OCIE’s Cybersecurity Risk Alert Provides Insight for Investment Advisers into Peer Practices

February 13, 2015

Susan M. Kennedy

On February 3, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released a risk alert titled Cybersecurity Examination Sweep Summary, providing an overview of how investment advisers and broker-dealers are addressing the legal, regulatory and compliance issues associated with the increasing risk from cyber-attacks. The risk alert is based on the findings of OCIE’s 2014 cybersecurity sweep, which examined 49 investment advisers and 57 broker-dealers selected to represent a wide cross-section of the financial services industry. In conjunction with FINRA’s Report on Cybersecurity Practices, released on the same day, OCIE’s risk alert emphasizes regulators’ increasing focus on ensuring that all advisers are adequately recognizing and addressing cybersecurity issues. Both OCIE’s risk alert and FINRA’s report also reveal certain specific potential areas of concern that advisers should consider when responding to the ever-increasing risk of cyber-attacks.

Prevalence of Incidents

OCIE found that financial firms are already facing considerable cybersecurity risk. The OCIE survey revealed that 74 percent of advisers and 88 percent of broker-dealers have already experienced cyber-attacks, either directly or through one of their vendors. The majority of these attacks were related to malware and fraudulent e-mails. Almost 43 percent of advisers and 54 percent of broker-dealers reported receiving fraudulent e-mails attempting to wrongfully transfer client funds. FINRA’s report indicated that firms also face risk from outside hackers penetrating systems for the purposes of account manipulation, harvesting or destroying sensitive data and/or extortion, as well as from insiders abusing authorized access to systems and data.

Areas of Concern

Mapping of Technology Resources

Because an understanding of a firm’s technology infrastructure is the first step to identifying and reducing risks, OCIE notes that the majority of firms report conducting a firm-wide inventory or mapping of their technology infrastructure. Such cataloging usually includes an understanding of the types of data maintained by the firm, as well as the technology currently in use that provides any type of potential access to such data. As noted by OCIE, the types of systems mapped generally include hardware, devices and systems, software platforms and applications, network resources, connections and data flows. To the extent that they have not done so already, all advisers should consider such mapping of their technology infrastructure, since the OCIE risk alert indicates that OCIE is likely to expect all financial firms of any size to demonstrate an understanding of their potential cybersecurity risks in the future.

Implementation of Security Policy and Risk Assessment

OCIE’s risk alert notes that the majority of investment advisers and broker-dealers have adopted written information security policies and procedures, and conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities, as well as the potential consequences of any breaches. As such policies and procedures are fast becoming the de facto minimum standard, all advisers should consider conducting a cybersecurity risk assessment and creating and implementing proper written cybersecurity policies and procedures. Once implemented, such policies and procedures should be subject to periodic examination as part of an adviser’s Rule 206(4)-7 annual review so they can be updated as necessary in accordance with ever-evolving standards and ongoing risk assessment.

While no one standard has been endorsed, OCIE reports that when determining the “best practices” for cybersecurity, many of the surveyed firms were using the standards published by such organizations as the National Institute of Standards and Technology (NIST), the International Organization for Standardization (ISO) and the Federal Financial Institutions Examination Council (FFIEC). In FINRA’s cybersecurity release, it noted that effective practices include implementing a cyber-attack defense strategy and selecting controls appropriate to a firm’s technology and threat environment, addressing, for example:

  • Identity and access management;
  • Data encryption;
  • Penetration testing; and
  • Use of monitoring.

While such guidelines and standards can be used as a model for a firm’s security policy, it is important that any security policy also be tailored to a particular firm’s technology use, business activities and risk profile and should address any issues determined through the firm’s periodic risk assessments.

It is also important that employees be properly educated in these cybersecurity policies and procedures and that compliance be enforced to reduce cybersecurity risk. Indeed, OCIE’s risk alert indicates that many of the losses associated with fraudulent e-mails arose from employees’ failure to properly follow basic identity authentication procedures.

Cybersecurity issues should also be included in or cross-referenced to a firm’s business continuity/disaster recovery plan. These plans should identify and discuss the potential impacts of different types of cybersecurity incidents and outline plans to mitigate and recover from such incidents, including data breaches, loss of data, denial of service attacks or system shutdowns to eliminate malware.

Vendor Issues

Firms should also consider applying security policies and risk assessments to vendors with access to a firm’s networks. OCIE’s risk alert noted that many of the firms that had written cybersecurity policies failed to apply them to their vendors and other third-party business partners, even though such third-party access is often used as a means of implementing cyber-attacks against financial firms. We anticipate, however, that examiners will expect in the future that firms will demonstrate proper oversight over third-party vendors with access to a firm’s network and data.

Accordingly, when using vendors, a firm should consider, among other things:

  • Limiting vendor access to networks and data to only that access necessary for the conduct of the vendor relationship;
  • Performing pre-contract and ongoing due diligence/risk assessment with respect to a vendor’s cybersecurity practices, including any use of subcontractors, and ensuring that vendors and/or subcontractors with access to the firm’s systems meet and follow the requirements of the firm’s cybersecurity policies;
  • Instituting appropriate contract terms in vendor agreements to address potential cybersecurity issues, such as confidentiality provisions, indemnity provisions, vendors’ representations and warranties, data ownership, use rights and restriction clauses and auditing and inspection provisions[1]; and
  • Including vendor relationships and outsourcing systems as part of a periodic cybersecurity risk assessment and/or the adviser’s annual review.

Investment advisers frequently find themselves subject to cybersecurity requirements and standards imposed by institutional clients and investors, program sponsors, and other parties. Accordingly, advisers should consider:

  • Having standard policies and procedures in place to respond to due diligence requests and RFP questions pertaining to cybersecurity;
  • Implementing certain contract terms (e.g., limitations of liability, indemnity provisions) to decrease a firm’s potential liability for cybersecurity issues; and
  • Ensuring that the firm’s cybersecurity policies and procedures incorporate any and all cybersecurity requirements and obligations imposed upon the firm through its investment management agreements, vendor contracts, and disclosure documents, and have a system in place to ensure all such requirements are known and followed.

Client Protection Measures

OCIE’s risk alert notes that almost all of the examined investment advisers (91%) and broker-dealers (98%) utilize some form of encryption for data. Further, for those investment advisers and broker-dealers who offer client online access, OCIE found that the majority provide those clients with information about certain steps that can be taken to reduce cybersecurity risks when conducting business with the firm (e.g., password strength, two-step authentication procedures). Firms should consider providing these notices through either the firm website or periodic client communications, such as account statements.

OCIE’s survey noted that very few firms have incorporated policies that address how firms determine who is responsible for client losses and even fewer incorporate any client guarantees to protect against cyber-related losses. It is not clear at this time whether such policies will become more common in the future.

Use of a Chief Information Security Officer

According to OCIE’s risk alert, approximately 30 percent of the sampled advisers reported having a designated person acting as a Chief Information Security Officer (“CISO”). By comparison, 68 percent of broker-dealers reported having a designated CISO. CISOs are generally responsible for overseeing and implementing all information security matters and coordinating a firm’s response to any cyber-attacks or data breaches. As noted in OCIE’s risk alert, many advisers delegate these duties to the Chief Compliance Officer or a Chief Technology Officer, who liaises as necessary with legal and technical advisers.

Whether a firm decides to designate a separate CISO is to a large extent dependent on the firm’s size, resources, business activities and security obligations. To the extent that a person is designated as a CISO, this person should have sufficient authority to ensure proper oversight and accountability for cybersecurity policies and procedures and also be familiar with the developing legal and regulatory requirements that govern data security, including financial regulations and the variety of federal and state consumer protection laws that address handling the confidential data of others.

Any CISO, or CCO handling such cybersecurity issues, may also wish to proactively establish policies and procedures for escalating and responding to any cybersecurity incidents, including identifying the specific roles and responsibilities of employees and outside consultants, so as to reduce recovery time and costs if and when a cyber incident occurs.

Use of Cyber-Insurance

Insurance can be utilized to reduce the economic consequences of cybersecurity incidents to a firm. OCIE’s risk alert notes that the majority (58%) of broker-dealers maintain such insurance, while only a small percentage of advisers (21%) do.

Cyber-insurance, which can be sold as a separate policy or as a rider to an existing policy, is intended to cover certain costs arising from data breaches that are typically not covered by other types of business policies. Thus, the first step in assessing whether a firm needs a cyber-insurance policy is to determine the scope of the firm’s present insurance coverage and any potential gaps in coverage related to cybersecurity issues, as well as the potential economic consequences of various cybersecurity issues.

As cyber-insurance is a relatively new type of insurance, it has not developed the standardization that exists for other types of business coverage offered by insurance companies. Thus, the scope of coverage can vary widely by policy and carrier, and policies should be carefully evaluated to ensure that a firm is purchasing the appropriate type of cyber-insurance coverage for its needs. The most basic cyber-insurance policies cover data breaches and are intended to reimburse the following types of costs:

  • The costs of a forensic investigation to determine which data was accessed in a breach and who should be notified;
  • Notification and credit monitoring services for impacted clients;
  • Litigation costs arising from the data breach; and
  • Public relations costs arising from the breach.

More comprehensive cyber-insurance policies are becoming available. These policies may offer coverage not only for data breaches by hackers, but also for other types of costs associated with cyber-attacks, such as:

  • Data theft by employees;
  • Business interruption costs if a website or business is affected by malware or technology issues;
  • Costs associated with restoring, updating or replacing electronically stored business assets that have been damaged or lost;
  • Costs arising from cyber-terrorism or cyber-extortion;
  • Damages to third parties caused by negligent transmission of malware;
  • Costs associated with regulatory compliance or investigation; and
  • Content liability for websites, including copyright/trademark infringement.

Potential purchasers should also evaluate whether coverage extends to cloud-based storage systems, vendors and foreign affiliates or subsidiaries.

It should be noted that when issuing cyber-insurance policies, insurers focus on risk management. Accordingly, obtaining comprehensive coverage at the best price usually requires a firm to have a cybersecurity plan in place, which includes access management and up-to-date intrusion protection measures, as well as disaster recovery plans.

* * * * *

While OCIE’s risk alert does not provide specific guidance or standards for addressing cybersecurity issues, it does provide valuable insight into what other investment advisers (and broker-dealers) are doing to address such concerns. Additionally, this risk alert (along with OCIE’s 2014 risk alert and cybersecurity document request list) provides advisers with a general framework for issues that OCIE currently considers to be relevant to a firm’s cybersecurity efforts and what an examination focusing on cybersecurity may look like.

Please feel free to contact us if you have any questions regarding OCIE’s risk alert or any related matter.

[1] For a more in-depth discussion of vendor due diligence and potential contract terms to use, please see Wiggin and Dana’s February 2015 Cybersecurity Update addressing “Independent Contractors, Outsourcing Providers and Supply Chain Vendors: The Weakest Link In Cybersecurity?”