2017 was, unfortunately, a year filled with data breaches—breaches that have impacted millions of Americans. Cybersecurity concerns are rapidly evolving on a daily basis, as are industry and regulatory efforts to address them. To that end, 2017 has also been a year filled with proclamations from securities regulators naming cybersecurity as a top priority—a top-of-the-top priority. Members of the industry are taking note.
Here is a summary of interesting 2017 updates on regulators’ efforts to tackle cybersecurity:
In December 2017, FINRA released an early, interim report on deficiency findings in broker-dealer compliance exams. Though FINRA notes a significant increase in firms’ attention to cybersecurity challenges over the past two years, FINRA examiners continue to cite deficiencies in managing access to client information, firms’ analysis of firm-specific risk factors, and supervision of third-party vendors. FINRA also notes continuing threats from phishing and spear phishing attacks, ransomware attaches and fraudulent third-party wires that frequently involve use of email or stolen customer or financial adviser credentials. The attention devoted to cybersecurity in this report makes it clear that FINRA will continue to ask more questions about cybersecurity in its future examinations.
Securities and Exchange Commission (SEC):
In September 2017, SEC Chairman Jay Clayton issued a public statement on cybersecurity in which he outlined the SEC’s efforts to examine its own policies and procedures to prevent and address cybersecurity attacks. The statement came in response to the 2016 breach of the SEC’s own EDGAR system. Chairman Clayton’s statement describes aspects of how the agency performs a risk assessment when managing internal cybersecurity risks, such as through its approach to governance, policies and procedures, independent audits and reviews, and external reporting. The statement also nicely summarizes (supported by numerous links to additional information) various SEC efforts related to cybersecurity. Though not formal cybersecurity standards or requirements promulgated by the SEC, the statement may be helpful to securities professionals as informal guidance on appropriate measures to take and consider when implementing a cybersecurity program.
North American Securities Administrators Association (NASAA):
In 2014, NASAA conducted a survey to better understand the cybersecurity practices of small and mid-sized investment adviser firms. Nearly half of these firms already have some training or procedures about cybersecurity in place. Since the survey, NASAA has continued the conversation around cybersecurity. In 2017, NASAA hosted a roundtable about cybersecurity. In a speech at the event, NASAA’s former president, Mike Rothman, expressed concerns about cybersecurity:
“No securities firm or investment adviser of any size can afford the loss in client trust – much less financial losses – that will result from a serious cybersecurity failure. And no investor should have his or her personal information compromised.”
Then, NASAA released a report identifying nearly 700 deficiencies involving cybersecurity. These deficiencies were uncovered in examinations of state-registered advisers and include:
No or inadequate cybersecurity insurance
No testing of cybersecurity vulnerability
No procedures for securing or limiting access to devices
No technology specialist or consultant
No procedures for hardware and software updates/upgrades
To help investment advisors gauge their cybersecurity preparedness, NASAA also created a Cybersecurity Checklist for Investment Advisors. In September 2017, Joseph Borg, NASAA’s newly elected president, reaffirmed that cybersecurity will continue to be a top priority for the Association. He noted that in 2018 NASAA will consider a model cybersecurity rule for state-registered investment advisers.
State Securities Regulators:
Supported by NASAA, many state regulators are interested in engaging in conversation about and implementing policies regarding cybersecurity and privacy violations. New York, Vermont, and Colorado are three states that have already implemented cybersecurity regulations for financial services professionals, such as broker-dealers and investment advisors.
On March 1, 2017, New York became the first state to announce a cybersecurity regulation specifically tailored for financial institutions. The new cybersecurity regulation, “Part 500,” applies only to covered entities – that is, any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York’s banking, insurance, or financial services laws. Each of these organizations must:
Designate a Chief Information Security Officer
Implement and maintain a written cybersecurity policy
Shortly after New York, Vermont also effected a cybersecurity regulation (Section 8-4 of the Vermont Securities Regulations). This regulation requires securities professionals, such as investment advisors and broker-dealers, to implement and maintain written procedures “reasonably designed” to ensure cybersecurity. Guidance for what makes a procedure “reasonably designed” is included in the regulation. As part of implementing written cybersecurity procedures, the regulation requires securities professionals to:
Conduct an annual risk assessment on cybersecurity
Maintain evidence of adequate insurance for the risk of a cybersecurity breach
Provide identity restoration services at no cost to consumers in the occurrence of a cybersecurity breach
Finally, Colorado amended its Code of Regulations in July 2017. Similar to Vermont, Colorado now requires broker-dealers and investment advisors to implement and maintain a written procedure “reasonably designed” to ensure cybersecurity. Again, this Code lists factors for firms to determine if their procedures are reasonable. Additionally, Colorado requires firms to:
Perform an annual risk assessment including cybersecurity
Provide for use of secure email
Adopt practices to authenticate client instructions
Disclose to clients the risk of using electronic communications
Brian Edstrom is a Shareholder and Attorney at Avisen
Legal, P.A. He brings to Avisen clients the ability to “speak regulator,” having
spent several years working for federal and state regulators in Washington D.C.
and Saint Paul, MN before entering private practice. Brian assists
clients in all aspects of working with securities regulators, whether it be to
obtain a license or registration, prepare for an audit, or respond to an
enforcement investigation. Brian also regularly advises clients on their
general business needs, particularly surrounding raising money through