US - The SEC makes its mark on cyber
The SEC is done playing around. This summer, particularly August, the SEC has demonstrated its resolve to bring the cyber house to order, first by actions against public companies for alleged poor cyber disclosures and the governance around such disclosures, and then by actions against SEC registrants (e.g., broker-dealers and investment advisers) alleging failures to implement basic cybersecurity controls even when internal policies called for such controls. The latter actions, as noted, were aimed at broker-dealers and investment advisers, but the ramifications are much broader.
In its most recent action on cybersecurity disclosures, the SEC entered a $1 million settlement with a U.S.-listed, London-based public company over failure to adequately respond to and disclose a cyber breach. The company is an educational publishing company. In March 2019, the company discovered that it suffered a breach. Hackers exploited a known unpatched vulnerability to access the company’s network. During the breach, hackers stole over 11.5 million rows of student data. Also stolen were usernames and passwords. While the passwords were protected, the SEC alleged that the technology used to protect the passwords was outdated, leaving the passwords at risk of being exploited.
The company notified affected individuals in July 2019, but, according to the SEC, failed to disclose that the passwords were at risk, leaving the affected individuals susceptible to identity theft. Later in July, the company issued its Form 6-K, which discussed a “[r]isk of a data privacy incident or other failure to comply with data privacy regulations and standards and/or a weakness in information security, including a failure to prevent or detect a malicious attack on our systems, could result in a major data privacy or confidentiality breach causing damage to the customer experience and our reputational damage, a breach of regulations and financial loss.” The company made no mention of the incident discovered in March 2019.
Additionally, according to the SEC, a media statement released at the end of July 2019 had numerous issues including a statement that the data was “exposed” instead of “removed,” numerous attempts at minimizing the extent of the stolen data, and failure to disclose the vulnerability.
- Basic cyber hygiene is a necessity: Every regulator, including the SEC, discussing cyber this summer has mentioned basic cyber hygiene. At the top of the list are always vulnerability management and Multi-Factor Authentication (MFA). The company in the matter described above allegedly failed to address known vulnerabilities and suffered a breach. In simple terms, that’s like being told that burglars can get in via the back door because the lock doesn’t work and leaving that same lock in place. Regulators understand that data breaches happen, but they want to see companies fixing broken locks.
- Have a plan for addressing cyber disclosures: When a breach occurs, companies now have plans covering hiring forensic teams, bringing in outside counsel, protecting privilege, and many other steps. Consulting with disclosure counsel should be part of these steps. It is critical to be up front about breaches and to disclose them appropriately. In a world full of cyber incidents, another one may have an incremental PR hit, but it will be less costly than an SEC enforcement action. Of course, investment advisers and broker-dealers also need to consider fiduciary responsibilities when it comes to appropriate disclosures.
- Transparency in Public Statements: Avoid all temptation to minimize the impact of a breach in public statements. Some companies try to finesse a hacker having “access” to data as distinct from having “exfiltrated” the data. It doesn’t work. Consider fiduciary duties and provide the transparency needed. Put clients, investors, and customers first and you’ll avoid this landmine.
Basic Cyber Hygiene
On August 30, 2021, the SEC sanctioned eight firms in three actions. In all three actions, the SEC found that these firms (investment advisers and broker-dealers) failed to adopt and/or implement sufficient controls to protect the personal information of customers.
As described in the enforcement actions, the SEC’s Safeguards Rule (Reg S-P) requires broker-dealers and investment advisers to “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Moreover, Section 206(4) of the Investment Advisers Act of 1940, and Rule 206(4)-7 thereunder, require investment advisers to adopt and implement written compliance procedures to seek to prevent violations of the rules.
In each of the three actions announced on August 30, with settlements totalling $750k, the broker-dealers allegedly failed to implement Multi-Factor Authentication on email accounts. Hackers were able to take over those accounts and steal thousands of people’s information located within the email accounts.
In an action against one of the firms and affiliated entities, the SEC alleged that hackers started in 2017 to infiltrate email accounts of independent contractors working for the firm. While the firm started to roll out MFA, not all contractors were included. More account takeovers occurred. The SEC found that the firm did not complete its rollout until 2020. The firm had a policy encouraging MFA, but not requiring it. The policy later changed to cover high-risk accounts, but according to the SEC the implementation did not follow. Also, when the firm finally disclosed the breach, the SEC stated that the firm told customers the breach related to incidents 2 months prior, when in fact it was 6 months prior.
The two other actions follow similar fact patterns, with alleged failures to have clear policies and implement security. In the action against one of the other firms, the SEC alleged that the firm was also deficient because it was using an affiliate’s security policy. Moreover, that same firm provided summaries of the breaches months after the discovery of the incidents.
In all three actions, the SEC alleged the violations amounted to a failure to implement policies and procedures consistent with the Safeguards Rule.
- Review your Cyber Compliance: Review your policies and procedures regarding cyber breaches and update them as needed to address new risks and technology. Even if you are not covered by the Safeguards Rule, you will be evaluated by a regulator or private plaintiff to see if you have “reasonable security.” Create policies and procedures to ensure such security.
- Basic cyber hygiene is a necessity: Multi-Factor Authentication is no longer truly optional. With every regulator calling for it, even for those entities not covered by cyber regulations, MFA is required as “reasonable security.” But it isn’t enough to have a policy about it: it must be implemented.
- Check on your contractors and third parties: Securing your own house is no simple task, but even once you achieve that, the work does not end there. Cybersecurity requires checking on your vendors and third parties. Everyone with access to your data needs to be covered by your policies. And you need contractual terms to ensure you can oversee security and be notified of problems.
- Test your policies: Compliance testing of cybersecurity policies is critical. It is not enough to have a good policy. And it is not good enough to rely on the information security office to tell you that the policies are implemented. Understand the cyber rules and implement compliance testing protocols.