As many of you know, last April the SEC issued the Cybersecurity Examination Initiative to assess the cybersecurity practices and preparedness of registered broker-dealers and investment advisers. The initiative arose from an SEC-sponsored Cybersecurity Roundtable held on March 26, 2014, which discussed the growing cybersecurity threats to our financial markets and intermediaries. Now, some nine months into its National Examination Program, the SEC earlier this week issued a risk alert titled “Cybersecurity Examination Sweep Summary,” dated February 3, 2015. These risk alerts, regularly published by the Office of Compliance Inspections and Examinations (OCIE) at the SEC, provide summary observations from its examinations of regulated broker-dealers and advisers, and are meant to serve as risk-management and awareness tools for the industry.
In the Cybersecurity Summary, OCIE staff examined 57 registered broker-dealers and 49 registered investment advisers to better understand how they address the legal, regulatory, and compliance issues associated with cybersecurity. This is the first such summary resulting from the program, and it can and should be used, in several ways, by regulated financial services companies as well as nonfinancial companies.
First, the Cybersecurity Summary lays out what might be considered best practices in preparing for and preventing successful cybersecurity attacks. Next, it provides a blueprint for some of the more significant issues and factors to consider as part of an effective cybersecurity program for any company. Last, while OCIE staff always takes pains to provide a disclaimer that factors discussed will not necessarily constitute a safe harbor if followed, the Cybersecurity Summary can provide a degree of comfort as a way to avoid adverse regulatory and SEC scrutiny.
According to the Cybersecurity Summary, the OCIE staff collected and analyzed information relating to practices for:
- identifying risks relating to cybersecurity;
- establishing cybersecurity governance, including policies, procedures, and oversight processes;
- protecting firm networks and information;
- identifying risks associated with information and fund transfer requests;
- identifying and addressing risks associated with vendors and third parties; and
- detecting unauthorized activity.
In reviewing the Cybersecurity Summary, certain observations can be made. As a general rule, a lower percentage of the registered investment advisers in the sample had adopted cybersecurity policies and practices than had their counterpart regulated broker-dealers. The exception was that almost all examined broker-dealers (98%) and investment advisers (91%) make use of encryption in some form. The other place where the two groups’ practices closely tracked each other was written information security policies, which have been adopted by 93% of the examined broker-dealers and 83% of investment advisers. Other than that, the differences between the practices of registered broker-dealers and those of investment advisers are significant.
The Cybersecurity Summary notes that the vast majority (80% or more) of examined firms conduct periodic risk assessments on a firm-wide basis to identify cybersecurity threats, vulnerabilities, and potential business consequences. However, while a majority of broker-dealers (84%) extend these risk assessments to their vendors, only 32% of the advisers do so.
It is also worth noting that the OCIE staff makes a point of assessing whether written policies and procedures address how firms will determine their responsibility for client losses associated with cyber incidents. By noting that “only a small number of the broker-dealers (30%) and the advisers (13%) contain such provisions,” the OCIE staff is driving home a point.
Another interesting OCIE staff observation is that while almost 75% of advisers and 88% of broker-dealers have been the subject of a cyber-related incident, most have involved losses of no more than $5,000. In addition, almost half the broker-dealers (47%) are members of groups, associations, or organizations that exist for the purpose of sharing information regarding cybersecurity attacks and identifying best practices to mitigate harm. Many identify the Financial Services Information Sharing and Analysis Center as adding significant value in this effort.
Finally, and perhaps most important, OCIE staff noted that the designation of a Chief Information Security Officer (“CISO”) varied with the examined firms’ business models. Approximately two-thirds of the broker-dealers (68%) examined had an individual explicitly assigned as the firm’s CISO. In contrast, less than one-third (30%) of the advisers had a designated CISO. In addition, over half (58%) of the broker-dealers maintained some form of cybersecurity insurance, while the number was significantly lower (21%) for advisers.
Overall, while the Cybersecurity Summary purports simply to provide a survey of the examination results of the National Examination Program, a thoughtful read will reveal some degree of insight into the SEC’s view on best practices in this space. As a former SEC enforcement regulator, I have observed this pattern before. For example, in September 2012, the OCIE staff conducted a similar examination of the use of information barriers to protect material, nonpublic information within the examined broker-dealers and thereafter issued a report. That report was quite explicit in identifying what the staff perceived to be weak or better practices for prevention.
Those in the financial sector should note the SEC’s increased attention to and scrutiny of matters of cybersecurity and should heed its guidance, as enforcement investigations and actions may soon follow for those that do not. While representing companies in these enforcement matters is my law practice, I would much prefer seeing clients avoid the crosshairs of the SEC in the first instance by employing strong efforts to deter cyber attacks.