At the 2015 RSA conference, Commissioner Aguilar’s Chief of Staff, Smeta Ramarathnam, participated in a panel titled “Full Disclosure: What Companies Should Tell Investors About Cyber Incidents.” While Aguilar’s emissary reminded us of the importance of general cybersecurity risk disclosure, her message focused upon the disclosure of breach events, stating that the SEC is about to enter “a time of great change” regarding regulation for breach disclosure.
This is not the first time the SEC has mentioned the disclosure of cybersecurity and technology-related risks. The primary guidance offered by the Commission’s Division of Corporate Finance, issued in October, 2011 is titled “Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents.”
The SEC’s early guidance on the subject is geared toward public companies, but, make no mistake about it, this guidance will be applied to private companies as well, especially those in the investment management business. There is potential, of course, for further disclosure for all companies with customer responsibilities. We are witnessing an evolution of process to address and inform the public of cybersecurity risks and, subsequently, to reduce corporate liability. There are no two ways about it:
All SEC-regulated entities should be disclosing cybersecurity and technology-related risks.
We were encouraged to see the participation of the SEC at the RSA 2015 Conference. The RSA Conference has been around since 1991 and has typically been viewed as a trade show for new technologies and, more recently, the hottest security products. The explosion in cybersecurity awareness has, however, clearly broadened the agenda appropriately and we will, no doubt, continue to see the regulatory bodies participate in such high-profile events. Their participation further underscores the relationship of regulatory issues as a driver for the security business in general and the binary concern faced across industries of regulatory and business risk.
The movement toward mandated disclosure discussed at the RSA Conference among agency-regulated entities has been inching forward for the past few years. This has been hinted at via the Financial Industry Regulatory Authority FINRA’s voluntary Risk Control Assessment (RCA), which defines incidents specifically and asks firms to disclose breach. We consider FINRA to be out in front on the subject of cybersecurity when compared to the SEC, as evidenced in the past several years of Examination Priority letters, and that it is just a matter of time until the RCA becomes mandatory for FINRA-regulated firms. Given the recent history of the SEC following suit on FINRA’s sweeps and actions, we would recommend all SEC-regulated entities review and understand FINRA’s RCA. It’s only a matter of time until it will apply to you. It is also clear that the SEC and FINRA are moving with some degree of coordination or in unison, in line with an ultimate unified approach, with respect to both sweep’s and resulting Alerts and Reports.
A sign of this impending unified approach was posted last year at this time when the SEC requested of advisers in the Cybersecurity Sweep Document Request of April 2014:
24. Since January 1, 2013, has your Firm experienced any of the following types of events?
We have attached a link to full Cybersecurity Sweep Document Request below, but the idea is that this request pertaining to specific events, associated loss and costs, and a firm’s management practices for such events will soon be mandatory and part of the SEC examination process.
Breach management is a vast topic, which is highly debated, and some additional helpful information has been released with the recent Verizon 2014 Data Breach Investigations Report. We will continue this discussion in relation the SEC’s NEP Alert, corresponding results and next steps on Thursday’s webinar. We hope you can join us. In the meantime, we highly suggest you review the following action items:
Action Items:
1. Review and Consider additional cybersecurity risk disclosure to Item 8 “Methods of Analysis, Investment Strategies and Risk of Loss” of Form ADV Part 2A. While Item 8 is specific to utilized strategies, this is likely the place to consider the appropriateness of related cybersecurity risks. Many firms err on the side of disclosing more rather than less in this Item, and this makes sense to us given that private money managers are not required to disclose such risks in Item 1A of the 10-K as expected for public companies. A helpful hint here for understanding appropriate disclosure language is to review 10-K disclosures of public companies with similar mandates to your own. In the case of Private Funds, consideration of such risk items should be undertaken for Private Placement Memoranda (PPM).
2. Expect Breach and be Prepared: We have posted on the importance of Response and Recovery Plans, and preparation for breach is essential to this concept. Manage IT incidents thoroughly with appropriate logging, documentation, and lessons learned on the assumption that this will be an area of regulatory request and scrutiny going forward.
3. Treat IT Security events as a Compliance Issues, to be examined in the context of your 206(4)-7 Review. The obvious question, as is the case for other Compliance issues, is: what are your controls and testing methods? The resultant questions, for which you should have answers, are:
- What cybersecurity Framework does your firm employ to ensure that risks are properly considered?; and
- What monitoring and testing mechanisms do you have in place to ensure that such a framework and its outputs are, indeed, effective?
For Further Reading: (links will open in a new window)
October 2011 SEC Guidance on Cybersecurity Risk
Aguilar Speaks (But You Should Read the Footnotes) – Artemis Blog Post
Archived RSA Conference Panel and PowerPoint
FINRA’s Risk Control Assessment (RCA) Survey