On September 26, 2018, the Securities and Exchange Commission charged Voya Financial Advisors Inc., an investment advisor and broker-dealer, for its failure to respond adequately to a cybersecurity intrusion. This case marks the first SEC charges related to the Identity Theft Red Flags Rule (Regulation S-ID), which requires regulated entities that maintain covered accounts to implement identity theft programs.

The action signals that the SEC’s Enforcement Division will pursue regulated entities that fail to implement adequate cybersecurity protocols, even when those entities maintain relatively robust policies and even in the absence of any theft of funds or securities. Regulated entities should pay particular attention to red flags, fully extend their cybersecurity programs to contractors, and direct more resources toward governance and implementation.

SEC Cybersecurity Framework

Broadly speaking, the SEC divides its enforcement approach to cybersecurity into three areas:

• Unlawful Market Advantage. The SEC investigates cyber-related misconduct designed to gain some form of unlawful market advantage. Examples include hacking or intrusions designed to facilitate insider trading or market manipulation.

• Regulated Entities. As demonstrated by this most recent action, the SEC also will pursue registered entities—investment advisors, broker-dealers, and others—that fail to safeguard information or to develop adequate protocols. The SEC focuses on breaches of various Commission rules, such as Regulations S-P, S-ID, SCI, and others, as well as the design and execution of policies and procedures.

• Public Companies. The third area of SEC focus is public company disclosures related to cyber events. In February 2018, the Commission issued guidance reaffirming the need for public companies to disclose risks and implications of cyber events.

The Commission has been proceeding cautiously in the second and third categories. That hesitation acknowledges that regulated entities and public companies are themselves victims of intrusions, appreciates the evolving nature of technological threats, and reflects a desire to encourage a collaborative regulatory relationship in this area.

The case against Voya suggests a subtle shift in this dynamic. The SEC appears more willing to police cybersecurity through enforcement. This action follows the SEC’s formation of a Cyber Unit in September 2017 and the high-profile announcement of a settled action against Altaba in April 2018. Investment advisors and broker-dealers should anticipate additional examination and enforcement focus on cybersecurity, and a less forgiving approach to intrusions.

Cybersecurity for Investment Advisors

In April 2015, the Division of Investment Management (IM) issued cybersecurity guidance for investment advisors. The guidance focused on the adequacy of cybersecurity policies and procedures. IM advised registrants to take the following steps:

• Periodic Assessment. Conduct a periodic assessment of (1) the information collected and used and the related technology systems; (2) internal and external threats and vulnerabilities; (3) current controls and processes; (4) the impact of breaches; and (5) the governance structure. An effective assessment identifies threats and vulnerabilities to prioritize and mitigate risk.
