Cybercrime, as numerous almost daily headlines tell us, is understandably a favored tactic of organized criminals. The crimes can be committed far from the locus of the harm and do not involve face-to-face confrontations, are capable of repetition once devised, and can be highly lucrative. From organized computer wizards in Eastern Europe, to governmental actors in North Korea, to crime syndicates in the United States, it seems that everyone wants to get in on the act.
The Securities and Exchange Commission (SEC) has, appropriately, taken notice. Most recently, in March 2015, the National Associate Director of the SEC’s Investment Adviser/Investment Company exam program announced to the press that the SEC would be continuing and expanding a cybersecurity initiative it had launched a year earlier.
The SEC’s initiative was first introduced by its Chair, Mary Jo White, on March 26, 2014 at a Cybersecurity Roundtable sponsored by the Commission. The SEC announced that it would conduct special examinations of more than fifty broker-dealers and registered investment advisers. Registered investment advisers collectively manage approximately $62 trillion of wealth. The examinations would be conducted by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).
The SEC then proceeded to examine 57 broker-dealers and 49 registered investment advisers to better understand how each was addressing cybersecurity issues. In connection with this program, the SEC publicly released a complex and detailed questionnaire that it required its examinees to complete.
On February 3, 2015, the SEC issued a summary of its examination findings. The summary found that most broker-dealers and investment advisers had adopted written information security policies and conducted periodic risk assessments to identify cybersecurity threats.
Importantly, the examination found that the vast majority of broker-dealers (88%) and investment advisers (74%) had experienced some type of cyber-attack directly or through a vendor.
Most of the attacks involved fraudulent emails (requests to disburse money that purport to be from a client but are in fact from an impostor) and malware (the installation of hostile or intrusive software on a host computer).
The examination also indicated that a number of these cyber-attack schemes were successful. Approximately 12 broker-dealers reported losses related to fraudulent emails, and one adviser reported a loss in excess of $75,000. The examination also found that while most firms conducted a comprehensive inventorying, cataloguing, or mapping of their technology resources, only 58% of broker-dealers and 21% of advisers maintained insurance to cover losses attributable to cybersecurity incidents.
The SEC promised that in 2015, it would, “continue to focus on cybersecurity using risk-based examinations.” The examination noted that in January 2015 OCIE had released its examination priorities for the year, which stated that in 2014, “we launched an initiative to examine broker-dealers’ and investment advisers’ cybersecurity compliance and controls” and in 2015, “we will continue these efforts and will expand them to include transfer agents.”
With the March 2015 announcement by OCIE’s National Associate Director of the Investment Adviser/Investment Company exam program referenced above, SEC-regulated entities now have a sense of the SEC’s intentions in “phase 2” of its cybersecurity initiative. Between summer 2015 and early 2016, the SEC intends to begin a second round of examinations of the same number of investment advisers and broker-dealers. Phase 2, unlike Phase 1, will also involve on-site visits by SEC staff. Phase 2 will be a nationwide effort that will inquire into firms’ response plans in the event of a cyber-attack or breach, their due diligence of vendors’ cyber policies, and the role of senior executives in cybersecurity risk management.
Clearly, any firm subject to an examination should be carefully reviewing cybersecurity issues, but it should do so not out of fear of an SEC examination but to protect itself and its clients from the many bad actors who wish to profit by doing them harm.
Most recently, on April 28, 2015, another branch of the SEC, the Division of Investment Management, issued its own “Guidance Update” on cybersecurity issues. The Guidance Update states that the Division of Investment Management has identified cybersecurity as an important issue and one that it will continue to focus on and monitor. The Division recommended that investment advisers and investment companies consider taking a number of measures to address cybersecurity risks, including: (1) conducting a comprehensive periodic assessment of the electronic information used, threatened, or vulnerable, as well as the security controls in place to protect that data; (2) creating an effective strategy to prevent, detect, and respond to cybersecurity threats; and (3) implementing the strategy through written policies and procedures and the training of officers and employees.
Paul Snitzer joined Prudent Management Associates as General Counsel in 2011 after practicing law in Philadelphia for almost 20 years, first at Dechert Price & Rhoads and then at Duane Morris.