The SEC’s Enforcement Division has created a new Cyber Unit targeting “cyber-related misconduct.” The new Cyber Unit will target market manipulation schemes using electronic and social media, hacking schemes, account intrusions, and the dark web. The Co-Director of the SEC’s Enforcement Division labeled cyber-related threats as one of the “greatest risks facing investors and the securities industry.”
OUR TAKE: We suspect that this Cyber Unit will ultimately morph into its own office (see OCIE, Whistleblowers). If you have been on vacation in the woods for the last 3 years and have not yet retained a third-party firm to test your cybersecurity readiness, we recommend moving quickly to catch up to the rest of the industry.
A large insurance company agreed to pay a total of $5.5 million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data for 1.27 million customers across the country when hackers exploited a security breach created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend against charges that a firm acted negligently.
The SEC Office of Compliance Inspections and Examinations (OCIE) released the results of its Cybersecurity 2 sweep initiative. OCIE reviewed policies and procedures and assessed cybersecurity preparedness of 75 firms with respect to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE found that most firms have adopted policies and procedures, conducted penetration tests and vulnerability scans, used a system to prevent data loss, installed software patches, adopted response plans, and conducted vendor risk assessments. OCIE recommended that registrants better tailor policies and procedures, conduct enhanced employee training, replace outdated systems, and ensure remediation of identified vulnerabilities. OCIE warned that cybersecurity “remains one of the top compliance risks for financial firms” and that it “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
OUR TAKE: Advisers, broker-dealers, and funds that fail to meet these compliance best practices risk falling behind their competitors and incurring the wrath of the OCIE examiners. Compliance officers must become conversant in the required elements of an adequate cybersecurity program and implement the required policies and procedures, testing, and remediation.
Cipperman Compliance Services (CCS) has partnered with Align Cybersecurity to offer “CyberSecure,” a collaborative initiative to address the cybersecurity compliance needs of asset managers of all sizes with a trusted, industry-leading solution that provides end-to-end identification, evaluation and remediation of cybersecurity deficiencies. CyberSecure seeks to integrate the necessary business functions and disparate skill sets of an organization to address data control, vendor management, security protocols, and active threat protection. CyberSecure is a necessary investment to ensure compliance with SEC cybersecurity requirements and help protect client data and other intellectual assets from cybertheft.
CCS provides outsourced chief compliance officers and other compliance services to mutual funds, hedge funds, private equity firms, broker-dealers, and money managers. Align Cybersecurity is a global cybersecurity advisory practice led by subject matter experts in cybersecurity law and regulation. The two firms bring together an active understanding of all relevant law, regulations and rules regarding cyber and data security as well as one of the deepest, most comprehensive suites of capabilities for security, testing, vendor management, employee training and vulnerability remediation.
On Wednesday, July 12, CCS and Align Cybersecurity are holding a client webinar to describe CyberSecure. If you currently work with CCS and would like to attend the webinar, please contact your CCS service team.
If you otherwise want more information about CyberSecure, please contact Michelle Gallagher at 484-588-5520 or email@example.com.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert about recent ransomware attacks and offered some best practices for smaller firms for dealing with ransomware incidents. Based on a recent review of 75 registrants, the OCIE staff recommends that firms perform a cyber-risk assessment, conduct penetration and vulnerability tests, and ensure software maintenance including adequate software patches. The OCIE staff stressed the importance of developing a “rapid response capability.” OCIE found widespread deficiencies among advisers during its review: 57% did not conduct penetration and vulnerability testing and 26% did not conduct periodic risk assessments of critical systems.
OUR TAKE: Cybersecurity has become one of the most significant compliance issues facing investment management firms. CCOs and their bosses must take action to address outside threats. We recommend reviewing the SEC’s 2014 guidance.