Exam Priorities and Alerts
The SEC’s Division of Examinations (formerly known as the Office of Compliance Inspections and Examinations, or OCIE) has explicitly included cybersecurity concerns in its examination priorities since 2012. Over that period, the division has published eight risk alerts touching on cybersecurity matters, steadily upping the ante on the topic.
The earliest risk alerts included cybersecurity matters almost as an aside. For example, a 2012 risk alert on social media use by investment advisors contained a single paragraph on information security, noting that “[a]lthough hacking and other breaches of information security can be posed in multiple ways, use of social media, especially third party social media sites, may pose elevated risks.” Investment Adviser Use of Social Media (Jan. 4, 2012).
Alerts that followed began to focus more squarely on cybersecurity. In February 2015, the Exam Division announced the results of an examination sweep of 57 registered broker-dealers and 49 registered investment advisors related specifically to cybersecurity issues. See Cybersecurity Examination Sweep Summary (Feb. 3, 2015). The alert announcing those results disclosed that 88 percent of broker-dealers examined and 74 percent of investment advisors examined had experienced a cyberattack either directly or through a vendor. The alert also announced that although 68 percent of broker-dealers had a designated chief information security officer (CISO), only 30 percent of investment advisors had a designated CISO. Most of the examined advisors assigned the duties of a CISO to a chief technology officer or other senior executive.
In 2017, the Exam Division issued another risk alert containing an overview of observations from the continued cybersecurity examination of registered entities. Observations from Cybersecurity Examinations (Aug. 7, 2017). Although the Exam Division noted increased preparedness from prior years, it also identified several areas for continued improvement. These included full remediation of observed vulnerabilities, enhancing policies and procedures to reflect firms’ actual practices, and ensuring compliance with Regulation S-P (which generally requires written policies and procedures that protect customer information) through robust system maintenance.
Four subsequent Exam Division risk alerts issued between 2017 and 2019 focused on discrete issues related to cybersecurity: ransomware attacks, use of personal and mobile devices for electronic messaging, compliance with privacy notice and safeguard obligations under Regulation S-P, and safeguarding customer records in network storage. Cybersecurity: Ransomware Alert (May 17, 2017); Observations from Investment Adviser Examinations Relating to Electronic Messaging (Dec. 14, 2018); Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P—Privacy Notices and Safeguard Policies (Apr. 16, 2019); Safeguarding Customer Records and Information in Network Storage—Use of Third Party Security Features (May 23, 2019).
On January 27, 2020, the Exam Division’s focus on cybersecurity reached full throttle in a report entitled Cybersecurity and Resiliency Observations. The report summarized best practices for “managing and combating cybersecurity risk and the maintenance and enhancement of operational resiliency” and highlighted the following areas of cybersecurity focus, many of which had been discussed in previous alerts:
- Governance and Risk Management
- Access Rights and Controls
- Data Loss Prevention
- Mobile Security
- Incident Response and Resiliency
- Vendor Management
- Training and Awareness
While recognizing “there is no such thing as a ‘one-size fits all’ approach” to cybersecurity, the Exam Division report presented these considerations as takeaways from “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” If nothing else, the report suggests that the listed areas will likely be points of focus in any examination.
We can expect the Exam Division’s focus on cybersecurity to continue. Most recently, in announcing its 2021 examination priorities, the Exam Division stated that it would “review whether registrants have taken appropriate measures” to safeguard customer accounts, prevent account intrusions, oversee vendors, and respond to incidents (including those related to ransomware attacks), among other things. SEC Press Release 2021-39, SEC Division of Examinations Announces 2021 Examination Priorities (Mar. 3, 2021).
Enforcement Actions Have Focused on the Safeguards Rule of Regulation S-P
The first wave of enforcement actions against registered entities came shortly after the Exam Division reiterated its focus on cybersecurity issues affecting broker-dealers and investment advisors in 2015. The SEC’s focus in actions against registered entities has been those entities’ compliance with Regulation S-P and its Safeguards Rule.
The First Wave
In late 2015, the commission charged R.T. Jones Capital Equities Management, an investment advisor, with failing to adopt proper prophylactic cybersecurity procedures in advance of a breach that compromised the information of thousands of firm clients. In the Matter of R.T. Jones Capital Equities Mgmt., Inc. (Sept. 22, 2015). Under the Safeguards Rule, registered entities are required to “adopt written policies and procedures reasonably designed to protect customer records and information.” The commission found that R.T. Jones had violated this rule by failing to adopt any written policies ensuring the security of its clients’ personally identifiable information (PII).
The commission’s order instituting a settled administrative proceeding found that R.T. Jones had not implemented policies and procedures designed to protect the PII of its clients, which was housed on a server hosted by a third party. When the server was compromised in 2013, R.T. Jones promptly disclosed the breach to each affected individual and hired a cybersecurity consultant to analyze the scope of the attack. There was no indication that any client suffered financial harm as a result of the breach. Still, on a no-admit, no-deny basis, R.T. Jones agreed to a censure and a $75,000 penalty and agreed to refrain from further violations of Regulation S-P. In the press release accompanying the order, Marshall S. Sprung, then co-chief of the SEC Enforcement Division’s Asset Management Unit, stated that “[a]s we see an increasing barrage of cyber attacks on financial firms, it is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients.” SEC Press Release 2015-202, SEC Charges Investment Adviser With Failing to Adopt Proper Cybersecurity Policies and Procedures Prior To Breach (Sept. 22, 2015) (emphasis added).
In 2016, Morgan Stanley Smith Barney LLC agreed to a $1 million civil penalty for failure to adopt policies and procedures designed to protect consumer data following an employee’s transfer of data related to more than 70,000 accounts to his personal server, which was later hacked. In the Matter of Morgan Stanley Smith Barney, LLC (June 8, 2016). The employee at issue was criminally convicted and received 36 months’ probation and a $600,000 restitution order.
The commission’s order found that Morgan Stanley failed to adopt reasonable policies safeguarding consumer data with respect to two internal portals through which employees could access customer information. The commission found that these portals did not have effective authorization modules and that Morgan Stanley did not audit or test the authorization modules to determine their effectiveness. In addition, Morgan Stanley did not sufficiently monitor its employees’ access to and use of the portals containing sensitive customer information. As a result, an employee was able to download confidential information to his personal computer over a series of three years. Portions of this confidential information were exposed when the employee’s personal system was hacked.
Also in 2016, Craig Scott Capital LLC (CSC) and two individual officers agreed to pay a collective $150,000 for violations of Regulation S-P’s Safeguards Rule. In the Matter of Craig Scott Capital, LLC, Craig S. Taddonio, and Brent M. Porges (Apr. 12, 2016). Unlike the alleged failures in R.T. Jones and Morgan Stanley, CSC’s alleged violation of the Safeguards Rule did not actually result in the compromise of customer information. CSC had merely failed—in the judgment of the commission—to enact sufficient policies and procedures ensuring the protection of confidential customer information.
Specifically, CSC and the two individuals routinely used email addresses other than those associated with the firm’s domain name—i.e., personal email addresses—to receive faxes from thousands of customers and third parties containing sensitive information, such as customer names, addresses, Social Security numbers, bank and brokerage account numbers, copies of driver’s licenses and passports, and other financial information. In addition, the commission found that CSC’s principals and other employees routinely used their personal email addresses for firm business, failing to preserve the correspondence in violation of section 17(a) of the Exchange Act and Rule 17a-4 thereunder. Although the firm had written supervisory procedures, the order found they were not reasonably designed to “protect customer records and information, as required by the Safeguards Rule” because they “failed to designate the responsible supervisor, [ ] failed to address how customer records and information transmitted through the electronic fax system was to be handled, [ ] contained blanks as to how CSC was to comply with the Safeguards Rule, and [ ] were not tailored to the actual practices at CSC.”
These early enforcement actions drove home the message that the SEC will charge violations of Regulation S-P even when there is no apparent harm to investors or clients, and violations of the regulation can be based on a variety of fact patterns.
Social Engineering Makes an Appearance
On September 26, 2018, Voya Financial Advisers (Voya or VFA) agreed to pay $1 million to settle charges related to alleged failures in its cybersecurity policies that violated Regulation S-P and the Identity Theft Red Flags Rule. In the Matter of Voya Fin. Advisers, Inc. (Sept. 26, 2018). As noted in the press release, Voya was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. SEC Press Release 2018-213, SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018). In a departure from previous cybersecurity cases, the intrusion at issue was not purely virtual; it involved cyber thieves calling Voya’s support lines and impersonating Voya contractors to gain access to those contractors’ accounts. During the calls, the thieves requested that the contractors’ passwords be reset, and once they had gained access to Voya’s systems, the impersonators accessed the PII of about 5,600 Voya customers. There was no indication that any unauthorized transfers had been made from client accounts.
On a no-admit, no-deny basis, the commission found that Voya had violated the Safeguards Rule and the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft. Specifically, its policies and procedures with regard to “resetting VFA contractor representatives’ passwords, terminating web sessions in its proprietary gateway system for VFA contractor representatives, identifying higher-risk representatives and customer accounts for additional security measures, and creation and alteration of Voya.com customer profiles” were not designed to reasonably protect customer information. For example, while Voya apparently kept a “monitoring list” of phone numbers associated with potentially fraudulent activity, Voya’s telephone representatives were not required to have that list accessible while taking calls. Apparently two of the impersonators called from numbers on the monitoring list.
As in previous orders, the commission reiterated that there is no one-size-fits-all solution to cybersecurity, but that “cybersecurity procedures must be reasonably designed to fit [companies’] specific business models.” SEC Press Release 2018-213, supra. Companies must therefore take into account the potentially unique aspects of their business—as well as how their firm operates in practice—when developing policies and procedures relating to cybersecurity.
The Most Recent Wave of Enforcement
After a brief quiet spell, the Enforcement Division brought two more cyber-related enforcement actions against registered entities in the last year. In May 2021, in an unusual case, the commission charged a broker-dealer with failing to file Suspicious Activity Reports (SARs) in accordance with the federal Bank Secrecy Act (BSA) following successful and attempted takeovers of retirement accounts by cybercriminals and other bad actors. In the Matter of GWFS Equities, Inc. (May 12, 2021). According to the SEC’s order, between 2015 and 2018, GWFS Equities, Inc., experienced an increase in attempted account takeovers, or instances in which bad actors attempted to gain unauthorized access to an account, often by leveraging improperly obtained personal information belonging to the account holders.
The SEC alleged that GWFS failed to file required SARs in about 130 instances and failed to provide sufficient detail in the SARs it did file in an additional 300 instances. The SEC acknowledged that in many cases, GWFS detected account takeovers before any improper distributions occurred, and the commission did not allege that the personal information used in attempted takeovers had been obtained through any breach of GWFS’s systems. Nonetheless, the SEC alleged that GWFS’s conduct violated the financial record-keeping and reporting provisions of section 17(a) of the Exchange Act and Rule 17a-8. The SEC ordered GWFS to cease and desist from any future violations, censured GWFS, and imposed a $1.5 million civil penalty. GWFS neither admitted nor denied the SEC’s allegations in the order.
Most recently, on August 30, 2021, the commission sanctioned eight broker-dealer and investment advisor firms for alleged failures in their cybersecurity policies and procedures. According to the commission, these failures allowed unauthorized third parties to take over cloud-based email accounts of firm representatives, exposing PII of thousands of firm customers and clients in violation of Rule 30(a) of Regulation S-P. In the Matter of Cetera Advisor Networks LLC (Aug. 30, 2021); In the Matter of Cambridge Inv. Research, Inc. (Aug. 30, 2021); In the Matter of KMS Fin. Servs., Inc. (Aug. 30, 2021).
In one instance, the firm’s policies required multifactor authentication (MFA) “whenever possible,” but allegedly none of the compromised email accounts had MFA turned on. In another instance, a firm recommended the use of MFA for email accounts by independent representatives but allegedly did not require it, even after account takeovers had been discovered. In yet another instance, the commission alleged, one firm had become aware of a breach but took months to implement firmwide policies enhancing security.
The commission also alleged violations of the antifraud provisions of the Investment Advisers Act in one of the settled orders. Specifically, the SEC alleged the breach notifications sent to clients by two firms contained misleading language suggesting the notifications were being issued much closer in time to the discovery of the breach than they really were.
It appeared that none of the account takeovers in these cases resulted in unauthorized trades or fund transfers, but the SEC nonetheless charged the firms with violating Rule 30(a) of Regulation S-P. The firms that allegedly delivered misleading notifications to customers were also charged with violating section 206(4) of the Investment Advisers Act and Rule 206(4)-7. The firms neither admitted nor denied the commission’s charges but agreed to cease and desist from future violations, to be censured, and to pay civil penalties between $200,000 and $300,000.
Takeaways
The SEC is continuing to prioritize cybersecurity and focus on firms’ obligations to protect confidential customer information under the Safeguards Rule. As evidenced by the actions discussed above, the commission is willing to impose significant sanctions on firms that fail to meet that obligation even if there is ultimately no harm to investors as a result of that failure. The commission will also look at cybersecurity practices from a variety of angles to ensure firms are doing all they can to minimize cyber risk. Although it is important for firms to fashion appropriate cybersecurity policies and procedures on the front end, equally vital is the implementation of those policies and a prompt, transparent, and tailored response to any discovered breach.
Further, as discussed in Part I of this article, companies that do experience a cyberattack should promptly and accurately communicate with customers and clients who may have been affected, in accordance with relevant laws and regulations. They should also timely review existing security policies and procedures, ensure compliance, and analyze whether any enhancements should be made.