The Securities and Exchange Commission (“SEC”) has been squarely focused on cybersecurity and data protection for the last several years. The SEC launched an initiative to examine investment advisers’ cybersecurity compliance and controls in 2014, and these areas remain an examination priority. The SEC has also published multiple cybersecurity guidance documents and risk alerts since 2014. David Glockner, regional director of the SEC’s Chicago office, recently stated that the SEC will lead its “efforts with respect to cyber-security controls through the exam program, not through enforcement.” However, the SEC has also brought enforcement actions against investment advisers resulting from cyber-attacks and the firms’ lack of written cybersecurity policies and procedures designed to prevent such attacks. Investment advisers, and those who counsel them, should be aware of the SEC’s authority to mandate and enforce cybersecurity controls.
The SEC brought its first cybersecurity enforcement action against an adviser in September 2015, when it instituted administrative and cease-and-desist proceedings against R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”), alleging that R.T. Jones failed to adopt written policies and procedures reasonably designed to protect customer records and information in violation of Rule 30(a) of Regulation S-P (the “Safeguards Rule”). The Safeguards Rule requires registered investment advisers to adopt written policies and procedures reasonably designed to safeguard customer records and information. The proceedings stemmed from a July 2013 attack on R.T. Jones’s server that left the personally identifiable information (“PII”) of more than 100,000 individuals vulnerable to theft. The order alleged that “[f]rom at least September 2009 through July 2013, R.T. Jones stored sensitive PII of clients on its third party-hosted web server without adopting written policies and procedures regarding the security and confidentiality of that information and the protection of that information from anticipated threats or unauthorized access.” To mitigate the risks of future cyber threats, R.T. Jones appointed an information security manager, adopted and implemented a written information security policy, no longer stores PII on its webserver and encrypts any PII stored on its internal network, installed new firewall and logging systems to prevent and detect malicious incursions, and retained a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security. R.T. Jones was ordered to pay a civil money penalty of $75,000.
In a second action, against Morgan Stanley Smith Barney, LLC (“MSSB”) in June 2016, the SEC found that MSSB willfully violated the Safeguards Rule despite its adoption of written policies and procedures relating to the protection of customer PII, because those policies were not reasonably designed to safeguard its customers’ PII as required by the Safeguards Rule. The SEC alleged that from 2011 to 2014, an MSSB employee misappropriated the PII of approximately 730,000 customers, including customers’ names, addresses, and account numbers, balances and securities holdings. In its findings, the SEC alleged that MSSB’s written policies and procedures failed to adequately address certain key administrative, technical and physical safeguards, such as: reasonably designed and operating authorization modules for certain business portals to restrict employee access to only the confidential customer data that employees had a legitimate business interest to use; auditing and/or testing of the effectiveness of such authorization modules; and monitoring and analyzing of employee access to and use of the portals. In addition to remedial efforts already undertaken, MSSB was ordered to pay a civil money penalty of $1,000,000.
As Mr. Glockner noted at the SEC’s compliance outreach program in Chicago, the agency is “focused on trying to prevent these problems before they occur.” The SEC has previously articulated its views on effective cybersecurity protocols by providing guidance for investment advisers to assess cybersecurity risks, including periodic assessments of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risks. Mr. Glockner has also emphasized that written policies and procedures may be found to be deficient on their face even if there was no breach. For that reason, an adviser’s policies and procedures should be tailored to its operations.
The SEC’s guidance has also pointed to certain practices investment advisers may wish to implement to ensure the sufficiency of their cybersecurity compliance and controls, including:
- Controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening;
- Data encryption;
- Protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events;
- Data backup and retrieval;
- The development of an incident response plan; and
- Routine testing of these strategies.
These strategies should be implemented through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Investment advisers may also wish to educate investors and clients about how to reduce their exposure to cyber threats concerning their accounts.
Diana E. McCarthy (LAW ’93) is a partner at Drinker Biddle in the firm’s Investment Management Group. She focuses on the representation of registered investment companies, including exchange-traded funds, and their independent boards of directors, investment advisers and other financial services companies.
Joshua M. Lindauer is an associate at Drinker Biddle where he counsels a variety of clients in the investment management industry, including investment advisers and investment companies. He also advises clients on the formation, governance, reorganization and ongoing operations of investment companies, such as product structuring, marketing, operations, and compliance.