The SEC has issued cybersecurity guidance directing public companies to adopt effective disclosure controls and procedures and to overhaul their disclosures about cyber incidents and threats. The SEC expects public companies to adopt and implement cybersecurity risk management policies and procedures that ensure timely disclosure, internal reporting and escalation of risks and incidents, and prevention of insider trading. The SEC also directs public companies to review all of their public disclosures, including the materiality of incidents and security issues, risk factors, MD&A disclosure, business description, legal proceedings, financial statements, and board risk oversight. Firms should also consider disclosing past incidents “in order to place discussions of these risks in the appropriate context.” The SEC believes that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” The SEC said that it will be reviewing cybersecurity disclosures.
OUR TAKE: We expect institutional investors to add similar cybersecurity inquiries to their Operational Due Diligence processes before selecting an investment firm. So even if you do not work for a public company, you should consider implementing the SEC’s recommendations.
A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states arising from the loss of sensitive consumer information in a criminal data breach. According to the Settlement Agreement, the respondent lost the data of 1.27 million consumers across the country when hackers exploited a vulnerability that remained open because the respondent had failed to apply a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend against charges that a firm acted negligently. Note what the regulators required as a remedy here: a named person accountable for patching, written patch policies and procedures, and internal assessments that verify patches were actually applied. A firm that already has those elements, and can document them, is in a far better position than one that only has a policy on paper.
The SEC Office of Compliance Inspections and Examinations (OCIE) released the results of its Cybersecurity 2 sweep initiative. OCIE reviewed the policies and procedures of 75 firms and assessed their cybersecurity preparedness with respect to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE found that most firms had adopted policies and procedures, conducted penetration tests and vulnerability scans, deployed data loss prevention tools, installed software patches, adopted incident response plans, and conducted vendor risk assessments. OCIE recommended that registrants better tailor their policies and procedures to their businesses, conduct enhanced employee training, replace outdated systems, and ensure that identified vulnerabilities are actually remediated. OCIE warned that cybersecurity “remains one of the top compliance risks for financial firms” and that it “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
OUR TAKE: Advisers, broker-dealers, and funds that fail to follow these compliance best practices risk falling behind their competitors and incurring the wrath of the OCIE examiners. Compliance officers must become conversant in the required elements of an adequate cybersecurity program and implement the required policies and procedures, testing, and remediation. Note that OCIE is not only asking whether a policy exists but is testing whether it is implemented, so findings from penetration tests and vulnerability scans need a documented path to remediation.
Cipperman Compliance Services (CCS) has partnered with Align Cybersecurity to offer “CyberSecure,” a collaborative initiative to address the cybersecurity compliance needs of asset managers of all sizes with a trusted, industry-leading solution that provides end-to-end identification, evaluation and remediation of cybersecurity deficiencies. CyberSecure seeks to integrate the necessary business functions and disparate skill sets of an organization to address data control, vendor management, security protocols, and active threat protection. CyberSecure is a necessary investment to ensure compliance with SEC cybersecurity requirements and to help protect client data and other intellectual assets from cybertheft.
CCS provides outsourced chief compliance officers and other compliance services to mutual funds, hedge funds, private equity firms, broker-dealers, and money managers. Align Cybersecurity is a global cybersecurity advisory practice led by subject matter experts in cybersecurity law and regulation. The two firms bring together an active understanding of all relevant law, regulations and rules regarding cyber and data security as well as one of the deepest, most comprehensive suites of capabilities for security, testing, vendor management, employee training and vulnerability remediation.
On Wednesday, July 12, CCS and Align Cybersecurity are holding a client webinar to describe CyberSecure. If you currently work with CCS and would like to attend the webinar, please contact your CCS service team.
If you otherwise want more information about CyberSecure, please contact Michelle Gallagher at 484-588-5520 or email@example.com.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert about recent ransomware attacks and offered some best practices for smaller firms on preparing for and responding to ransomware incidents. Based on a recent review of 75 registrants, the OCIE staff recommends that firms perform a cyber-risk assessment, conduct penetration and vulnerability tests, and maintain their software, including applying security patches promptly. The OCIE staff stressed the importance of developing a “rapid response capability.” OCIE also found widespread deficiencies among advisers in its review: 57% did not conduct penetration and vulnerability testing, and 26% did not conduct periodic risk assessments of critical systems.
OUR TAKE: Cybersecurity has become one of the most significant compliance issues facing investment management firms. CCOs and their bosses must take action to address outside threats. For ransomware in particular, the controls that most directly limit the damage are the ones OCIE names: current patches on every system that faces the internet or handles client data, and a response plan that has been rehearsed before it is needed, not written after the fact. We recommend reviewing the SEC’s 2014 guidance.