Cyber Security Solutions for the US Investment Advisers
SEC Focus on Cyber Security and Operational Resilience
The US Securities and Exchange Commission (“SEC”) has increased its focus on cyber security and operational resilience, in a clear signal that firms who are not prepared to address cyber security risks will need to take action.
Information security and operational resilience were highlighted as priorities by the Division of Examinations, which confirmed that they will be reviewing registrants’ business continuity and disaster recovery plans, with particular focus on substantial disruptions to normal business operations.
In enforcing this priority, toward the end of 2021 the SEC sanctioned eight firms for deficient cyber security procedures and deficient cyber security disclosures.
SEC Enforcement of Deficient Cyber Security Procedures: A Case Study
The SEC sanctioned eight firms for failures in their cyber security policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
According to the SEC’s order against several entities, cloud-based email accounts of over 60 of the entities’ personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of at least 4,388 customers and clients. None of the taken-over accounts was protected in a manner consistent with the various entities’ policies. The SEC’s order also found that some of the entities sent breach notifications to the firms’ clients that included misleading language suggesting that the notifications had been issued much sooner after discovery of the incidents than they actually were.
According to the SEC’s order against another firm, cloud-based email accounts of over 121 firm representatives were taken over by unauthorized third parties, resulting in the PII exposure of at least 2,177 firm customers and clients. The SEC’s order found that although the particular firm discovered the first email account takeover in January 2018, it failed to adopt and implement firm-wide enhanced security measures for cloud-based email accounts of its representatives until 2021, resulting in the exposure and potential exposure of additional customer and client records and information.
Another SEC order against a different entity details that cloud-based email accounts of 15 of the firm’s financial advisers or their assistants were taken over by unauthorized third parties, resulting in the PII exposure of approximately 4,900 firm customers and clients. The SEC’s order further found that the firm failed to adopt written policies and procedures requiring additional firm-wide security measures until May 2020, and did not fully implement those additional security measures firm-wide until several months later, placing additional customer and client records and information at risk.
Each of these SEC orders found that the various firms violated Rule 30(a) of Regulation S-P, also known as the Safeguards Rule, which is designed to protect confidential customer information. The SEC’s order against several of the firms mentioned above also found violations of Section 206(4) of the Advisers Act and Rule 206(4)-7 in connection with their breach notifications to clients. Each firm agreed to cease and desist from future violations of the charged provisions, to be censured and to pay a penalty ranging from $200,000 to $300,000.
What can firms do now to prepare?
- Begin risk assessments that include a strong vendor risk management component
- Draft new cyber policies or review prior policies
- Examine existing technology controls to determine whether or not they meet current industry best practice
- Prepare for the SEC’s annual review requirements
How can Waystone Compliance Solutions help?
The Annual Cyber Security Review Retainer
Earlier this year, the SEC proposed a cyber security requirement for managers, including a proposed annual review of firm cyber security policies and procedures. Because the SEC has drawn a line in the sand around best practices, boards and their board members should view this new proposed annual review process as a very important benchmark. We believe that this new benchmark could set the stage for shareholder actions against funds that did not conduct annual reviews, thereby failing to show an appropriate standard of care and to protect themselves and the funds against potential litigation.
We are urging funds to begin to understand this new set of standards and to take action to review the state of their cyber security preparedness now.
Waystone Compliance Solutions offers an SEC Annual Cyber Security Review Retainer. This Annual Cyber Security Review Retainer will offer:
- SEC Annual Review Preparation including Baseline Cyber Risk Assessment
- Written Information Security Policy update or implementation, if required
- SEC Readiness Report
- Incident Response Annual Retainer (including SEC filing)
- Cyber Risk Gap Analysis Report
- Provide ongoing advice on cyber security matters, ensuring that the client remains at the forefront in addressing cyber security developments
- Propose an annual cyber workplan to be signed off by the management team
- Provide quarterly updates to the management team on progress against a cyber workplan
- Oversee third-party vendor management and other stakeholders
Waystone Compliance Solutions Cyber Security Services
Our Cyber Security Solutions include:
- Cyber risk assessment including vendor risk assessment
- Cyber policy drafting
- Baseline cyber assessment and recommendation
- Annual review and remediation of any attendant issues
- Cyber incident response, reporting and remediation
- Provision of Chief Information Security Officer (CISO) for Board of Management
- Provision of Cyber Security Advisor for SEC registered investment advisers and funds