Rarely has so small a spark fanned such large fires of concern so quickly among businesses that register with the Securities and Exchange Commission.
In September, R.T. Jones Capital Equities Management, an investment adviser in St. Louis, settled charges with the SEC that it failed to establish adequate cyber-security policies and procedures in advance of a breach that compromised the personally identifiable information of roughly 100,000 individuals. The firm agreed to pay a $75,000 penalty.
The case, experts say, is a warning shot for financial and non-financial firms alike—that the SEC is shifting its cyber-security focus from guidance and examinations to enforcement.
The agency’s first big stab at cyber-security guidance came in 2011, with a missive from the Division of Corporation Finance that urged disclosure when a breach or uncovered risk affects what a “reasonable investor would consider important to an investment decision.” The SEC has made several efforts to underline the point since then, with cyber-security examination priorities from the Office of Compliance, Inspections, and Examinations, and a terse bit of guidance this year from the Investment Management Division that set expectations for investment advisers.
Speaking last week at the Association of Corporate Counsel’s annual meeting in Boston, Vincente Martinez, chief of the Enforcement Division’s Office of Market Intelligence, rattled off several SEC rules that also address cyber-security. Regulation S-P has requirements that financial firms must meet for safeguarding customer information. Regulation S-ID requires broker-dealers, financial advisers, and others to have customer identity theft protection programs and “red flag” protocols.
Investment advisers and investment companies are expected to have compliance programs designed to help them satisfy federal securities laws, “and part of being able to do that is to be able to talk about safeguarding client assets, protecting the privacy of client records, and having business continuity plans,” Martinez said. Regulation SCI, which applies to self-regulatory organizations, including stock exchanges, has specific reporting obligations related to prevention, recovery, and resilience regarding disruptions to their business operations.
Firms covered by these rules “should think about their regulatory obligations when determining what their risks are,” Martinez said. “You need to think about the ways that a cyber-security attack could affect your ability to meet regulatory obligations.”
Cyber-security efforts must be tailored to the type of business that you are, Martinez added. A retailer has one set of vulnerabilities (customer information) that is quite different from the infrastructure concerns of a utility company. “Those distinctions need to be made in the company’s risk disclosures,” he said. “A company’s Management Discussion and Analysis should be talking about those material drivers of your business that have cyber-security risks.”
Back to Enforcement
So what makes the R.T. Jones case important? It is the first enforcement action under Regulation S-P related to cyber-security. The SEC’s case against the firm was that R.T. Jones failed to adopt written policies and procedures; did not conduct periodic risk assessments; lacked security provisions, including adequate firewalls and encryption; and had little in the way of a response plan.
The enforcement action sets a curious precedent, says Brian Rubin, a partner at law firm Sutherland Asbill & Brennan and former senior enforcement counsel at the SEC. While R.T. Jones’ data was vulnerable to theft, the Commission didn’t allege that a hacker actually stole the exposed data. This stands in stark contrast to other SEC enforcement actions where data was stolen by hackers.
R.T. Jones did retain cyber-security consulting firms after it discovered the security hole, notified customers, and took a variety of actions intended to mitigate future threats. Among them: a written information security policy; encrypting personally identifiable information stored on its internal network; and installing a new firewall and logging system to prevent and detect malicious incursions, Rubin adds.
While acknowledging those efforts, the SEC dug in its heels on a “reasonableness” standard for pre-breach policies and procedures. “Often, when the SEC finds that a firm doesn’t have reasonable policies and procedures, it tells the firm to cure the deficiency,” Rubin says. “Here, instead, the SEC sanctioned the firm.”
Rubin worries that the SEC seems to have picked and chosen from the voluminous list of “best practices” detailed in guidance issued by it and other regulators.
“The SEC chose to provide guidance by punishing the victim, rather than issuing a regulatory notice or adopting new rules,” is how Rubin describes the application of Regulation S-P. “The message here is that the SEC will hold firms to strict liability, or close to strict liability, if there is a breach.” Expect more cases like this as guidance and examinations help build future enforcement cases, he warns.
APPLYING REGULATION S-P
The following is from the Securities and Exchange Commission’s Order Instituting Administrative and Cease-and-Desist Proceedings against R.T. Jones Capital Equities Management.
The Safeguards Rule, which the Commission adopted in 2000, requires that every investment adviser registered with the Commission adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
The Commission adopted amendments to the Safeguards Rule, effective January 2005, to require that the policies and procedures adopted thereunder be in writing.
During the relevant period, R.T. Jones maintained client PII on its third-party-hosted web server. However, the firm failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by the Safeguards Rule. R.T. Jones’s policies and procedures for protecting its clients’ information did not include, for example: conducting periodic risk assessments, employing a firewall to protect the web server containing client PII, encrypting client PII stored on that server, or establishing procedures for responding to a cybersecurity incident. Taken as a whole, R.T. Jones’s policies and procedures for protecting customer records and information were not reasonable to safeguard customer information.
Clarity, and Lack Thereof
As the SEC enters the enforcement phase of its cyber-security efforts, businesses would benefit from a better explanation of their disclosure obligations and what best practices are most important to regulators. Providing that clarity may be easier said than done.
“It is not always clear what the rules of the road are,” says Stephen Lilley, an associate at law firm Mayer Brown. “But it is also not clear from a policy perspective whether you want regulators to start describing a bunch of very specific rules, because that can lead to static, checklist-based compliance which loses perspective on what we are really trying to do—which is to understand the risks you face and develop a strategy that is attuned to those risks. Writing clear rules can be very difficult.”
Lilley gives the example of insurance for cyber-security failures. “The insurance industry is still trying to figure out how to underwrite cyber-security risk, so the idea that you could boil it all down to a couple of paragraphs in a disclosure—but at the same time include information that is valuable to the markets—is unreasonable,” he adds. “It’s a puzzle that needs to be worked through. I think everyone is smart enough to realize it is hard to write a rule that’s definitive because the playing field keeps shifting.”
“I don’t know if there are enough rules, and it is probably too early to write them,” says Dennis Whalen, head of KPMG’s Board Leadership Center. While the SEC certainly wants cyber-risks to be part of its disclosure regime, “it is not the panacea they were hoping for, because it tends to be more boilerplate.”
Whalen agrees that more guidance, and better defined roles for regulators, would be helpful. “Some level of understanding about who really has the ball from a regulator perspective would be a positive for the business community,” he says.
Regulatory enforcement brings concerns that go beyond disclosure obligations, says Linda Lerner, a partner with the law firm Crowell & Moring. She gives the example of broker-dealers getting a risk control statement from their audit firms as part of the annual audit. “As part of their PCAOB annual audit, broker-dealers are given a risk control statement in which gaps in cybersecurity policies and implementation may be identified,” she says. “It is obviously advantageous to a firm if appropriate cybersecurity steps are in place so the risk control statement does not serve as a roadmap for the firm’s regulators. If they ask for it, you don’t want to have that big negative sitting there.”