On February 3, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert that summarizes the OCIE’s observations from its recent examinations of registered broker-dealers and investment advisers. The examinations were conducted under the OCIE Cybersecurity Examination Initiative, which was announced on April 15, 2014. In 2014, the OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory and compliance issues associated with cybersecurity. The OCIE staff reviewed documents and interviewed key personnel regarding each firm’s business and operations, its detection of and the impact of cyber attacks, its preparedness for cyber attacks, its training and policies relevant to cybersecurity, and its protocols for reporting cyber breaches.
The examination’s findings were as follows:
The OCIE’s findings were set forth in the form of a Risk Alert, the purpose of which is (1) to highlight for broker-dealers and advisers the risks and issues that the staff has identified in the course of its examinations and (2) to describe factors that firms may consider in assessing their supervisory, compliance and/or other risk management systems related to cybersecurity risks, and in making any changes, as appropriate, to address or strengthen such systems. Although the OCIE expressly stated that the factors noted are not exhaustive and do not constitute a safe harbor, a firm that addresses all of them will be in a better position when facing a future OCIE cybersecurity examination. This is reinforced by the fact that the Financial Industry Regulatory Authority (FINRA) issued a Report on Cybersecurity Practices that sets forth parallel points with respect to the areas that could be improved.
It is likely that future examinations will focus on the areas that the OCIE Risk Alert flagged as lacking. Broker-dealers and advisers should assess, and where necessary improve, their preparedness with respect to the following key issues:
- Third-Party Provider Management: Third-party vendors are often the weakest link in the cybersecurity chain and, for that reason, are a frequent point of entry for attackers. As is now well known, the Target data breach disclosed in December 2013 was traced to network credentials stolen from Target’s HVAC provider. If a third-party provider with access to a broker-dealer’s or an adviser’s systems is itself vulnerable, the measures the firm has taken to protect its own systems can be undermined, and the firm may still be held liable for the resulting breach. Third-party providers should be closely researched and assessed before they are selected; contracts with them should be carefully drafted to include sufficient protective provisions; and periodic audits should be conducted to ensure that those contractual provisions are followed. Guidance on this topic has been provided by various financial regulators[1] and can serve as a starting point for discussions with legal counsel.
- Cyber Incident Reporting: A significant part of the information collected and maintained by broker-dealers and advisers is “personally identifiable” information. As such, it is subject to a “patchwork quilt” of data breach notification laws in 47 states. Firms should seek legal counsel to assess which laws in which jurisdictions apply to the data they collect and process, and to formulate a clear written plan for responding to and reporting breach incidents, not only to FinCEN and law enforcement, but also to regulators, to the individuals whose data may have been compromised, and to anyone else to whom they may be required to report by law or under their cybersecurity insurance policies.
- Cybersecurity Insurance: Insurance providers are increasingly excluding cyber incidents from coverage under general liability insurance policies. Broker-dealers and advisers should acquire policies tailored to their size and their needs to ensure that they are covered when an incident occurs.
[1] See, e.g., OCIE, Risk Alert, Investment Adviser Due Diligence Processes for Selecting Alternative Investments and their Respective Managers (Jan. 28, 2014), http://www.sec.gov/about/offices/ocie/adviser-due-diligence-alternative-investments.pdf; FINRA, Notice to Members 05-48, Members’ Responsibilities When Outsourcing Activities to Third-Party Service Providers (July 2005), http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014735.pdf; FINRA, Regulatory Notice 11-14, Third-Party Service Providers (March 2011), https://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p123398.pdf; OCC, Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance (Oct. 30, 2013), http://occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html; FDIC, FIL-44-2008, Guidance for Managing Third-Party Risk (June 6, 2008), https://www.fdic.gov/news/news/financial/2008/fil08044.html; FDIC, FIL-13-2014, Technology Outsourcing: Informational Tools for Community Bankers (reissued Apr. 7, 2014), https://www.fdic.gov/news/news/financial/2014/fil14013.html; Federal Reserve, Guidance on Managing Outsourcing Risk (Dec. 5, 2013), http://www.federalreserve.gov/bankinforeg/srletters/sr1319a1.pdf; NYDFS, Cybersecurity Guidance, http://www.pepperlaw.com/publications_update.aspx?ArticleKey=3132.
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.