{"id":1272,"date":"2017-07-20T16:37:19","date_gmt":"2017-07-20T20:37:19","guid":{"rendered":"https:\/\/www2.law.temple.edu\/10q\/?p=1272"},"modified":"2017-07-20T16:37:19","modified_gmt":"2017-07-20T20:37:19","slug":"the-sec-and-cybersecurity","status":"publish","type":"post","link":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/","title":{"rendered":"The SEC and Cybersecurity"},"content":{"rendered":"<p>The Securities and Exchange Commission (\u201cSEC\u201d) has been squarely focused on cybersecurity and data protection for the last several years. The SEC launched an initiative to examine investment advisers\u2019 cybersecurity compliance and controls in 2014, and these areas remain an examination priority. The SEC has also published multiple pieces of cybersecurity guidance and risk alerts since 2014. David Glockner, regional director of the SEC\u2019s Chicago office, recently stated that the SEC will lead its \u201cefforts with respect to cyber-security controls through the exam program, not through enforcement.\u201d However, the SEC has also brought enforcement actions against investment advisers resulting from cyber-attacks and the firms\u2019 lack of written cybersecurity policies and procedures designed to protect against such attacks. Investment advisers, and those who counsel them, should be aware of the SEC\u2019s authority to mandate and enforce cybersecurity controls.<\/p>\n<p>The SEC brought its first cybersecurity enforcement action against an adviser in September 2015, when it instituted administrative and cease-and-desist proceedings against R.T. Jones Capital Equities Management, Inc. (\u201cR.T. Jones\u201d), alleging that R.T. Jones failed to adopt written policies and procedures reasonably designed to protect customer records and information in violation of Rule 30(a) of Regulation S-P (the \u201cSafeguards Rule\u201d). 
The Safeguards Rule requires registered investment advisers to adopt written policies and procedures reasonably designed to safeguard customer records and information. The proceedings stemmed from a July 2013 attack on R.T. Jones\u2019s server that left the personally identifiable information (\u201cPII\u201d) of more than 100,000 individuals vulnerable to theft. The order alleged that \u201c[f]rom at least September 2009 through July 2013, R.T. Jones stored sensitive PII of clients on its third party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.\u201d To mitigate the risks of future cyber threats, R.T. Jones appointed an information security manager, adopted and implemented a written information security policy, no longer stores PII on its webserver and encrypts any PII stored on its internal network, installed new firewall and logging systems to prevent and detect malicious incursions, and retained a cybersecurity firm to provide ongoing reports and advice on the firm\u2019s information technology security. R.T. Jones was ordered to pay a civil money penalty of $75,000.<\/p>\n<p>In a second action, against Morgan Stanley Smith Barney, LLC (\u201cMSSB\u201d) in June 2016, the SEC found that MSSB willfully violated the Safeguards Rule despite its adoption of written policies and procedures relating to the protection of customer PII, because those policies were not reasonably designed to safeguard its customers\u2019 PII as required by the Safeguards Rule. The SEC alleged that from 2011 to 2014, an MSSB employee misappropriated the PII of approximately 730,000 customers, including customers\u2019 names, addresses, and account numbers, balances and securities holdings. 
In its findings, the SEC alleged that MSSB\u2019s written policies and procedures failed to adequately address certain key administrative, technical and physical safeguards, such as: reasonably designed and operating authorization modules for certain business portals to restrict employee access to only the confidential customer data that employees had a legitimate business interest to use; auditing and\/or testing of the effectiveness of such authorization modules; and monitoring and analyzing of employee access to and use of the portals. In addition to remedial efforts already undertaken, MSSB was ordered to pay a civil money penalty of $1,000,000.<\/p>\n<p>As Mr. Glockner noted at the SEC\u2019s compliance outreach program in Chicago, the agency is \u201cfocused on trying to prevent these problems before they occur.\u201d The SEC has previously articulated its views on effective cybersecurity protocols by providing guidance for investment advisers to assess cybersecurity risks, including periodic assessments of: (1) the nature, sensitivity and location of information that the firm collects, processes and\/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm\u2019s information and technology systems; (3) security controls and processes currently in place; (4) the impact should information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risks. Mr. Glockner has also emphasized that written policies and procedures may be found to be deficient on their face even if there was no breach. 
For that reason, an adviser\u2019s policies and procedures should be tailored to its operations.<\/p>\n<p>The SEC\u2019s guidance has also pointed to certain practices investment advisers may wish to implement to ensure the sufficiency of their cybersecurity compliance and controls, including:<\/p>\n<ul>\n<li>Controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and\/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;<\/li>\n<li>Data encryption;<\/li>\n<li>Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;<\/li>\n<li>Data backup and retrieval;<\/li>\n<li>The development of an incident response plan; and<\/li>\n<li>Routine testing of these strategies.<\/li>\n<\/ul>\n<p>These strategies should be implemented through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Investment advisers may also wish to educate investors and clients about how to reduce their exposure to cyber threats concerning their accounts.<\/p>\n<hr \/>\n<p><em><a href=\"http:\/\/www.drinkerbiddle.com\/people\/m\/mccarthy-diana-e\">Diana E. McCarthy (LAW &#8217;93)<\/a> is a partner at Drinker Biddle in the firm\u2019s Investment Management Group. 
She\u00a0focuses on representations of registered investment companies, including exchange-traded funds, and their independent boards of directors, investment advisers and other financial services companies.<\/em><\/p>\n<p><em><a href=\"http:\/\/www.drinkerbiddle.com\/people\/l\/lindauer-joshua-m\">Joshua M. Lindauer<\/a>\u00a0is an associate at Drinker Biddle where he\u00a0counsels a variety of clients in the investment management industry, including investment advisers and investment companies. He also advises clients on the formation, governance, reorganization and ongoing operations of investment companies, such as product structuring, marketing, operations, and compliance.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Diana E. McCarthy (LAW \u201993) and Joshua M. Lindauer examine the SEC through the lens of cybersecurity enforcement<\/p>\n","protected":false},"author":5,"featured_media":1273,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12,52,38,20],"tags":[223,376,377,378,379,380,373,381,198],"coauthors":[2,374,375],"class_list":["post-1272","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-alumni-authored","category-compliance","category-regulated-industries","category-technology","tag-cybersecurity","tag-david-glockner","tag-guidance","tag-morgan-stanley-smith-barney-llc","tag-pii","tag-r-t-jones","tag-regulations","tag-safegaurds-rule","tag-sec","masonry-post","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.2 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>The SEC and Cybersecurity - The Temple 10-Q<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" 
href=\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"The SEC and Cybersecurity - The Temple 10-Q\" \/>\n<meta property=\"og:description\" content=\"Diana E. McCarthy (LAW \u201993) and Joshua M. Lindauer examine the SEC through the lens of cybersecurity enforcement\" \/>\n<meta property=\"og:url\" content=\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\" \/>\n<meta property=\"og:site_name\" content=\"The Temple 10-Q\" \/>\n<meta property=\"article:published_time\" content=\"2017-07-20T20:37:19+00:00\" \/>\n<meta name=\"author\" content=\"Books Schatschneider, Diana E. McCarthy (LAW \u201993), Joshua M. Lindauer\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Books Schatschneider, Diana E. McCarthy (LAW \u201993), Joshua M. Lindauer\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\"},\"author\":{\"name\":\"Books Schatschneider\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154\"},\"headline\":\"The SEC and Cybersecurity\",\"datePublished\":\"2017-07-20T20:37:19+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\"},\"wordCount\":989,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg\",\"keywords\":[\"Cybersecurity\",\"David Glockner\",\"Guidance\",\"Morgan Stanley Smith Barney LLC\",\"PII\",\"R.T. 
Jones\",\"Regulations\",\"Safegaurds Rule\",\"SEC\"],\"articleSection\":[\"Alumni Authored\",\"Compliance\",\"Regulated Industries\",\"Technology\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\",\"url\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\",\"name\":\"The SEC and Cybersecurity - The Temple 10-Q\",\"isPartOf\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg\",\"datePublished\":\"2017-07-20T20:37:19+00:00\",\"author\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154\"},\"breadcrumb\":{\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage\",\"url\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg\",\"contentUrl\":\"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg\",\"width\":2560,\"height\":1706},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/law.temple.edu\/10q\/\"},
{\"@type\":\"ListItem\",\"position\":2,\"name\":\"The SEC and Cybersecurity\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#website\",\"url\":\"https:\/\/law.temple.edu\/10q\/\",\"name\":\"The Temple 10-Q\",\"description\":\"Temple&#039;s Business Law Magazine\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/law.temple.edu\/10q\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154\",\"name\":\"Books Schatschneider\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g9dc77189f33a293d2c82a50cd24ebb9f\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g\",\"caption\":\"Books Schatschneider\"},\"url\":\"https:\/\/law.temple.edu\/10q\/author\/rschatsc\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"The SEC and Cybersecurity - The Temple 10-Q","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/","og_locale":"en_US","og_type":"article","og_title":"The SEC and Cybersecurity - The Temple 10-Q","og_description":"Diana E. McCarthy (LAW \u201993) and Joshua M. 
Lindauer examine the SEC through the lens of cybersecurity enforcement","og_url":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/","og_site_name":"The Temple 10-Q","article_published_time":"2017-07-20T20:37:19+00:00","author":"Books Schatschneider, Diana E. McCarthy (LAW \u201993), Joshua M. Lindauer","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Books Schatschneider, Diana E. McCarthy (LAW \u201993), Joshua M. Lindauer","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#article","isPartOf":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/"},"author":{"name":"Books Schatschneider","@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154"},"headline":"The SEC and Cybersecurity","datePublished":"2017-07-20T20:37:19+00:00","mainEntityOfPage":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/"},"wordCount":989,"commentCount":0,"image":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage"},"thumbnailUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg","keywords":["Cybersecurity","David Glockner","Guidance","Morgan Stanley Smith Barney LLC","PII","R.T. 
Jones","Regulations","Safegaurds Rule","SEC"],"articleSection":["Alumni Authored","Compliance","Regulated Industries","Technology"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/","url":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/","name":"The SEC and Cybersecurity - The Temple 10-Q","isPartOf":{"@id":"https:\/\/law.temple.edu\/10q\/#website"},"primaryImageOfPage":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage"},"image":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage"},"thumbnailUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg","datePublished":"2017-07-20T20:37:19+00:00","author":{"@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154"},"breadcrumb":{"@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#primaryimage","url":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg","contentUrl":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg","width":2560,"height":1706},{"@type":"BreadcrumbList","@id":"https:\/\/law.temple.edu\/10q\/the-sec-and-cybersecurity\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/law.temple.edu\/10q\/"},{"@type":"ListItem","position":2,"name":"The SEC and 
Cybersecurity"}]},{"@type":"WebSite","@id":"https:\/\/law.temple.edu\/10q\/#website","url":"https:\/\/law.temple.edu\/10q\/","name":"The Temple 10-Q","description":"Temple&#039;s Business Law Magazine","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/law.temple.edu\/10q\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/law.temple.edu\/10q\/#\/schema\/person\/23e7012f0cf133dbeb0e76693c9e0154","name":"Books Schatschneider","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g9dc77189f33a293d2c82a50cd24ebb9f","url":"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/62b6c5fa1068c42262dab498d74cb3fc60fbba8344047dc13348bd3aacf7b70a?s=96&d=mm&r=g","caption":"Books 
Schatschneider"},"url":"https:\/\/law.temple.edu\/10q\/author\/rschatsc\/"}]}},"jetpack_featured_media_url":"https:\/\/law.temple.edu\/10q\/wp-content\/uploads\/sites\/12\/2017\/07\/pexels-photo-241028-scaled.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts\/1272","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/comments?post=1272"}],"version-history":[{"count":0,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/posts\/1272\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/media\/1273"}],"wp:attachment":[{"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/media?parent=1272"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/categories?post=1272"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/tags?post=1272"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/law.temple.edu\/10q\/wp-json\/wp\/v2\/coauthors?post=1272"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}