The Securities and Exchange Commission’s creation of its Cyber Unit, coupled with an uptick in exams and the relentless onslaught of cyber intrusion attempts, should put broker-dealers and investment advisors on notice: regulators are training their sights on policies, practices and people.

“I’m aware of exams that are going on by both the SEC and FINRA and I think it’s just a matter of time before enforcement referrals are made,” said Brian L. Rubin, a partner with Eversheds Sutherland, which just published a new legal alert: “SEC and States Are Upping Their Cyber Game, Are You Doing the Same?”

As the virulence and prevalence of cyberattacks increase, “regulators at both the federal and state levels are looking to enforce sound cyber hygiene on the front end, and they are increasingly requiring that proactive plans and policies be updated regularly to address rapidly evolving threats,” the report states.

With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well. 

The unit will function as part of the SEC’s Enforcement Division to target misconduct in six cyber-related priority areas:

• Market manipulation schemes involving false information spread through electronic and social media;

• Hacking to obtain material nonpublic information;

• Violations involving distributed ledger technology and initial coin offerings;

• Misconduct perpetrated using the dark web;

• Intrusions into retail brokerage accounts; and 

• Cyber-related threats to trading platforms and other critical market infrastructure.

These are all areas firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action, Rubin says.

Last year, the SEC fined Morgan Stanley Smith Barney LLC for failing to protect information from 730,000 client accounts. The data was first taken by an employee and transferred to a personal server, then hacked from that server and offered for sale online. The employee who transferred the clients’ personal financial data was required to pay $600,000 in restitution and was barred from the securities industry for five years.

In that case, the SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines a light on what the SEC expects from firms when it comes to the internal web applications and portals that give employees access to customers’ confidential account information.

Morgan Stanley did not have effective authorization modules restricting each employee’s access to customer data to the accounts that employee had a legitimate business need to see. The firm also failed to audit and test those modules, and failed to monitor and analyze how employees were accessing and using them.

As a result, a Morgan Stanley employee was able to download and transfer confidential data to his personal server at home over a four-year period. A likely third-party hack of that personal server then resulted in portions of the confidential data being posted on the Internet, with offers to sell larger quantities.
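The two control gaps the SEC identified, need-to-know authorization and monitoring of how employees use the portal, are concrete enough to illustrate in code. The following is an added example written for this article; it is not Morgan Stanley’s system, the SEC’s description of it, or any vendor product. The employee-to-account “book” mapping, the account identifiers, the timestamps and the thresholds are all constructed for the demonstration. The portal can be run with enforcement switched off to mimic the deficient configuration (every request succeeds), which shows why the audit log and the bulk-access monitor still matter even when the authorization layer fails.

```python
"""Need-to-know authorization plus audit logging and bulk-access monitoring.

Added illustration for the access-control failures described above; all
names, accounts, timestamps and thresholds are constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    account_id: str
    allowed: bool


class CustomerDataPortal:
    """Internal portal exposing customer account records to employees.

    `books` maps each employee to the set of account ids they have a
    legitimate business need to see (constructed, not a real schema).
    With enforce=False the portal behaves like the deficient configuration:
    every request succeeds, but every request is still logged.
    """

    def __init__(self, books, enforce=True):
        self.books = {emp: set(ids) for emp, ids in books.items()}
        self.enforce = enforce
        self.audit_log = []

    def is_authorized(self, employee, account_id):
        return account_id in self.books.get(employee, set())

    def get_account(self, employee, account_id, now):
        allowed = self.is_authorized(employee, account_id) or not self.enforce
        # Log every attempt, allowed or denied, before returning anything
        self.audit_log.append(AccessEvent(now, employee, account_id, allowed))
        if not allowed:
            raise PermissionError(f"{employee} has no business need for {account_id}")
        # Placeholder record; a real portal would query the account store
        return {"account_id": account_id, "owner": f"customer-of-{account_id}"}


def denied_attempts(log):
    """Employees with at least one denied request, mapped to the count."""
    counts = defaultdict(int)
    for ev in log:
        if not ev.allowed:
            counts[ev.employee] += 1
    return dict(counts)


def flag_bulk_access(log, window, max_distinct):
    """Flag employees who read more than `max_distinct` distinct accounts
    inside any sliding window of length `window`. Returns employee -> peak."""
    by_emp = defaultdict(list)
    for ev in log:
        if ev.allowed:
            by_emp[ev.employee].append(ev)
    flagged = {}
    for emp, events in by_emp.items():
        events.sort(key=lambda e: e.ts)
        peak = 0
        for i, start in enumerate(events):
            seen = set()
            for ev in events[i:]:
                if ev.ts - start.ts >= window:
                    break
                seen.add(ev.account_id)
            peak = max(peak, len(seen))
        if peak > max_distinct:
            flagged[emp] = peak
    return flagged


def demo():
    """Constructed scenario: a strict portal denies an out-of-book read; a lax
    portal lets one employee sweep 60 accounts, which the monitor catches."""
    books = {"alice": {"ACCT-1", "ACCT-2"}, "bob": {"ACCT-3"}}
    t0 = datetime(2016, 6, 1, 9, 0)

    strict = CustomerDataPortal(books)
    strict.get_account("alice", "ACCT-1", t0)
    try:
        strict.get_account("bob", "ACCT-1", t0 + timedelta(minutes=1))
    except PermissionError:
        pass
    denied = denied_attempts(strict.audit_log)

    lax = CustomerDataPortal(books, enforce=False)
    for i in range(60):  # one account every 10 seconds for 10 minutes
        lax.get_account("bob", f"ACCT-{i}", t0 + timedelta(seconds=10 * i))
    bulk = flag_bulk_access(lax.audit_log, timedelta(minutes=5), max_distinct=20)
    return denied, bulk


if __name__ == "__main__":
    print(demo())
```

The authorization check and the audit log live in the same code path so that a denied request is recorded even though nothing is returned, and the monitor runs over the log rather than over the authorization decision, so a misconfigured or bypassed check still leaves a detectable trail. In practice the window and distinct-account threshold would be tuned to each role’s normal workload.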

What Advisors Should Do

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. “Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year,” the report says.

Examiners are also looking at employee training and vendor relationships, Rubin said. Firms should have policies that show they actively train their employees and registered persons, so that each person understands her role and responsibility with regard to cybersecurity, he said.

Firms are also responsible for knowing what kind of cybersecurity system their vendors have, he added.

State regulators found nearly 700 deficiencies during exams of 1,200 state-registered investment advisors in the first year in which they reported on cybersecurity.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and assign specific roles and responsibilities for people to assess these requirements on a frequent basis. To limit the damage from a data breach, firms may want to consider routinely backing up devices and storing the underlying data in a separate, remote location.

Firms may also want to test backup procedures regularly to confirm they work as intended. Similarly, NASAA recommends that firms consider whether email communications should be sent securely, especially where they contain identifying information about a client.