SEC's cybersecurity warnings take more urgent tone after hacks
On the heels of the massive Equifax data breach revelation, the head of the SEC has acknowledged a hack of the commission's EDGAR electronic filing system and is urging advisors and other regulated firms to redouble their efforts to mitigate cyber risks.
In a somewhat unusually long personal statement, SEC Chairman Jay Clayton calls on firms to reassess their capacity to prevent and respond to data breaches, while offering new details on the agency's own vulnerabilities and appealing for transparency when an incident does occur.
For advisors, Clayton's statement amounts to a stark warning that the commission is expecting firms to think through their cybersecurity policies and procedures with an eye toward protecting clients' information from an intrusion and mitigating the damage should one occur.
"I recognize that even the most diligent cybersecurity efforts will not address all cyber risks that enterprises face," Clayton says. "That stark reality makes adequate disclosure no less important."
Just last month, the SEC determined that a cyber incident the commission had detected in 2016 "may have provided the basis for illicit gain through trading," according to Clayton.
He describes a weakness in the software for EDGAR's test filing system that was exploited to gain access to private information. The SEC patched the vulnerability after it was discovered, Clayton says, and the commission does not believe that consumers' personal information was exposed.
The SEC's investigation into the incident is ongoing, and Clayton stresses the dynamic nature of cyber threats. He holds up the agency's experience as a warning to firms that they need to brace for the possibility that their systems will be compromised and game out how they will respond to an attack.
"Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself," Clayton says. "Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."
WEALTH MANAGEMENT TARGETS
Advisors, broker-dealers and investment companies are high-value targets for hackers owing to their direct relationships with retail investors, Clayton stresses.
"Many of these entities act as the primary interface between the securities markets and investors, including Main Street investors," Clayton says. "Not only do their systems provide investors access to their securities accounts, but those systems in many cases also hold customers' personally identifiable information."
In 2016, the SEC brought a record 868 cases, including 173 against broker-dealers and advisers and 159 against investment companies.
Those words might have a familiar ring for advisors who have been paying attention to the signals coming from their regulator. The commission's Office of Compliance Inspections and Examinations has been conducting a series of targeted exams looking at how firms are handling cybersecurity.
In August, the commission issued a risk alert warning that while many advisors had a cybersecurity policy on the books, many of those programs are not sufficiently tailored to address the firm's distinct risks.
Likewise, OCIE found that many firms over-promised but under-delivered on their cybersecurity training programs for employees.
SEC TAKES ITS MEDICINE
Meanwhile, Clayton promises that the commission is taking its own medicine. Within the SEC, Clayton describes an "agency-wide cybersecurity detection, protection and prevention program" that includes perimeter security, monitoring and detection, and employee training.
"That said, we recognize that cybersecurity is an evolving landscape, and we are constantly learning from our own experiences as well as the experiences of others," Clayton says, indicating that the SEC is looking to hire more cybersecurity professionals.
Beyond the immediate breach at the SEC, the commission is also undertaking a systemic review of its cybersecurity apparatus. Growing out of that initiative, begun in May, is a senior-level committee that is seeking to harmonize cyber monitoring and response efforts and share threat information across the commission.
While the SEC looks to get its own house in order, Clayton notes that the commission is working to take a more active role as a regulator overseeing firms' cybersecurity programs and bringing enforcement actions against bad actors.
Even without a specific, market-wide cybersecurity rule on the books, the SEC already extends oversight in that area through a number of existing regulations, including the S-P rule that governs how advisors handle clients' personal information. A data breach that exposes sensitive client data, then, could result in an enforcement action if the commission determined that the firm failed to take adequate steps to protect its systems.
Of course, one way to limit those potential liabilities is to put restrictions on the data that firms collect and retain. That may be a hard-learned lesson within the commission itself, where Clayton is calling for an "ongoing, thoughtful evaluation of the data we obtain."
"When determining when and how to collect data, it is important that we regularly review whether our related data protections are appropriate in light of the sensitivity of the data and the associated risks of unauthorized access," Clayton says. "We should also continue to evaluate whether alternatives exist that may allow us to further our mission while reducing the sensitivity of data we collect."