Advisors and brokers aren't doing enough to protect their information technology systems and the sensitive client information they contain, and many firms have been slow to respond to the challenge, according to SEC officials.
In a live stream of the annual SEC Speaks conference, commission leaders noted that cybersecurity has become a priority across the commission, and is a particular focus for the Division of Enforcement and the exam unit.
The SEC is in the midst of the second phase of its cybersecurity initiative, where it is conducting a series of exams evaluating how advisors and brokers are handling information security, controlling access to sensitive material, and planning for how to detect and respond to an attack, among other issues.
Kevin Goodman, associate director of broker-dealer examinations at the Office of Compliance Inspections and Examinations, noted that those security reviews are ongoing, but the early results have made it clear that some practices aren't doing nearly enough to get their cyber house in order.
"[N]ot surprisingly, there are some indications of firms that aren't doing some of the important yet fairly simple things that they should be doing," Goodman said. "We've seen access rights that really aren't being managed well. We've seen firms dealing with third parties and not really assessing at all the level of cyber awareness and preparedness at those third-party firms."
Goodman suggested that the commission might publish a risk alert after it digests the findings from the second phase of its cybersecurity initiative, which he described as "a testing approach" to follow up on the first phase, a fact-finding endeavor he called "a correspondence effort."
"We learned a lot from phase one, and we've learned enough to know that there's a meaningful role our non-expert cyber examiners can play in assessing cyber preparedness," Goodman said.
"So we're going into firms and we're actually testing things like how they manage access controls," he explained. "Are they designed to limit access reasonably to the functions that various people play? Do they keep tabs on those access rights as people's roles change? Once someone has an access right or misappropriates an access right and gets into the system, how does the system's architecture work? Can people move around anywhere they want within that system's architecture, or is it designed so that if someone gets in either properly or improperly they're walled off to some reasonable area?"
OCIE examiners are also looking at the credentialing systems firms have in place to grant users access to their networks, in particular whether they are using multi-factor authentication.
"Hopefully you need a token or something other than just a password," Goodman said. "Well, we're trying to see is that really used by firms consistently and across firms."
Of course, OCIE's role is essentially to serve as the eyes and ears for the commission, and Goodman was quick to point out that his division does not make policy or handle enforcement actions. But cybersecurity is very much on the radar of the unit that does bring cases against bad actors in the industry.
Stephanie Avakian, the deputy director of the SEC's Division of Enforcement, explained that her team sees three general areas where cybersecurity issues could result in a firm getting hit with a sanction.
- In the first instance, the SEC might pursue action against a firm for failing to take appropriate steps to safeguard clients' information, which could entail a violation of Regulation S-P or Regulation S-ID.
- A more flagrant category of violations would entail the use of stolen, non-public information to profit from trading or market manipulation ahead of some event like a corporate earnings announcement or a merger.
- In the third category, the SEC's enforcement unit is looking at how registered companies respond to a cybersecurity incident, and would consider bringing an action if a firm failed to notify customers affected by a data breach or did not cooperate with law-enforcement authorities.
Avakian said that the SEC has brought actions against market participants for the first two categories of violations, but not yet the third, where the enforcement division is offering firms some latitude in how they respond to a cyber attack.
"A company that's been the victim of an intrusion is just that -- a victim. And the first priority is to assess the situation, address the intrusion, minimize the damage," she said.
"In the case of public companies, we are not looking to second-guess good-faith decisions," she added. "As I noted, we've not yet brought a disclosure case, and there've been a number of cyber incidents at public companies. But can I envision circumstances where we would bring an action? Sure. But it would have to be a significant disclosure failure to warrant that."
Avakian stressed that it is important for victims of a cyber attack to promptly engage with the relevant law-enforcement organization, whether it be the FBI, the Department of Homeland Security or local authorities.
"Whether a company self-reports to law enforcement is a critical factor," she said. "We will give significant credit to companies that self-report, so while companies might be reluctant to report a cyber incident because of the potential for an investigation, it would be a significant disclosure failure that leads to an action."
The SEC has brought cyber-related enforcement actions in the other two areas of concern that Avakian flagged, including a case the commission announced in August against more than 30 defendants charged with trading on hacked corporate information and netting more than $100 million in illegal profits.
In the RIA sphere, the commission reached a settlement in September with RT Jones, a St. Louis-based advisor, in a case involving a data breach that compromised the personal information of some 100,000 individuals.
"In that case, the firm stored sensitive information of its clients and others on its third-party hosted Web server, and the Web server was attacked in 2013 by an unknown hacker who gained access to copyrights, all the data on the server, leaving all the individuals and clients vulnerable to theft," Avakian said. "RT Jones violated Reg S-P because it failed entirely to adopt written policies and procedures designed to safeguard customer information, which is what Reg S-P requires."
To be sure, that was only one case, and the SEC has been moving cautiously in bringing enforcement actions in the cybersecurity arena. But Avakian, offering a general assessment, suggested that advisors and other registrants need to take a more rigorous approach in shoring up their systems to protect sensitive client information.
"We see a spectrum of cyber awareness and attention," she said, "and some firms essentially have nothing, so this is something we have to look at."
- Combating Cybersecurity Concerns and Reassuring Clients
- SEC to Intensify Probes Into Retirement Planning, Cybersecurity
- Voices: Being Ready When Regulators Come