The SEC has issued cybersecurity guidance that directs public companies to adopt effective disclosure controls and procedures and overhaul their disclosure about incidents and threats. The SEC believes that public companies should adopt and implement cybersecurity risk management policies and procedures that ensure timely disclosure, internal reporting, processing of risks and incidents, and prevention of insider trading. The SEC also admonishes public companies to review all public disclosures including the materiality of incidents and security, risk factors, MD&A disclosure, business description, legal proceedings, financial statements, and board risk oversight. Firms should also consider disclosing past incidents “in order to place discussions of these risks in the appropriate context.” The SEC believes that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” The SEC said that it will be reviewing cybersecurity disclosures.
OUR TAKE: We expect institutional investors will add similar cybersecurity inquiries into their Operational Due Diligence processes before choosing an investment firm. So, even if you do not work for a public company, you should consider implementing the SEC’s recommendations.
The SEC obtained an emergency asset freeze against a fraudulent internet-based initial coin offering. According to the SEC, the Canadian respondents promised outlandish returns and made other significant misrepresentations as part of a scheme that raised over $15 Million from thousands of investors through offerings of a crypto-currency advertised on various social media sites. The SEC asserts that the offering of virtual tokens constituted an illegal offering of securities and that it was made available to U.S. investors through the internet. The SEC announced that this case is the first filed by its new Cyber Unit, which was created in September to focus on “misconduct involving distributed ledger technology and initial coin offerings, the spread of false information through electronic and social media, hacking and threats to trading platforms.”
OUR TAKE: Perhaps most significant is the SEC asserting (without much precedent or support) that an initial coin offering is an offering of securities subject to the securities laws. This view may lead to broader regulatory oversight of cryptocurrency offerings. Also, we expect that this first action by the Cyber Unit won’t be its last.
The SEC’s Enforcement Division has created a new Cyber Unit targeting “cyber-related misconduct.” The new Cyber-Unit will target market manipulation schemes using electronic and social media, hacking schemes, account intrusions, and the dark web. The Co-Director of the SEC’s Enforcement Division labeled cyber-related threats as one of the “greatest risks facing investors and the securities industry.”
OUR TAKE: We suspect that this Cyber Unit will ultimately morph into its own office (See OCIE, Whistleblowers). If you have been on vacation in the woods for the last 3 years and have not yet retained a third party firm to test your cybersecurity readiness, we recommend moving quickly to catch up to the rest of the industry.
A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data for 1.27 million customer across the country when hackers exploited a security breach created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend charges that a firm acted negligently.
The SEC Office of Compliance Inspections and Examinations (OCIE) released the results of its Cybersecurity 2 sweep initiative. OCIE reviewed policies and procedures and assessed cybersecurity preparedness of 75 firms with respect to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE found that most firms have adopted policies and procedures, conducted penetration tests and vulnerability scans, used a system to prevent data loss, installed software patches, adopted response plans, and conducted vendor risk assessments. OCIE recommended that registrants better tailor policies and procedures, conduct enhanced employee training, replace outdated systems, and ensure remediation of identified vulnerabilities. OCIE warned that cybersecurity “remains one of the top compliance risks for financial firms” and that it “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
OUR TAKE: Advisers, broker-dealers, and funds that fail these compliance best practices risk falling behind their competitors and incurring the wrath of the OCIE examiners. Compliance officers must become conversant in the required elements of an adequate cybersecurity program and implement the required policies and procedures, testing, and remediation.
Cipperman Compliance Services (CCS) has partnered with Align Cybersecurity to offer “CyberSecure,” a collaborative initiative to address the cybersecurity compliance needs of asset managers of all sizes with a trusted, industry-leading solution that provides end-to-end identification, evaluation and remediation of cybersecurity deficiencies. CyberSecure seeks to integrate the necessary business functions and disparate skill sets of an organization to address data control, vendor management, security protocols, and active threat protection. Cyber Secure is a necessary investment to ensure compliance with SEC cybersecurity requirements and help protect client data and other intellectual assets from cybertheft.
CCS provides outsourced chief compliance officers and other compliance services to mutual funds, hedge funds, private equity firms, broker-dealers, and money managers. Align Cybersecurity is a global cybersecurity advisory practice led by subject matter experts in cybersecurity law and regulation. The two firms bring together an active understanding of all relevant law, regulations and rules regarding cyber and data security as well as one of the deepest, most comprehensive suites of capabilities for security, testing, vendor management, employee training and vulnerability remediation.
On Wednesday, July 12, CCS and Align Cybersecurity are holding a client webinar to describe CyberSecure. If you currently work with CCS and would like to attend the webinar, please contact your CCS service team.
If you otherwise want more information about CyberSecure, please contact Michelle Gallagher at 484-588-5520 or email@example.com.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert about recent ransomware attacks and offered some best practices for smaller firms for dealing with ransomware incidents. Based on a recent review of 75 registrants, the OCIE staff recommends that firms perform a cyber-risk assessment, conduct penetration and vulnerability tests, and ensure software maintenance including adequate software patches. The OCIE staff stressed the importance of developing a “rapid response capability.” OCIE found widespread deficiencies among advisers during its review: 57% did not conduct penetration and vulnerability testing and 26% did not conduct periodic risk assessments of critical systems.
OUR TAKE: Cybersecurity has become one of the most significant compliance issues facing investment management firms. CCOs and their bosses must take action to address outside threats. We recommend reviewing the SEC’s 2014 guidance.