Armed with the Securities and Exchange Commission’s go-to enforcement tool of the moment in such matters—Regulation S-P—expect a fresh wave of actions against investment advisers and broker-dealers who take their cyber-security responsibilities half-heartedly.
“Cyber is obviously a focus of ours,” Andrew Ceresney, director of the SEC’s Division of Enforcement, said during a day-long “Compliance Outreach Program” for investment adviser and investment company senior officers held on April 19. Taking stock of notable cyber-security-related sanctions leveled against firms in recent months, he pledged: “There will be others coming down the pike.”
That warning will do little to ease the minds of firms preparing for an overall increase in scrutiny, as well as for chief compliance officers who fear they may be the next martyr for a firm’s failures.
Earlier this month, the SEC brought a settled administrative proceeding against Craig Scott Capital, a registered broker-dealer, and its two principals, under Reg S-P for its “failure to adopt written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information.”
Rule 30(a) of Regulation S-P is known as the “Safeguards Rule.” It requires that SEC-registered investment companies adopt policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information and protect against unauthorized access to customer records that could result in substantial harm or inconvenience.
Previously, in September 2015, investment advisory firm R.T. Jones reached a $75,000 settlement with the SEC for its violations of the “Safeguards Rule,” connected to a cyber-attack that compromised the personally identifiable information of 100,000 individuals. It was the first enforcement action under Reg S-P related to cyber-security; the case is also notable because the Commission didn’t even allege that a hacker actually stole the exposed data.
Those cases—a clear warning shot that the SEC is shifting its cyber-security focus from guidance and examinations to enforcement—also fit within a larger context. Trying to do better than the mere 10 percent of registered investment advisers the Commission examines each year, it has shifted resources from broker-dealers to RIAs. Chairman Mary Jo White has also floated the idea of authorizing third-party compliance exams to ease the Commission’s backlog and burden.
RIA exams, so far as cyber-security is concerned, may have plenty to uncover. At the SEC’s compliance conference, Steven Levine, associate regional director for the National Exam Program, explained that inaugural cyber-security exams were conducted by the Office of Compliance Inspections and Examinations last year. Nearly 100 firms were targeted, divided fairly evenly among registered broker-dealers and investment advisers.
“In some cases, the RIA community is a little behind the curve relative to the broker-dealer community,” he said. In the area of policies and procedures, 88 percent of broker-dealers had plans that discussed mitigating the effects of a cyber-attack or had an outline or plan for recovering from such an incident; only 55 percent of advisers had considered the issue. Only 13 percent of investment advisers had any written policies or disclosures related to the allocation of losses due to a cyber-event.
Another finding: A much higher percentage of broker-dealers than RIAs have utilized external standards, such as those from the National Institute of Standards and Technology, International Organization for Standardization, or the Federal Financial Institutions Examination Council. The assistance of these organizations can be essential for “getting ahead of the curve as to what the next threat is,” Levine said.
“We looked for the weak link and there were two we identified,” he added. One was vendors. Only 24 percent of the examined RIAs incorporated requirements related to cyber-risk into their contracts with vendors and business partners, compared to 72 percent of the broker-dealer community. Only 32 percent of investment advisers required a cyber-security risk assessment of vendors with access to firm networks.
Employees were the other weakness. “You can have the best policies on paper, but if your employees aren’t buying into the importance of cyber-security, or you aren’t testing employees to make sure they are complying with your systems, you are going to have problems,” Levine said. “Almost all the time cyber-breaches come from an employee weakness—the employee who used a thumb drive they shouldn’t have used, or who clicked on a phishing e-mail, or who violated one of your other policies.”
“Tests we may be performing during an exam could review how firms control their access to various systems and data by managing user credentials, authentication, and access rights,” he said. “Firms may be particularly at risk for a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information.” Also planned is examining how firms monitor the volume of content transferred outside the firm by its employees or by third parties, as well as how they monitor for potentially unauthorized data transfers.
Examiners may also focus on practices or controls related to vendor management, including due diligence, effective vendor selection, monitoring, and oversight. “Due diligence of a vendor in furtherance of protecting client information and assets is an obligation,” Levine said. “If you go blindly into a relationship with a vendor without having conducted any due diligence, you are taking a tremendous risk as a CCO, and your firm is taking a risk.”
While employee training must be effective, employees aren’t the only problem. Levine tells the story of how one firm’s management decided that, despite being a well-known path for malware, employees could use external, web-based e-mail. “For the convenience of the staff, they decided it was an acceptable business risk,” he says.
SWAPS DEALERS FACE COMPLIANCE DEMANDS
Below is a summary of new rules required by the SEC for swaps dealers.
Chief compliance officers in the world of financial services have a lot more than cyber-security to worry about. Earlier this month, the Securities and Exchange Commission adopted new rules to implement business conduct standards and CCO requirements for security-based swap dealers and major security-based swap participants (collectively, SBS Entities).
Covered entities are required “to deal fairly with potential counterparties” by disclosing material information about the security-based swap, including material risks, characteristics, incentives and conflicts of interest, and adhering to other professional standards of conduct. Additional requirements apply to dealings with special entities, which include municipalities, pension plans, and endowments.
The rules, among other things, require security-based swap dealers and major security-based swap participants to verify whether a counterparty is an eligible contract participant; and disclose to the counterparty material information about the security-based swap, including material risks, characteristics, incentives and conflicts of interest.
The rules also require security-based swap dealers to establish a supervisory and compliance infrastructure. They must:
Designate a chief compliance officer who is required to fulfill the described duties and prepare an annual compliance report;
Determine that any recommendations they make regarding security-based swaps are suitable for their counterparties;
Establish, maintain and enforce policies and procedures designed to obtain and retain a record of the essential facts concerning each known counterparty that are necessary to conduct business with such counterparty;
Determine that any security-based swap or trading strategy involving a security-based swap that it recommends is in the best interests of the special entity;
Make reasonable efforts to obtain information that it considers necessary to make a reasonable determination that the recommendation is in the best interests of the special entity.
The CCO must be identified on the firm’s registration form and report directly to the board of directors (or its equivalent) or to the senior officer of the SBS Entity. The compensation and removal of the CCO must be approved by a majority of the board of directors.
As part of the CCO’s obligation to review compliance by the SBS Entity, it must establish, maintain, and review policies and procedures that are reasonably designed to achieve compliance with the Exchange Act and all applicable rules and regulations.
The CCO, in consultation with the board of directors or the senior officer, is required to promptly resolve conflicts of interest that may arise; and establish, maintain and review policies and procedures reasonably designed to promptly remediate non-compliance issues identified by the CCO through any compliance office.
CCOs are required to annually prepare and sign a report describing the entity’s compliance policies and procedures, including the code of ethics and conflicts of interest policies. Each compliance report must also contain, at a minimum, a description of: the SBS Entity’s enforcement of its policies and procedures relating to its business; any material changes to the policies and procedures since the date of the preceding compliance report; any recommendation for material changes to policies and procedures as a result of the review, and the rationale for such recommendation; and any material compliance matters identified since the date of the preceding compliance report.
The compliance report must include a certification, under penalty of law, that it is accurate and complete.
Source: Securities and Exchange Commission
The lesson from recent enforcement actions, according to Adam Aderton, assistant director for the Enforcement Division’s Asset Management Unit: “With either no policies or grossly inadequate policies an enforcement action is possible.”
Wendy Fox, vice president and CCO for Ariel Investments, a Chicago-based firm that specializes in small- and mid-capitalization stocks, said cyber-concerns have prompted many in the industry to beef up controls and, where possible, address cyber-security in vendor contracts. “One thing that everybody is doing is identifying someone who is responsible for cyber-security and conducting risk assessments,” she added. Those steps include penetration testing and vulnerability scans.
“Obviously the CCO is concerned with preventing security breaches and about business continuity,” Fox said. “Some firms are implementing stand-alone cyber-security policies, while others are leveraging their existing privacy policies and business continuity plans to touch upon cyber-security.”
Fox, while expressing appreciation for the cyber-security guidance the SEC has offered, did admit to being concerned about CCOs facing personal liability for a firm’s failures.
CCO liability concerns emerged last year after high-profile enforcement cases against those holding that position at Blackrock Advisors and SFX Financial Advisory. In the SFX case, the SEC found that its CCO failed to review cash flows in client accounts and did not perform an annual compliance review; he agreed to pay penalties of $25,000. In the Blackrock case, the firm’s former CCO was faulted for failing to report another executive’s violation of the firm’s private investment policy. The firm paid $12 million to settle the charges; the former CCO, Battista, paid $60,000.
Fox finds the use of “wholesale compliance failures” as a means to charge CCOs disconcerting. When does a firm’s failure to have adequate compliance procedures rise to chief compliance officer liability? “We work all day long,” she said. “We have lots of issues coming at us. We are doing our reviews every day, identifying issues with our compliance program, and trying to come up with ways to improve the program. How do we delineate between that work we do every day in the ordinary course, versus when we deem there is something inadequate in our program and we want to improve upon it? When does that become our liability?”
The question might also be asked: Could cyber-security failures be another danger zone for CCOs?
As in the past, SEC officials downplayed the significance of those two cases involving CCO settlements. Aderton used the Blackrock case as a case in point. “He was not charged because he was the CCO,” he said. “He was not charged because we had to shoot one of the hostages. That wasn’t what happened here. He was charged because he was aware that one of the portfolio managers had significant outside business activities. As a compliance officer, he had some role in causing the firm to adopt and implement policies and procedures related to those outside business activities and that didn’t happen for several years, despite his knowledge.”
Aderton reminded the audience that there have been only five CCO settlements during a span of 13 years, and that the two occurring so close in time to each other was a coincidence that “created the impression that the SEC is looking to target CCOs.”
“That is certainly a misinterpretation and certainly not the case,” he added. “From enforcement’s perspective, CCOs are our number one partners.”