Cybersecurity Compliance Is More Than a Policy, Part 1: What Advisers and Brokers Can Do to Ensure Policies Are Followed With Action
On August 30, the US Securities and Exchange Commission (SEC) announced three cybersecurity-related enforcement actions relating to eight different firms. The actions arose from what appear to be routine examinations of registered investment advisers and broker-dealers. This post provides some high-level takeaways for companies to consider in the wake of these actions. Tomorrow, we will dive into the actions and rules violated.
As brief background, the SEC’s examination priorities have included a focus on cyber- and information security since at least 2015. As Kristina Littman, chief of the SEC’s cyber unit, warned in the press release announcing the actions: “It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.” Moreover, beyond the SEC, other regulators are focused on companies’ cybersecurity policies. For example, FINRA recently published guidance on cloud computing and vendor management, which reminds firms to include vendor management in their “reasonably designed cybersecurity programs and controls consistent with their risk profile, business model, and scale of operations.”
In the wake of these recent orders, and the continued focus of regulators in this area, companies would be well-served to review and update their policies and procedures relating to information security, consider whether technology enhancements are required (and swiftly implement them), and ensure that individuals are actually complying. Additionally, as one of the orders illustrates, companies cannot rely on form notifications in the event of a cybersecurity breach: a template sent to different recipients at different times can misstate when the issue was identified or what actually occurred. Instead, companies should re-evaluate each communication before it is sent to make sure that it accurately reflects both the timing of when the issue was identified and the nature of what occurred.
As this area continues to be a focus for all regulators, the costs of compliance can seem daunting. Given this, registered investment advisers and broker-dealers should consider taking the following steps now:
- Confirm that your written cyber- and information security policies are reasonably designed and tailored to the needs and sophistication of your business, and that sufficient and reasonable safeguards are in place with respect to protecting personal information. What is considered sufficient and reasonable in the realm of information security constantly evolves. This may require more frequent policy reviews than those that occur in other areas, especially if you experience any type of cybersecurity attack or breach.
- Confirm that your policies and procedures have been implemented, which will likely require frequent discussion and contact with your Information Technology and Data Security teams.
- Confirm that, in addition to your employees, any independent contractors and individuals located offshore are implementing your policies and procedures.
- Conduct a cybersecurity risk assessment to ensure that you are meeting all of your legal requirements to protect data under the SEC Safeguards Rule and otherwise.
- Implement the findings from the risk assessment! If there is a determination not to implement findings from the risk assessment, document the reasons why not and the alternative measure(s) taken.
- Ensure written policies and procedures are robust and updated and include new findings from the assessment.
- Practice your incident response process. Practice makes perfect, and a process that has never been rehearsed is likely to break down, and to fall out of compliance, in the moments when a real crisis (ransomware or otherwise) demands it.
Check back tomorrow for an in-depth discussion of the precise rules implicated by these orders. For questions about requirements for cybersecurity incident notices, please see our previous Advisory discussing banking agencies’ updated vendor management guidance or contact the authors of this post.
© Arnold & Porter Kaye Scholer LLP 2021 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.