Commissioner Luis A. Aguilar delivered the morning keynote address last Thursday at the SINET Innovation Summit 2015 in New York. We continue to pay close attention when the Commissioner speaks as he has been a proponent on the subject of Cybersecurity, has contributed key guidance in previous speeches, and was the driving force behind the SEC’s Cybersecurity Summit of March, 2014. In this broad-ranging speech, the Commissioner discussed the activities of the Division of Enforcement and proscriptive measures of the SEC…


The speech, titled “A Threefold Cord — Working Together to Meet the Pervasive Challenge of Cyber-Crime,” referenced Ecclesiastes and the concept that we need to work together, sharing information to create a strong defense against cyber criminals. SINET’s primary mission, as described on their website, is “to advance innovation and enable global collaboration between the public and private sectors to defeat Cybersecurity threats,” and, therefore, it makes sense that the Commissioner emphasized this concept.

In addition to issues related to information sharing, a description of recent breaches, the current threat landscape, and a high-level history of the SEC’s activities related to cybersecurity, the Commissioner discusses “Enforcement” and other issues of which registered investment advisers, broker-dealers, and public companies should be mindful.

The Commissioner starts by emphasizing the importance of Cybersecurity with several broad statements including notions such as:

Cybersecurity is an issue of profound importance in today’s technology-driven world; and In light of all this, it is not an overstatement to say that cybersecurity is one of the defining issues of our time.

Mr. Aguilar continues to list several trends, statistics, and recent breaches, including the activities of the “FIN 4” Group, which has reportedly attacked over 100 companies seeking confidential information regarding market-impacting news and merger negotiations. The group targets corporate executives, researchers, and attorneys through spear-phishing attempts to gain critical information.

We believe this type of information is relevant to understanding and identifying who your potential and specific external threats and attackers may be. For example, both investment companies and law firms who maintain such information, as part of their risk assessment process, should consider these types of specific external threats. While we will not dissect every threat discussed in the speech, we note that researching and documenting some of the external threats mentioned in the Commissioner’s speech is one way that you can evidence some ongoing assessment of external threats.

While the Commissioner addressed the history of the SEC’s approach to cybersecurity and breach events of the past two years, perhaps of the greatest interest for registered entities will be the description of “The Commission’s Response” and subsequent headings, which include references to the following topics:

Regulation SCI – Under rulemaking efforts, Mr. Aguilar points to Regulation SCI, or Regulation Systems Compliance and Integrity. The Rule, for which the compliance date is November of this year, requires cybersecurity protocols to be implemented by higher-level market participants such as the exchanges. There is the ever-present threat, however, that this rule will be applied more broadly to other market participants and that the SEC’s approach to examination with respect to the rule may ultimately be applied and perhaps pushed down to lower-level participants such as broker-dealers and investment advisers.

We find it interesting that the Commissioner did not mention Regulation S-ID or Identity Theft in this section, as there are several specific requirements here which should be considered notable rulemaking, such as the requirement to maintain an incident response plan for Red Flags/ID theft, to obtain due diligence from third parties for whom risk of ID theft may be present, and to provide training. Reg S-ID was mentioned in the Division of Investment Management’s recent guidance. By not referencing the Regulation, it may be implied that market participants who are affected should be well-versed and well-equipped to address the regulation and that the SEC is looking to the next round of cybersecurity controls.

Cybersecurity Inspections and Examinations – Referencing the Cybersecurity Sweep Document Request of April, 2014 and the corresponding results of February, 2015, Mr. Aguilar directly refers to two areas implying the potential for regular examination:

  1. Conducting risk assessment of vendors’ systems, or what we refer to as due diligence; and
  2. The designation of a chief information security officer or person to act in this capacity.

We expect these two specific areas to be built into pending examinations and also emphasize that failures which can be related to these topics may also be treated harshly. Please note the repeated emphasis upon the Risk Assessment process, which firms should take clear steps to evidence.

Enforcement – The Commissioner states point-blank that the SEC is and will be investigating breach. We have heard this before, hinted at by the Commissioner’s Chief of Staff at the RSA Conference (see our blogpost, The SEC at RSA). In Mr. Aguilar’s words:

It should not be a surprise that cybersecurity has become a focal point for the SEC’s enforcement efforts in recent years, and it has been reported that the SEC’s Division of Enforcement is currently investigating multiple data breaches. Moreover, the SEC has been proactively examining how it can bring more cybersecurity enforcement actions using its existing authority, and how that authority might need to be broadened to meet emerging cybersecurity threats.

We continue to believe that questions concerning breach and the request to see your Incident Log and corresponding documentation are coming as part of the regular examination process. All firms should be preparing for this initiative, starting with recording such events and finishing with your documentation, corresponding training, and, ultimately, your 206(4)-7 review of material incidents.

Staff Guidance on Cybersecurity Issues – The Commissioner references the Division of Investment Management’s recent Guidance Alert, which we have covered extensively (see Lyman Terni’s blogpost: SEC offers Cybersecurity Guidance). Once again, this three-part guidance reiterates the importance of cybersecurity issues, makes conducting periodic assessment in specific areas foundational to your program, and lists specific areas of technical focus. Mr. Aguilar also emphasizes the importance of disclosure as it relates to the 2011 Division of Corporate Finance guidance.

Once again, our thoughts are that disclosures will be called for more broadly and pushed down to regulated entities, and that firms should consider appropriate additions to Item 8 of the Brochure for advisers and to private placement memoranda in the case of Private Fund Managers.

Enhanced Cooperation Among all Stakeholders – We cannot completely get past the irony that the Commissioner is calling for more vigorous and open information sharing just two months after the Division of Investment Management issued critical guidance tying IT security failures to specific rules and regulations, paving a way for broadening enforcement efforts. This blind spot is particularly glaring as the Commissioner refers to fears of legal liability as inhibiting information sharing.

Another barrier to a more robust approach to cybersecurity lies in the legal risks associated with sharing threat intelligence. Many firms claim that such liability is one of the principal hurdles they face when they seek to share information.

We believe this notion is absolutely correct; however, SEC-regulated firms are equally concerned about potential regulatory reprisals for sharing information and documenting cybersecurity risks. In other words, the SEC itself needs to consider forms of regulatory relief in order for firms to maintain good-faith risk management processes, step forward on the subject of breach, and potentially participate in future public and private information sharing efforts.

Mr. Aguilar’s effort here is comprehensive and should be put on the table at your Information Security Committee meeting or corresponding Risk Management component.

If you have any questions regarding your program or regulatory expectations in light of Commissioner Aguilar’s speech, please contact Tim@ArtemisSecure.com


For Further Reading:

A Threefold Cord – Working Together to Meet the Pervasive Challenge of Cyber-Crime


Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus


The SEC at RSA 2015: Focus on Breach and Disclosure

Aguilar Speaks (But You Should Read the Footnotes)

Division of Investment Management’s April 2015 Guidance Update


October 2011 SEC Guidance on Cybersecurity Risk