SEC Levies Fine, Reaffirms Focus on Cyber Security Planning & Data Safeguarding
In case you missed it, the SEC announced this week that it levied a $1 million fine against a prominent financial services firm for failing to adopt written policies and procedures reasonably designed to protect customer data. The SEC also stated it expects “SEC registrants of all sizes to have policies and procedures that are reasonably designed to protect customer information.”
Eze Castle Integration and Sadis & Goldberg just published ‘A Fund Manager’s Cyber Security Action Plan’ that covers what the SEC expects from managers. You can download the paper at www.eci.com/cyberplan or read an excerpt below.
Cybersecurity has fast become an imminent and pervasive threat to the investment management industry. Investment advisers, including those managing private funds (“Fund Managers”), are required to disclose and report a higher quantum of more sensitive and meaningful information than ever before, via Form ADV, Form PF, CPO-PQR and (for some Fund Managers) Annex IV. Cyber-attacks can be manifested in a variety of ways from multiple sources and can lead to direct losses (e.g., theft of funds, data or other property), reputational harm, regulatory actions, third-party litigation and other forms of liability.
While it’s reasonable to believe that a typical CFO would not respond to a “spear-phishing” email from a fictional Nigerian prince, consider the risks presented by a more realistic cyber-attack wherein a personal email is sent to the CFO, purporting to be from your prime broker, auditor or administrator (information discoverable from your Form ADV), mimicking the patterns and style of previous email communications (discoverable from your email server) and asking for confirmation of a recent wire or some other sinister request. Internal attacks such as this are discussed further throughout this paper, and each one has the potential to cripple a fund and/or damage thousands of investors.
Several of the regulatory bodies that oversee Fund Managers (including the Securities and Exchange Commission (“Commission” or “SEC”), FINRA, the CFTC and the NFA) have highlighted cybersecurity as a critical issue that poses a myriad of direct threats to Fund Managers and have taken a collective position that Fund Managers must take action to design, implement and monitor a program that will protect the confidential information and other data entrusted to them (a “Cybersecurity Program”). In fact, one commissioner recently characterized cybersecurity preparedness as a “defining issue of our time” and, at a later date, instructed Fund Managers and their Boards of Directors who choose to ignore or minimize cybersecurity risks that they “do so at their peril”. The Commission, in particular, has made numerous speeches, conducted roundtables and issued materials on this matter. Moreover, alerts, updates, primers, releases and other purported “guidance” materials abound on the Internet and crowd the inboxes of Fund Managers.
By any measure, the investment management community as a whole has been put on notice of the significance of this issue and the severity of the risks it poses and, for those Fund Managers who have not yet designed and begun to implement a Cybersecurity Program, it is accurate to state that such managers have failed to comply with a regulatory hot-button issue that has ranked as one of the Commission’s top examination priorities over the last three years.
To be fair, however, the regulatory guidance issued to date does not provide clear standards, checklists or protocols for developing a Cybersecurity Program. Rather, such directives are more ‘principles-based’ and provide various considerations for Fund Managers to recognize as they develop their Cybersecurity Programs. And although the guidance materials from the SEC, the NFA, the CFTC and FINRA are not entirely in consonance, the common theme among them is an overarching directive that Fund Managers must commit to adopting a culture of cybersecurity compliance that permeates the entire enterprise. The materials do not map out a program, provide draft policies or describe a particular technology or other solution; rather, taken together, they set a regulatory expectation for Fund Managers to:
(i) do the initial work of assessing, designing and customizing such a program; and
(ii) follow through with continued efforts of integrating, testing and monitoring the program for its effectiveness.
The Commission’s position in this regard was demonstrated in its 2015 action against a St. Louis-based registered investment adviser, R. T. Jones Capital Equities Management, Inc. (“R.T. Jones”). In this case, R.T. Jones stored certain personally identifiable information (“PII”) of more than 100,000 individuals on its third-party hosted servers for a period between September 2009 and July 2013. These servers were infiltrated by a cyber-attack emanating from China.
Although R.T. Jones: (i) promptly engaged more than one cybersecurity consulting firm to take remedial action; (ii) provided notice to all parties that their PII was compromised; (iii) offered free identity theft monitoring to such parties; and (iv) found no evidence that such PII was actually ever stolen or even affected, the SEC still took the position that R.T. Jones had violated the law by failing to adopt policies and procedures reasonably designed to protect against threats to the security of its customer and third-party information. Ultimately, the SEC censured R. T. Jones, ordered it to cease and desist from further violations and to pay a $75,000 fine. And thus, the Commission has made clear that even in the absence of an actual attack or a security breach, the failure of a Fund Manager to design and implement a Cybersecurity Program is actionable.
The Commission’s assertion of authority over the data management practices of Fund Managers is derived from Section 30(a) of Regulation S-P (the “Safeguard Rule”), which generally requires all Fund Managers registered with the Commission to adopt policies that are reasonably designed to protect the security and confidentiality of customer records and information from anticipated threats or hazards and unauthorized access or use. The Safeguard Rule thus provides the statutory basis for the Commission’s position on devising a Cybersecurity Program. Of course, this simple directive – to adopt policies reasonably designed to protect client information – becomes less simple when applied to each manager’s unique business DNA (i.e., its infrastructure, operations, network, staff, client base, trading activity and investment program).
Read more from our ‘A Fund Manager's Cyber Security Action Plan’ whitepaper on Hedge IT, or download it at www.eci.com/cyberplan.