of a breach that compromised the personal identification information (PII) of approximately 100,000 individuals. As a result of these alleged violations, R.T. Jones agreed to pay a $75,000 penalty and undertake remedial efforts, including:

  • Retaining multiple cybersecurity firms to assess the scope of the breach;
  • Removing all PII from its webserver and encrypting all PII on its internal network;
  • Installing a new firewall and logging system;
  • Appointing an information security manager and implementing a written information security policy; and
  • Notifying the affected individuals (both advisory clients and third parties) of the breach and providing them with free identity monitoring.

See, http://1.usa.gov/1MGArcB.

Because this was the first officially titled SEC “cybersecurity” enforcement action, it appears to be the SEC's long-awaited “message case” on this issue. Indeed, in the press release announcing the settlement with R.T. Jones, co-chief of the SEC Enforcement Division's Asset Management Unit, Marshall S. Sprung stated: “Firms must adopt written policies to protect their clients' private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

The SEC's Cybersecurity Initiative

The R.T. Jones settlement is part of the SEC's expanding cybersecurity initiative. The commission also recently announced a second round of examinations of broker-dealers and investment advisers to focus on the following key topics: governance and risk assessment; access rights and control; data loss prevention; vendor management; training; and incident response.

The SEC's Risk Alert announcing these examinations included a sample document request seeking, among other things, the following information on these key topics:

  • The firm's policies and procedures, including access controls, device rights, usage obligations, and incident response plan;
  • The firm's board minutes and briefing materials;
  • Information on the firm's Chief Information Security Officer or equivalent position and other employees responsible for cybersecurity matters, including reporting charts;
  • The firm's risk assessment findings and remediation steps, including penetration testing, data mapping, patching, and surveillance; and
  • The firm's procedures with respect to employees, vendors, and business partners, including training, due diligence, supervision, and contract provisions.

See, National Exam Program Risk Alert, Volume IV, Issue 8 (Sept. 15, 2015).

These sample requests provide significant insight into how the SEC assesses a firm's cybersecurity compliance program. But while these requests are not exhaustive and do not represent binding requirements, CCOs should view them as an appropriate baseline for evaluating their firms' cybersecurity preparedness.

The SEC's Cybersecurity Guidance

CCOs also should incorporate into their firms' compliance programs the SEC's cybersecurity guidance released earlier this year, which recommended the following measures.

  • Periodically assess their firms': 1) information and processes; 2) internal and external cybersecurity threats and vulnerabilities; 3) security controls and processes; 4) impact of cyber-related events; and 5) governance structures;
  • Devise cybersecurity strategy to: 1) control access to systems and data; 2) encrypt data; 3) restrict use of removable media; 4) deploy monitoring software; 5) employ data backup and retrieval; and 6) develop an incident response plan;
  • Implement written policies and procedures and training to provide appropriate guidance; and
  • Assess cybersecurity measures of vendors and business partners.

Protect Your Firm and Yourself

The SEC has been increasingly active in regulating cybersecurity as a cornerstone of all firms' compliance programs. Its message case against R.T. Jones is likely only the first of many to come. Earlier this year, SEC Commissioner Luis A. Aguilar said at the SINET Innovation Summit in New York that the Division of Enforcement is “currently investigating multiple data breaches … [,] examining how it can bring more cybersecurity enforcement actions using its existing authority, and [determining] how that authority might need to be broadened to meet emerging cybersecurity threats.” See, “A Threefold Cord - Working Together to Meet the Pervasive Challenge of Cyber-Crime.”

It may be only a matter of time before the SEC starts bringing additional enforcement actions against compliance personnel for inadequate cybersecurity. As if there are not already sufficient incentives for firms to incorporate appropriate cybersecurity measures into their compliance programs ….


Judy Selby is a Partner at Baker & Hostetler in New York. She can be reached at [email protected]. Follow her on Twitter @judy_selby. Jonathan A. Forman is an Associate at the firm. He can be reached at [email protected].
