Cybersecurity

SEC Office of Compliance Inspections and Examinations Publishes Observations on Cybersecurity and Resiliency Practices


On January 27, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued observations gleaned from its examinations related to cybersecurity and operational resiliency practices taken by market participants (the “Observations”). The Observations impact the entire securities industry because OCIE conducts examinations of SEC-registered investment advisers, investment companies, broker-dealers, self-regulatory organizations, clearing agencies, transfer agents, and others. It uses a risk-based approach to examinations to fulfill its mission to promote compliance with U.S. securities laws, prevent fraud, monitor risk, and inform SEC policy.

The Observations cover a broad range of operations in the areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness. They highlight specific examples of cybersecurity and operational resiliency practices and controls that organizations have taken to safeguard against threats and respond in the event of an incident.

Organizations subject to examination by OCIE should expect that the primary elements highlighted will be a focus of routine as well as targeted examinations. The Observations are best regarded as a set of “best practices” that regulated organizations should consider in developing, implementing and monitoring the effectiveness of their own compliance programs.

The following are selected excerpts from the Observations that we believe are the most significant. A complete copy of the Observations can be found here.

Governance and Risk Management

OCIE emphasized that effective compliance programs “start with the right tone at the top.” Because this will be a top priority of any examination, senior leaders should be committed to improving their organization’s cyber posture by working with others to understand, prioritize, communicate, and mitigate cybersecurity risks.

OCIE observes that a key element is the incorporation of a governance and risk management program that generally includes, among other things: (i) a risk assessment to identify, analyze, and prioritize cybersecurity risks to the organization; (ii) written cybersecurity policies and procedures to address those risks; and (iii) the effective implementation and enforcement of those policies and procedures.

Access Rights and Controls

OCIE observes that “access rights and controls” are used to determine which users within an organization should have access to organization systems based on their job responsibilities. Access controls generally include: (i) understanding the location of data, including client information, throughout an organization; (ii) restricting access to systems and data to authorized users; and (iii) establishing appropriate controls to prevent and monitor for unauthorized access.

Data Loss Prevention

“Data loss prevention,” as conceived by OCIE, typically includes a set of tools and processes an organization uses to ensure that sensitive data, including client information, is not lost, misused, or accessed by unauthorized users.

Mobile Security

Mobile devices and applications may create additional and unique vulnerabilities. Examples of the mobile security measures OCIE has observed include the following elements: (i) establishing specific policies and procedures for the use of mobile devices, including managing the use of mobile devices (e.g., the compliance program addresses the special concerns that are presented when employees are permitted to use their own mobile devices in performing business functions); (ii) implementing security measures; (iii) training employees, including training employees on mobile device policies; and (iv) effective practices to protect mobile devices.

Incident Response and Resiliency

OCIE notes the importance of a compliance program including the following elements: (i) the timely detection and appropriate disclosure of material information regarding incidents; and (ii) assessing the appropriateness of corrective actions taken in response to incidents. OCIE emphasized that an important component of an incident response plan is a business continuity plan and resiliency plan that addresses how quickly the organization could recover and again safely serve clients if the operations of the organization were materially disrupted.

Vendor Management

OCIE found that practices and controls related to vendor management generally include policies and procedures related to: (i) conducting due diligence for vendor selection; (ii) monitoring and overseeing vendors and contract terms; (iii) assessing how vendor relationships are considered as part of the organization’s ongoing risk assessment process, as well as how the organization determines the appropriate level of due diligence to conduct on a vendor; and (iv) assessing how vendors protect any accessible client information.

Training and Awareness

Training and awareness are key components of cybersecurity programs. Training provides employees with information concerning cyber risks and responsibilities and heightens awareness of cyber threats.

OCIE has observed the following practices used by organizations in the area of cybersecurity training and awareness: (i) training staff to implement the organization’s cybersecurity policies and procedures and engaging the workforce to build a culture of cybersecurity readiness and operational resiliency; (ii) providing specific cybersecurity and resiliency training, including preventive measures in training, such as identifying and responding to indicators of breaches, and obtaining customer confirmation if behavior appears suspicious; (iii) monitoring to ensure employees attend training and assessing the effectiveness of training; and (iv) continuously re-evaluating and updating training programs based on cyber-threat intelligence.

The ESAs Published a Joint Committee Report on Cross-Sector Risks Facing EU Financial System


On April 20, 2017, the Joint Committee of the European Supervisory Authorities (the “ESAs”) published its April 2017 report on risks and vulnerabilities in the EU financial system.

The ESAs highlight the following main risks to the financial system:

The banking sector is being affected by high levels of non-performing loans (“NPLs”), high litigation costs, overcapacity and a lack of focus in strategies to return to sustained profitability. Addressing low profitability challenges includes increasing supervisory action, making progress in structural reforms and improving the efficiency of secondary markets. Insurers face substantial challenges arising from prolonged low interest rates, and the fund industry’s rates of return are subdued and remain mostly negative.

Increased asset price volatility and liquidity concerns have heightened risks relating to adequate valuation of asset prices. This has been exacerbated by political uncertainties.

Interconnectedness adds to financial sector risks. This includes concentration risk caused by highly correlated equity price movements for insurers and banks and high exposures of EU insurers to EU banks. Interconnectedness with the wider financial system is also increasing.

Cyber risk appears as a major risk and is on the rise. Currently, denial-of-service attacks, data theft or manipulation, malicious software, misinformation and false identification are the most relevant forms. Operational risks related to ICT risks also appear to be on the rise across the financial sector. The ESAs are responding to cyber and IT-related risks by, for example, drafting guidelines on ICT risk assessment for supervisors, assessing cybersecurity capabilities of central counterparties and assessing the potential accumulation of risk for insurers deriving from newly developed cybersecurity coverages.

Agencies Issue Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards


On October 19, 2016, the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency announced proposed rules relating to cybersecurity and risk management concerns that would apply to larger institutions under their purview. FDIC Press Release. Federal Reserve Press Release. OCC Press Release.

U.S. Treasury Department Issues White Paper on Online Marketplace Lending Industry

On May 10, 2016, the Department of the Treasury issued a white paper on online marketplace lending that maps the current market landscape, reviews industry insights and offers policy proposals for the road ahead. Based on approximately 100 responses from online marketplace lenders, financial institutions, investors and other key industry figures, the Treasury, in consultation with the CFPB, FDIC, Federal Reserve Board, FTC, OCC, SBA and SEC, made several notable recommendations and observations.

The white paper explores policies that would expand regulatory oversight, including standardized representations and warranties in securitizations, pricing methodology standards, the implementation of a registry for tracking data on transactions and the reporting of loan-level performance, among others. In addition, the Treasury mentions potential cybersecurity threats, anti-money laundering, the uneven protections and regulations in place for small business borrowers and the growth of the mortgage and auto loan markets as some of the emerging trends to monitor. The Treasury is also considering the role of federal agencies in regulating these areas, including the formation of an interagency working group for online marketplace lending. Press Release. White Paper.

SEC Staff Issues Updated Guidance Regarding Cybersecurity

Recently, the Staff of the Division of Investment Management of the Securities and Exchange Commission (the “Staff”) issued updated Guidance that highlights the importance of cybersecurity for registered investment funds and registered investment advisers. In particular, the Staff identified a number of measures that funds and advisers may wish to consider when addressing cybersecurity risks. It further advised that funds and advisers should identify their respective compliance obligations when assessing their ability to prevent, detect and respond to cyber attacks. Fund managers and advisers should anticipate that cybersecurity will be a focal point of the Staff’s examination program. Guidance Update.