There is little doubt that the U.S. Securities and Exchange Commission is making cybersecurity a top priority. SEC Chair Gary Gensler told a Senate committee on Tuesday, September 14, 2021 that the agency is developing a proposal on cybersecurity risk governance, which “could address issues such as cyber hygiene and incident reporting.” This initiative follows the SEC’s repeated warnings regarding the importance of cybersecurity, and the need to maintain and follow appropriate cybersecurity and breach response procedures.
The agency is also ramping up cybersecurity enforcement. On August 30, 2021, the SEC sanctioned eight registered broker-dealers and investment advisers (including various affiliated firms) for failing to implement cybersecurity practices and/or modify them following data security incidents.
According to the SEC, each of the eight firms was the victim of a business email compromise. A business email compromise occurs when an unauthorized third party gains access to a firm’s internal email system – often by launching phishing attacks that trick employees into giving up their work email access credentials. At each of the eight firms, the compromise lasted for over a year – nearly three years in some cases – without being detected, and resulted in the exposure of personal information of thousands of the firms’ customers and clients.
Cybersecurity Deficiencies in Violation of Safeguards Rule
The SEC asserted that the sanctioned firms failed to maintain appropriate cybersecurity measures to safeguard against and respond to the business email compromise. According to the SEC, some of the firms failed to follow their own, existing cybersecurity policies and did not adequately secure their email environment, while others did not have firm-wide cybersecurity measures in place at the time they experienced incidents. The agency alleged that each compromise resulted, at least in part, from these failures.
Focusing on multi-factor authentication (“MFA”) – which is an industry-standard, “low-hanging-fruit” information security control – the SEC determined that five of the eight firms failed to follow their own cybersecurity policies. Their policies required multi-factor authentication for email access “whenever possible,” but the firms did not actually have MFA in place. The SEC also found that the policies of three of the firms “recommended,” but did not require, MFA to be used, and that the firms failed to implement MFA on an expedited timeline after the incidents.
The SEC asserted that in each case this conduct violated Rule 30(a) of Regulation S-P – the SEC’s version of the Gramm-Leach-Bliley (GLBA) “Safeguards Rule.” The Safeguards Rule requires registered broker-dealers and investment advisers to adopt written policies and procedures implementing technical, administrative, and physical safeguards reasonably designed to protect the security and confidentiality of customer records and information. The rule requires these policies to protect against any anticipated threats to the security and integrity of customer records and information, including against unauthorized access or use that could result in substantial harm or inconvenience to any customer.
Misleading Breach Notification in Violation of the Investment Advisers Act
The SEC also asserted that some of the firms misled their clients by mischaracterizing the delay between when the firms discovered the compromise and when they notified clients. While the notices suggested that the incident was discovered two months prior, the SEC concluded that the underlying breach occurred six months prior. Because the “dates referenced in the letters were the dates the firms completed PII review of compromised email accounts and determined that particular recipient’s PII may have been accessed,” rather than the dates of the underlying breach, the SEC found that clients were “misinformed” and “would not have known to look for or guard against potential misuse of their PII that may have occurred more than two months before they received the misleading notices.”
The agency determined that the mischaracterization of the delay rendered the notifications misleading in violation of Section 206 of the Advisers Act, which in relevant part bars regulated entities from engaging in any fraudulent, deceptive or manipulative act. Going a step further, the SEC took the position that not having policies and procedures in place to safeguard against the issuance of misleading notices to clients was an independent violation of SEC Rule 206(4)-7, which in relevant part requires regulated entities to adopt and implement written policies and procedures reasonably designed to prevent violation of the Advisers Act.
Each firm received a fine ranging from $200,000 to $300,000 for the violations.
As the SEC ramps up cybersecurity enforcement, regulated entities are on notice to improve the maturity of their cybersecurity programs. At a high level, firms should confirm that they:
- Assign responsibility for cybersecurity and maintain a cybersecurity governance program;
- Follow all of the requirements of Regulation S-P;
- Implement and document industry-standard information security controls. This requires firms to understand what information they process and the systems, applications and vendors that have access to this data (and which must be protected through administrative, physical and technical safeguards), as well as to conduct risk assessments to identify the systems and assets that warrant enhanced protections;
- Implement and test incident detection and response capabilities and processes; and
- Periodically review and update the firm’s cybersecurity program.
Improving the maturity of a cybersecurity program can demand significant resources and time. Given the SEC’s focus on cybersecurity, regulated entities should actively evaluate and improve their programs to meet the SEC’s timeline.