5 Steps for Advisers and Broker-Dealers in the Wake of R.T. Jones
The SEC’s Order referenced R.T. Jones’s failure “to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by the Safeguards Rule.” This isn’t the first time the Commission has invoked Rule 30(a) of Regulation S-P, and we are not talking about rocket science: protect the PII; put reasonable practices in place; and make sure it is all down on paper.
Unfortunately, it is not really that simple, and Artemis makes suggestions essential for firms to protect themselves from business, regulatory, and legal risk…
Go to Step 5 for technical recommendations regarding web servers and client-facing applications.
What Happened?
According to the SEC, the Personal Identifiable information (PII) of more than 100,000 individuals was rendered vulnerable to theft when a web server which belonged to R.T. Jones (“RTJ”) was hacked. The web server was hosted at a third party, and somehow RTJ became aware of unauthorized access in July of 2013. While we don’t have all the details, we do know that the firm reacted proactively, hired two cybersecurity forensic firms, provided notification and services to all potential victims. To this date, there is still no evidence that a single individual’s data was utilized for malicious purposes or even removed from the server. Evidently, this information could not be ascertained by the forensic firms, as the hacker obfuscated activity by deleting log files.
Although RTJ appears to have acted diligently and in good faith, they apparently still didn’t have policies and procedures in place, including a written incident response plan, and certainly some practices were lacking. While documentation may not improve defenses in any measurable manner, the notion is clear that the worst thing you can do, from a regulatory standpoint, is to not have a Plan in place.
Keep in mind that as recently as April, the Division of Investment Management stated that all firms need to:
Implement the strategy (cybersecurity) through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.
Constructive Steps
There are plenty of lessons to be drawn from the RTJ saga, but please make sure that, as a starting point, your firm is taking the following measures, many of which we have written about and discussed in webinars in the past.
- Conduct a “Periodic Assessment of the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses.” This language, of course, is directly from the Division of Investment Management’s “Cybersecurity Guidance Alert,” but we believe it can be boiled down to some degree: Where does your Personal Identifiable Information (PII) live? Of course, keep in mind the other 4 periodic assessments mentioned in the DIM Guidance. Consider building these assessments into your Annual Review process and also a repeatable approach or template to make sure the “periodic” notion actually takes place.
- Encrypt the PII, no matter where it lives. The SEC’s Order specifically states that R.T. Jones’s Policies and Procedures “did not include – encrypting client PII stored on that on that server.” This precedent suggests that your WISP should use the word “encryption” and mention it with respect to your clients’ information. Frankly, this is a no-brainer and is often first on the priority list in working with clients. Remember that encryption of PII in many cases provides a Safe Harbor against reporting requirements of most states; this is feasible and relatively cheap insurance against notification expenses/hassle and legal considerations.
- Similarly, the SEC mentions that the P&P failed to establish “procedures for responding to a cybersecurity incident.” You must have a cybersecurity Incident Response/Recovery Plan. If you do not, and you suffer an incident like R.T. Jones, you will have regulatory problems in addition to your potential business and legal exposure. Put a Plan in place immediately.
- Adopt and Implement a Written Information Security Program. As part of the remedial efforts, R.T. Jones is putting in place a WISP. This suggest that the firm had no substantive policies and procedures in place and perhaps a general lack of process. You must have a WISP, make sure it is accurate and not just some off-the-shelf refuse with which regulators are familiar.
- Consider best practices for web servers and client-facing applications. There is a common misconception that outsourcing the hosting of web servers and applications will relieve you of some responsibility for handling PII. We are not suggesting that this was the case for RTJ, but you must have a robust Vendor Management Program in place. This is one of the six areas of focus in the second, 2015 Cybersecurity Sweep Initiative. Also, please consider the following notions with respect to hosted web servers and applications:
- RTJ says that only two people had administrative access to their hosted web server, but we have no idea what kind of controls were in place. Make sure enhanced security measures are in place for admins who handle PII: strong passwords changed regularly; two-factor authentication; monitoring of admin accounts for data flows and data loss prevention. DLP is also a focus area in the second sweep.
- Your third party hosting partner may have technical capabilities and competence to assist with putting encryption and additional security measures like Firewalls, Intrusion Detection/Prevention, and monitoring/reporting in place. The SEC cites that RTJ lacked policies and procedures related to firewall implementation, which may simply suggest that no firewall was in place. This could be remedied with a phone call to some hosting companies.
- Has your webserver or client-facing application been penetration tested? Has the code been tested for security gaps? Admins and developers may resist such best practices, but, if your server or application contains PII, this should be done without question.
- Client access must also be managed in that security controls, including password change protocols, should include reasonable practices such as strong passwords and the use of security questions. As quoted above from the DIM guidance, the SEC has suggested educating clients and investors.
- RTJ had fewer than 8000 plan participant clients on the violated web server but 100K individuals PII was potentially exposed due to application design and function. The matching of RTJ clients against a larger plan participant/sponsor database sounds is a classic technology trap which raises many additional questions. Your firm must be aware of such potential pitfalls in server and application construction, which may multiply your risk.
Finally and having experienced breach and attempts at many firms, we think a good mindset is to simply assume your firm is under attack. One forensic firm employed by RTJ stated that IP addresses pointed to mainland China. As the overused statement goes, it is not a matter of if but when you firm will be breached. The RTJ case is a cautionary tale of why having reasonable practices and written procedures in place is necessary. Regulators will ask about breach and your management of such events, and, unfortunately, there is risk here in addition to business concerns.
Resources:
SEC’s Order and Offer of Settlement Regarding R.T. Jones
https://www.sec.gov/litigation/admin/2015/ia-4204.pdf
Division of Investment Management’s Cybersecurity Guidance Update
https://www.sec.gov/investment/im-guidance-2015-02.pdf
2015 Cybersecurity Sweep Initiative
https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf