The Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) recently released a Risk Alert containing its plan for a second round of cybersecurity examinations of registered broker-dealers and investment advisers. In its Risk Alert, OCIE provided additional information regarding its ongoing initiative of testing to assess implementation of firm cybersecurity procedures and controls. OCIE also provided a sample request for information and documents, which is included as an Appendix at the end of this alert. Concurrently, the SEC charged an investment adviser for failing to have adequate policies and procedures in place to protect customer records and personally identifiable information.
OCIE Risk Alert and Exam Plans
OCIE detailed six primary target areas on which it intends to focus its cybersecurity examinations, including:
-
Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes. They may also review whether firms are periodically evaluating cybersecurity risks, whether their controls and risk assessment processes are tailored to their business, and the level of communication to, and involvement of, senior management and fund boards of directors. Examiners will likely seek information regarding the firm’s chief information security officer and other employees responsible for cybersecurity matters. Document requests may include board minutes and other briefing materials regarding cybersecurity matters and the firm’s policies and procedures related to protection of client records and information.
-
Access Rights and Controls: OCIE believes that firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Therefore, examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods, including controls associated with remote access, customer logins and passwords. Specifically, the firm may be requested to provide its policies and procedures related to, among other items:
-
Access by unauthorized persons to firm network resources, including establishing, updating, terminating and changing such access;
-
Access to the firm’s system externally, whether on firm-issued or personal devices, including encryption, monitoring and deactivation of such devices; and
-
Any internal audits conducted by the firm that cover access rights and controls.
-
-
Data Loss Prevention: OCIE stated that some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Thus, examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads; how firms monitor for potentially unauthorized data transfers; and how firms verify the authenticity of a customer request to transfer funds. Of particular interest to examiners are the systems and controls regarding protection of customers’ personally identifiable information.
-
Vendor Management: OCIE asserted that some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may also assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor. They may request sample documents or notices that a firm requires from third-party vendors, such as those required before a vendor can perform any significant changes to its systems or services that could potentially have a security impact on the firm. Examiners may also want to see the written contingency plans that a firm has with its vendors concerning issues such as conflicts of interest or bankruptcy. Vendor management has been a particularly vexing area in terms of due diligence, however, as many vendors refuse to provide advisers and funds with information on their systems.
-
Training: OCIE stated that without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, OCIE believes that employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions; how training is designed to encourage responsible employee and vendor behavior; and how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
-
Incident Response: OCIE stated that firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes an assessment of which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm. Specifically, examiners may request to see the firm’s business continuity plan that addresses mitigation and/or recovery from a cybersecurity incident; information regarding successful unauthorized internal or external incidents, including the date of the incident, the discovery process, escalation and any responsive remediation efforts taken; and specific data regarding the amount of actual customer losses associated with cyber incidents, whether the firm reimbursed such losses, and whether an insurance claim was filed and recovered.
OCIE’s announcement of the second round of cybersecurity examinations is in line with its 2015 examination priorities, which included a focus on cybersecurity compliance and controls. It also underscores the importance that the SEC and OCIE have placed on identification of cybersecurity risks and assessment of cybersecurity preparedness in the securities industry. The announced examinations, which are expected to take place primarily during the 2016 fiscal year, follow a March 2014 SEC-sponsored Cybersecurity Roundtable, an April 2014 OCIE Risk Alert announcing an initial cybersecurity examination sweep, and the release of OCIE’s summary observations of the sweep in February 2015.*
Broker-dealers and investment advisors are urged to carefully review OCIE’s sample examination request list to ensure proper preparation for a cybersecurity exam, even if the firm does not anticipate ending up on OCIE’s target list of examinees. Firms should also consider that although OCIE provided detailed information regarding their anticipated areas of focus, the agency may add new areas of interest based upon further findings and new identified risks.
Cybersecurity Enforcement Action
Just one week after OCIE issued its Alert, on Tuesday, September 22, 2015, the SEC charged an investment adviser with violating Rule 30(a) of Regulation S-P (the Safeguards Rule) for failing to adopt written policies and procedures reasonably designed to safeguard customer records and information. The charge spawned from a July 2013 cyberattack on the investment adviser’s third party-hosted server, which potentially compromised the personally identifiable information (PII) of over 100,000 individuals stored on the server. Without admitting or denying the SEC’s findings, the investment adviser has agreed to settle the charge for approximately $75,000 and cease and desist from committing or causing any future violations of the Safeguards Rule.
According to the SEC’s Order, from September 2009 to July 2013, the investment adviser stored, without modification or encryption, the PII of both clients and other persons on a third party-hosted web server. After discovering the potential breach, the investment adviser promptly retained multiple cybersecurity firms to confirm the attack and assess the scope of the breach. Though the firms ultimately could not determine whether the PII stored on the server had been accessed or compromised, the investment adviser notified every individual whose PII may have been stolen and offered free identity theft monitoring through a third-party provider.
Despite its subsequent remedial efforts, which all appear to have been implemented prior to the SEC’s investigation of the matter, and the lack of any harm, the SEC charged the investment adviser for failing to adopt written policies and procedures reasonably designed to safeguard customer information prior to the breach. Notably, the SEC’s finding followed OCIE’s Risk Alert very closely. More specifically, the SEC found that the investment adviser’s policies and procedures for protecting its customers’ sensitive PII did not include: (1) conducting periodic risk assessments, (2) employing a firewall to protect the web server containing client PII, (3) encrypting client PII stored on the server, or (4) establishing procedures for responding to a cybersecurity incident.
The SEC acknowledged the following changes promptly adopted by the investment adviser to mitigate future risks: (1) appointing an information security manager to oversee data security and protection of PII, (2) adopting and implementing a written information security policy, (3) refraining from storing PII on its webserver and encrypting all PII stored on its internal network, (4) installing a new firewall and logging system to prevent and detect malicious intrusions, and (5) retaining a cybersecurity firm to provide ongoing reports and advice. Further, there has been no indication to date that any client has suffered financial harm as a result of the breach.
APPENDIX
This document1 provides a sample list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) may review in conducting examinations of registered entities regarding cybersecurity matters. Some of the questions track information outlined in the “Framework for Improving Critical Infrastructure Cybersecurity”2 released on February 12, 2014, by the National Institute of Standards and Technology. OCIE has published this document as a resource for registered entities. This document should not be considered all inclusive of the information that OCIE may review or the validation and testing we may perform of firm policies and procedures. Accordingly, OCIE will alter its requests for information it reviews, as well as whether it asks for production of information in advance of an examination or reviews certain information on site, as it considers the specific circumstances presented by each firm’s business model, systems, and information technology environment.
Governance and Risk Assessment
-
Firm policies and procedures related to the following:
-
Protection of broker-dealer customer and/or investment adviser client (hereinafter “customer”) records and information, including those designed to secure customer documents and information, protect against anticipated threats to customer information, and protect against unauthorized access to customer accounts or information; and
-
Patch management practices, including those regarding the prompt installation of critical patches and the documentation evidencing such actions.
-
-
Board minutes and briefing materials, if applicable, regarding: cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors.
-
Information regarding the firm’s Chief Information Security Officer (CISO) or equivalent position, and other employees responsible for cybersecurity matters.
-
Information regarding the firm’s organizational structure, particularly information regarding the positions and departments responsible for cybersecurity-related matters and where they fit within the firm’s organization or hierarchy.
-
Information regarding the firm’s periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business and compliance consequences, if applicable, and any related findings and responsive remediation efforts taken.
-
Information regarding the firm’s policies related to penetration testing, whether conducted by or on behalf of the firm, and any related findings and responsive remediation efforts taken.
-
Information regarding the firm’s vulnerability scans and any related findings and responsive remediation efforts taken.
Access Rights and Controls
-
Firm policies and procedures regarding access by unauthorized persons to firm network resources and devices and user access restrictions (e.g., access control policy, acceptable use policy, administrative management of systems, and corporate information security policy), including those addressing the following:
-
Establishing employee access rights, including the employee’s role or group membership;
-
Updating or terminating access rights based on personnel or system changes; and
-
Any management approval required for changes to access rights or controls.
-
-
Information demonstrating the implementation of firm policies and procedures related to employee access rights and controls, such as the following:
-
Documentation evidencing the tracking of employee access rights, changes to those access rights, and any manager approvals for those changes;
-
Information related to former employees’ last date of employment and the date their access to the firm’s systems was terminated; and
-
Information related to current employees who have been reassigned by the firm to a new group or function, including their date of reassignment and the date their access to the firm’s systems was modified.
-
Information related to the systems or applications for which the firm uses multi-factor authentication for employee and customer access as well as documentation evidencing implementation of any related policies and procedures and information on systems or applications for which the firm does not use multi-factor authentication.
-
Firm policies and procedures related to log-in attempts, log-in failures, lockouts, and unlocks or resets for perimeter-facing systems and information regarding the process the firm uses to enforce these policies and procedures and to review perimeter-facing systems for failed log-in attempts, deactivation of access, dormant user accounts, and unauthorized log-in attempts.
-
Information related to instances in which system users, including employees, customers, and vendors, received entitlements or access to firm data, systems, or reports in contravention of the firm’s policies or practices or without required authorization as well as information related to any remediation efforts undertaken in response.
-
Firm policies and procedures regarding system notifications to users, including employees and customers, of appropriate usage obligations when logging into the firm’s system (e.g., log-on banners, warning messages, or acceptable use notifications) and sample documentation evidencing implementation of these policies and procedures.
-
Firm policies and procedures regarding devices used to access the firm’s system externally (i.e., firm-issued and personal devices), including those addressing the encryption of such devices and the firm’s ability to remotely monitor, track, and deactivate remote devices.
-
Information related to customer complaints received by the firm related to customer access, including a description of the resolution of the complaints and any remediation efforts undertaken in response.
-
Firm policies and procedures related to verification of the authenticity of customer requests to transfer funds.
-
Information related to any reviews of employee access rights and restrictions with respect to job-specific resources within the network and any related documentation.
-
Information related to any internal audit conducted by the firm that covered access rights and controls.
Data Loss Prevention
-
Firm policies and procedures related to enterprise data loss prevention and information related to the following:
-
Data mapping, with particular emphasis on understanding information ownership and how the firm documents or evidences personally identifiable information (PII); and
-
The systems, utilities, and tools used to prevent, detect, and monitor data loss as it relates to PII and access to customer accounts, including a description of the functions and source of these resources.
-
-
Firm policies related to data classification, including: information regarding the types of data classification; the risk level (e.g., low, medium, or high) associated with each data classification; the factors considered when classifying data; and how the factors and risks are considered when the firm makes data classification determinations.
-
Firm policies and procedures related to monitoring exfiltration and unauthorized distribution of sensitive information outside of the firm through various distribution channels (e.g., email, physical media, hard copy, or web-based file transfer programs) and any documentation evidencing this monitoring.
Vendor Management
-
Firm policies and procedures related to third-party vendors, such as those addressing the following:
-
Due diligence with regard to vendor selection;
-
Contracts, agreements, and the related approval process;
-
Supervision, monitoring, tracking, and access control; and
-
Any risk assessments, risk management, and performance measurements and reports required of vendors.
-
-
Any risk assessments, risk management, and performance measurements and reports required of vendors.
-
Information regarding third-party vendors with access to the firm’s network or data, including the services provided and contractual terms related to accessing firm networks or data.
-
Information regarding third-party vendors that facilitate the mitigation of cybersecurity risks by means related to access controls, data loss prevention, and management of PII, including a description of the services each vendor provides to the firm and contractual terms included in vendor contracts involving cybersecurity-related services.
-
Information regarding written contingency plans the firm has with its vendors concerning, for instance, conflicts of interest, bankruptcy, or other issues that might put the vendor out of business or in financial difficulty.
-
Sample documents or notices required of third-party vendors, such as those required prior to any significant changes to the third-party vendors’ systems, components, or services that could potentially have security impacts to the firm and the firm’s data containing PII.
Training
-
Information with respect to training provided by the firm to its employees regarding information security and risks, including the training method (e.g., in person, computer-based learning, or email alerts); dates, topics, and groups of participating employees; and any written guidance or materials provided.
-
Information regarding training provided by the firm to third-party vendors or business partners related to information security.
Incident Response
-
Firm policies and procedures or the firm’s business continuity of operations plan that address mitigation of the effects of a cybersecurity incident and/or recovery from such an incident, including policies regarding cybersecurity incident response and responsibility for losses associated with attacks or intrusions impacting clients.
-
Information regarding the firm’s process for conducting tests or exercises of its incident response plan, including the frequency of, and reports from, such testing and any responsive remediation efforts taken, if applicable.
-
Information regarding system-generated alerts related to data loss of sensitive information or confidential customer records and information, including any related findings and any responsive remediation efforts taken.
-
Information regarding incidents of unauthorized internal or external distributions of PII, including the date of the incidents, discovery process, escalation, and any responsive remediation efforts taken.
-
Information regarding successful unauthorized internal or external incidents related to access, including the date of the incidents, discovery process, escalation, and any responsive remediation efforts taken.
-
Information regarding the amount of actual customer losses associated with cyber incidents, as well as information on the following:
-
The amount of customer losses reimbursed by the firm;
-
Whether the firm had cybersecurity insurance coverage, including the types of incidents the insurance covered
-
Whether any insurance claims related to cyber events were filed; and
-
The amount of cyber-related losses recovered pursuant to the firm’s cybersecurity insurance coverage.
-
1 The statements and views expressed herein are those of the staff of OCIE. This guidance is not a rule, regulation, or statement of the Commission. The Commission has expressed no view on its contents. This document was prepared by the SEC staff and is not legal advice.
2 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (February 12, 2014).