March 02, 2015 Practice Points

Recent SEC Publications Address Cybersecurity

These publications provide tips to investors, and also may be useful for broker-dealers and investment advisors to consider in addressing cybersecurity issues at their firms.

By James Thomas and Laura D'Allaird

In a February 3, 2015 press release, the Securities and Exchange Commission (SEC) announced its publication of a risk alert and an investor bulletin addressing cybersecurity risks at brokerage and advisory firms. These publications provide tips to investors, and also may be useful for broker-dealers and investment advisors to consider in addressing cybersecurity issues at their firms.

According to SEC Chair Mary Jo White, “[c]ybersecurity threats know no boundaries. That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC . . . Through our engagement with other government agencies as well as with the industry and educating the investing public, we can all work together to reduce the risk of cyber attacks.”

The risk alert, from the SEC’s Office of Compliance Inspections and Examinations, contains information based on examinations of more than 100 broker-dealers and investment advisers. The risk alert provides information on how these various firms:

  • identify cybersecurity risks;
  • establish cybersecurity policies, procedures, and oversight processes;
  • protect their networks and information;
  • identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors;
  • detect unauthorized activity.

Some of the examined firms’ procedures to address cybersecurity threats that the risk alert highlights include conducting firm-wide inventorying, cataloguing, or mapping of their technology resources, conducting periodic audits to ensure compliance with written information-security policies, and having a written policy to address how to determine whether the firm is responsible for client losses associated with cyber incidents. The risk alert also notes that many of the examined firms identify best practices through both formal and informal information-sharing networks, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC). Underlining the importance of assessing and protecting against cybersecurity threats, the risk alert notes that 88 percent of the broker-dealers and 74 percent of the advisers included in the examination stated that they have experienced cyber-attacks directly or through one or more of their vendors, the majority of which related to malware and fraudulent emails.

The Investor Bulletin, issued by the SEC’s Office of Investor Education and Advocacy, provides key suggestions to help investors protect online investment accounts, including:

  • pick a “strong” password
  • use two-step verification
  • exercise caution when using public networks and wireless connections

According to Office of Investor Education and Advocacy Director Lori J. Schock, “[t]his bulletin provides everyday investors with a set of useful tips to help protect themselves from cyber-criminals and online fraud.”

Such practical information may prove useful to many firms in assessing how to shape and implement their own cybersecurity policies and procedures.

Keywords: litigation, cybersecurity, professional services liability, SEC

— James Thomas and Laura D'Allaird, Arnold & Porter LLP, Washington, D.C.


Copyright © 2015, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).