Just weeks ago, SEC Commissioner Aguilar’s Chief of Staff noted that the SEC is about to enter “a time of great change” regarding regulation for breach disclosure. Just weeks later, the guidance from the Division of Investment Management reinforced this notion by commenting that “in the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks.
The “time of great change” is here, regardless of your level of preparedness. Irrespective of your status as an RIA, BD, Investment Company, Public Company, or a combination thereof, your Compliance Program must consider your obligations and preventative measures in the areas of disclosure and insider/employee activity.
The starting point for understanding Cybersecurity Risk and Breach disclosure starts with the primary guidance offered by the SEC’s Division of Corporate Finance’s CF Disclosure Guidance, Topic 2, issued in October, 2011 and titled “Disclosure by Public Companies Regarding Cybersecurity Risks and Cyber Incidents.” Within this guidance, the Commission noted that risk (including cybersecurity risk) factors should be disclosed to the extent material, and could include aspects of business or operations that “give rise to material cybersecurity risks and the potential costs and consequences” as well as “a description of cyber incidents experienced by the registrant that are material” and finally “Risks related to cyber incidents that may remain undetected for an extended period.”
The Division of Corporate Finance further went on to note that firms must consider the necessity to file reports to disclose the costs and consequences of material cyber incidents. The Division noted that such information would be deemed material “if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”
Porting the 2011 guidance to the Anti-Fraud Provisions of the Advisers Act we note a prohibition on misstatements or misleading omissions of material facts and other fraudulent acts and practices in connection with the conduct of an investment advisory business. Applying the same standard of materiality to Advisers, this concept of general disclosure of material facts and events clearly must now be considered in light of cybersecurity and breach.
The DIM Guidance further highlights the importance of Risk related to Breach and whether or not your firm should consider the addition of disclosure in Item 8 of your Form ADV Part 2A, and or in Private Placement Memoranda in the case of advisers with Private Funds. (see blogpost “The SEC at RSA 2015: Focus on Breach and Disclosure”)
The DIM additionally commented that activity of insiders or employees at your company causing internal breach could be tied to Fraud. This was made clear in footnote 9 of the Guidance Update
Fraudulent activity could result from cyber or data breaches from insiders, such as fund or advisory personnel, and funds and advisers may therefore wish to consider taking appropriate precautions concerning information security.
This is a fairly broad statement essentially saying: Be on the lookout for the activity of insiders! Their activity may be tied to fraud. There is also an implication that the firm’s management of employees, from hiring practices, to ongoing monitoring of employees, and the necessity for internal breach disclosure should all be under review.
Just last week, BakerHostetler released its “Data Security Incident Response Report for 2015” which analyzed security incidents and breach at 160 of its clients. While the data set may be somewhat limited and could reflect the type of incidents that Baker’s clients were willing to report, we think this publication is interesting, especially in light of both other major, well-known breach reports and the clear revelation that employee activity is at the top of the incident list.
The Baker Report highlighted this differentiation from major annual reports, most of which put phishing scams at the top of the threat landscape. Baker’s top causes for incidents among its limited data set was as follows:
- employee negligence;
- external theft of a device;
- employee theft
- phishing; and
This report is, of course, made more interesting by the recent DIM Guidance, which emphasized Review of the activities of insiders, which may be considered fraudulent in the event of breach.
We will discuss in greater detail measures for monitoring employee activity in our May 28th Webinar: Monitoring Solutions for a Regulated Future, we would suggest the following Action Points with respect to your employees as the most basic controls:
- Review Employee Hiring Practices: background checks should be required, especially for Privileged Access Users and high-risk employees based upon access to specific data identified in your Data Classification Program. Some ongoing monitoring should be considered based upon common Fraud factors;
- Consider additions to your Code of Ethics or Employee Handbook and Attestations with respect to the handling data and reporting errors, loss, and theft;
- Employee Training needs to emphasize and require specific protocols for reporting and escalating loss and theft of devices and company data;
- Discuss monitoring capabilities of individual data flows with respect to ActiveDirectory roles and security tools which may assist in this process such as UTM devices and MSSP solutions, where feasible. (This topic alone is far beyond the scope of a blog post. Please contact us for further discussion of these potential technology enhancements.)
- Plan and test for breach created by employee negligence and be prepared for this possibility. Consideration should be given to both Pre- and Post-breach plans. (see recent DOJ guidance discussed in last week’s post).
For Further Reading: (Links will open in a new window)
See discussion of Privileged Access User in the Sony Breach White Paper: