A few days ago, on April 28, 2015, the Securities and Exchange Commission’s (SEC’s) Division of Investment Management released Cybersecurity Guidance for registered investment companies and registered investment advisers (the “IM Guidance”). In the IM Guidance, the SEC Division of Investment Management identifies the cybersecurity of funds and advisers as an important issue and discusses various cybersecurity measures to be considered when addressing cybersecurity risk.
The gist of the recommendations (which are not deemed exclusive) is that funds and advisers should consider: (1) periodic assessments of cybersecurity threats and vulnerabilities, (2) a prevention, detection and response strategy and (3) policies, procedures, training and education.
The IM Guidance is an update, issued almost exactly one year after the Office of Compliance Inspections and Examinations’ (“OCIE’s”) April 2014 Risk Alert, which outlined OCIE’s “Cybersecurity Sweep Initiative,” which in turn was followed by OCIE’s February 2015 Cybersecurity Examination Sweep Summary (the “OCIE Risk Alert” and the “OCIE Sweep Summary”).
This is quite a handful of important recent SEC staff-issued advice — though these SEC publications are not new statutes; not new rules; not new interpretive releases; not new “no-action letters;” and not new administrative decisions. These pieces of SEC staff intelligence are merely SEC unilateral proclamations issued via the SEC website. However, don’t be fooled — many would argue that pronouncements like the IM Guidance, OCIE Risk Alert and OCIE Sweep Summary may have more precedential power than statutes, rules, releases and judicial pronouncements combined.
In any event, taken together, the IM Guidance, OCIE Risk Alert and OCIE Sweep Summary are clear indicators that the SEC considers regulating cybersecurity an important priority of its mission. Historically, the SEC’s cybersecurity interest was geared toward the protection of customer data; now it seems the SEC’s cybersecurity paradigm has shifted. Now the SEC’s concern about cybersecurity stems from its self-stated mandate to protect the global financial marketplace. I predicted this increased scrutiny in an article I wrote in early 2014 for Bloomberg BNA entitled, Cybersecurity and Financial firms: Bracing for the Regulatory Onslaught, and I admire the SEC’s marking of territory in the realm of cybersecurity. Cybersecurity is especially critical for SEC regulated entities, like broker-dealers, investment advisers, mutual funds, exchanges, etc., and it is important for the SEC to play an active role in cybersecurity regulation.
But having said the above, the SEC is somewhat schizophrenic in the area of cybersecurity. On the one hand, despite issuing the three regulatory pronouncements I mention above, the SEC has been fairly careful to avoid speaking generally on cybersecurity issues and practices. The SEC staff’s hesitance stems from the fact that the SEC ultimately has a very limited mandate in the area of cybersecurity. Specifically, the SEC’s mandate is as follows:
- Certain SEC rules address cybersecurity practices at SEC-registered firms in the securities industry, such as Rule 30(a) of SEC Regulation S-P, commonly referred to as the “Safeguards Rule,” which requires broker-dealers, investment companies and SEC-registered investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information against unauthorized access and use;
- The SEC monitors whether public companies are appropriately disclosing cybersecurity risks and incidents that are material to investors, as set forth in the SEC Division of Corporation Finance (“Corp Fin”) October 2011 Cybersecurity Disclosure Guidance (which I discussed in a Law360 article entitled, “Disclosing Cyber Attacks: How to Follow SEC Guidance”); and
- The catch-all: the SEC is responsible for protecting the integrity of the securities markets.
Otherwise, the SEC is not a general-purpose enforcer of good cybersecurity practices. The SEC’s rules are also carefully drafted as “technology and process neutral,” setting objectives that SEC registrants must meet, but not requiring the use of any particular technology or the use of any particular process for achieving those objectives.
Technology and process neutral rules are a good thing. Given the speed and intensity of technological change and the rapid evolution of data breach methods, any specific governmental technological mandate could backfire badly. For instance, the SEC staff understands that prescribing any particular type or level of security would establish an acceptable baseline that firms would treat as a ceiling, and one which could quickly become obsolete or even laughable.
Along those lines, most SEC staff public appearances and speeches relating to cybersecurity to date have been before audiences made up mainly of securities industry firms, or of public company attorneys and compliance personnel concerned with corporate disclosure issues.
Interestingly, the IM Guidance warns that cybersecurity risks can contribute to a violation of the federal securities laws by a fund or adviser. I don’t believe the SEC Enforcement Division will be making weak cybersecurity practices and procedures a priority, though from what I have witnessed at registered investment advisers in particular, policing cybersecurity failures at registered investment advisers, especially small and medium sized ones, would be like shooting fish in a barrel.
However, I would bet that the Enforcement Division will take action if OCIE or Corp Fin identifies any egregious violations, or perhaps bundle a slew of cybersecurity violations in a sweep, with minor penalty settlements for firms having cybersecurity failures that the SEC staff identified as rampant or prevalent.
The bottom line is that the SEC staff expects SEC-registered entities to assess their ability to prevent, detect and respond to cyber-attacks. The IM Guidance states:
For example, the compliance program of a fund or an adviser could address cybersecurity risk as it relates to identity theft and data protection, fraud and business continuity, as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions.
What probably makes the most sense for SEC regulated entities is to engage an outside firm to conduct a risk and security assessment of their cybersecurity (and of their physical security, because the two are intertwined). Regulated firms should make sure the appropriate tools, personnel and incident response planning are in place before the inevitable cyber-attack occurs, not after.
Thankfully, the IM Guidance specifically acknowledges that “it is not possible for a fund or adviser to anticipate and prevent every cyber-attack.” Like other government agencies, the SEC staff is beginning to appreciate the upside-down reality of data breaches, i.e., that data breaches do not define victim companies; how they respond to them does.