SEC Increasing Scrutiny of Cybersecurity Practices; NYSE Publishes Cybersecurity Guide

11.17.15

(Article from Registered Funds Alert, November 2015)

For more information, please visit the Registered Funds Alert Resource Center.

The SEC continues to focus on cybersecurity, as demonstrated by recent announcements of more examinations and an enforcement action related to cybersecurity. Additionally, the NYSE published a cybersecurity guide aimed at directors and officers of listed companies that may be of interest to registered funds.

OCIE Announces a Second Round of Cybersecurity Examinations

On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued a new Risk Alert announcing a second round of cybersecurity examinations in light of recent breaches and threats against financial services firms. OCIE’s first round of cybersecurity examinations started in 2014, concluding with a Risk Alert on February 3, 2015, summarized in our prior Alert. As part of its 2015 Examination Priorities, OCIE announced that, in contrast to the 2014 Initiative, the 2015 Initiative would concentrate more on evaluating a firm’s implementation of systems regarding its individual cybersecurity preparedness. The most recent Risk Alert noted six core focus areas for the second round of exams. By asking to review policies on these topics, OCIE is effectively requiring firms to have such policies. The six core focus areas included in the Risk Alert are:

  • Governance and Risk Assessment: OCIE will assess cybersecurity policies, procedures, and processes, including whether they are evaluated regularly.
  • Access Rights and Controls: OCIE will examine how firms control access to various systems through management of user credentials, authentication and authorization, such as the use of RSA tokens to access firm systems.
  • Data Loss Prevention: Examiners will evaluate whether a firm monitors its own network traffic, including content transferred outside of the firm by its employees or by third parties as email attachments or uploads. Additionally, they will assess how firms block unauthorized data transfers and verify the authenticity of a customer request to transfer funds.
  • Vendor Management: Reviews may include firm practices and controls related to vendor management, such as vendor selection, due diligence, monitoring and contractual terms.
  • Training: Examiners will note whether and how training of employees and vendors is tailored to specific job functions in order to encourage responsible behavior, in addition to procedures for responding to cyber incidents under an incident response plan.
  • Incident Response: OCIE will assess whether firms have established policies, assigned roles, located vulnerabilities, and developed plans to address possible future cyber-events.

SEC Brings Enforcement Action Against Registered Investment Adviser

Further demonstrating the SEC’s focus on cybersecurity, on September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management (“R.T. Jones”), a St. Louis-based investment adviser, had settled charges that it had not adopted written cybersecurity policies and procedures before a 2013 data breach that compromised the personally identifiable information (“PII”) of approximately 100,000 individuals, consisting of both clients and others. In connection with the attack, an unknown hacker who was later traced to China was able to gain access to sensitive PII stored by R.T. Jones on a third party-hosted web server. In light of the incident, R.T. Jones provided notice of the breach to any individual whose PII may have been compromised and further offered free identity theft monitoring.

Following an investigation, the SEC alleged that the firm had entirely failed to adhere to the “safeguards rule”—Rule 30(a) under Regulation S-P—which requires registered investment advisers to adopt written policies and procedures reasonably designed to protect the security and confidentiality of customer records and information against anticipated threats or unauthorized access. For example, the firm had never conducted periodic risk assessments, implemented a firewall, encrypted PII stored on its server, or maintained a response plan for cybersecurity incidents. In settling the allegations, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P, and also agreed to be censured and pay a $75,000 penalty.

NYSE Publishes Cybersecurity Guide

In October 2015, the NYSE published a 355-page book to serve as what it deems the “definitive cybersecurity guide for the directors and officers of public companies.” The subject areas of the book – which was written by over 35 contributors across the information security, business, and government arenas – range from board obligations and action plans to how to protect trade secrets, in addition to consumer protection and incident response. The book aims to outline a listed company’s responsibilities to oversee, manage, and mitigate cyber risks.

Notably, the NYSE provides a decision tree regarding whether companies should disclose a cybersecurity breach. The book offers a flexible response depending on a multitude of factors, including whether the hack is material; whether there is a separate obligation to disclose (e.g., under trading rules); whether the discovery of the breach is likely or inevitable; and whether there is a potential requirement to disclose the incident pursuant to Regulation FD.

The NYSE book may serve as a useful resource for registered funds, including open-end funds (which may have access to PII of thousands of individuals) and listed closed-end funds (which have similar Regulation FD obligations to those of other public companies).