In August, the SEC filed the largest and most important group of "outsider trading" cases in its history, pushing new limits on cybersecurity and securities fraud. "Outsider trading" is the charging of hackers with securities fraud for trading on illegally exfiltrated or stolen information.
Now, during September, the SEC has continued to mark its cybersecurity territory with: 1) last week's SEC announcement of its 2015 Cybersecurity Examination Initiative; and 2) yesterday's SEC announcement of its settled R.T. Jones administrative proceeding.
The SEC is clearly doubling down on its latest cybersecurity play and showing no signs of relenting.
The SEC’s 2015 Cybersecurity Examination Initiative.
On September 15, 2015, the SEC announced its second sweep of examinations into brokerage and advisory firms' cybersecurity practices (SEC Sweep #2), a clear indication of more aggressive cybersecurity-related enforcement. Specifically, in an SEC Risk Alert, the SEC's Office of Compliance Inspections and Examinations (OCIE) outlined the factors it will take into consideration during SEC Sweep #2 and reinforced its interest in cybersecurity at SEC-regulated entities.
SEC Sweep #2 comes exactly seventeen months after OCIE’s April 2014 cybersecurity sweep of examinations which was also announced in an SEC Risk Alert (SEC Sweep #1).
When the SEC announced SEC Sweep #1, the SEC made quite a splash and then, almost a year later, culminated the effort with a very interesting report announcing its findings. Though published without much fanfare, Sweep #1's report contained some strong sentiments about cybersecurity, and its contents evidenced a decisive and steady hand of engagement.
Notably, SEC Sweep #1's report revealed that a sizable majority of the investment advisory firms the SEC examined had experienced cyber attacks, even though most of those firms had written policies in place to handle and prevent such incidents; in other words, written policies alone had not prevented the attacks. However, SEC Sweep #1's report was also somewhat measured and did not draw any specific or otherwise scathing conclusions. The report fell short of specifically indicating that enforcement actions were definitively on the horizon.
In the end, SEC Sweep #1 seemed a mission more along the lines of reconnaissance than actual investigation. With SEC Sweep #1, the SEC staff clearly sought to gain a better understanding of the cybersecurity risks in the securities industry and hoped to assess how firms were preparing for and responding to these risks – and also sought to clearly mark cybersecurity as its territory.
Now, with the announcement of SEC Sweep #2, the SEC's gloves are off.
OCIE is now plainly telling SEC-regulated entities that they have had fair warning, especially given the SEC's unusual and almost unprecedented move in making public, as a "resource," the so-called "examination module" that OCIE staff will use during SEC Sweep #2 (as it did with the "examination module" used during SEC Sweep #1).
The "examination module" is nothing more than a sample list of the information that OCIE may review in conducting cybersecurity examinations of registered entities. However, the SEC has historically not made OCIE examination modules public, so as not to tip off examination targets as to OCIE staff's priorities and specific areas of interest, and to keep the examinations more of a surprise.
One important additional note: SEC Sweep #1 was a bit tougher and more forceful than FINRA's concomitant 2014 cybersecurity targeted sweep of broker-dealers, which FINRA characterized as more of a "survey" than a series of exams, and which resulted in a FINRA Report published in February 2015. I would expect SEC Sweep #2 to be followed by a similar second FINRA cybersecurity initiative that will also be more aggressive and more targeted (and less akin to FINRA's initial self-styled "survey").
The SEC’s Filing of In the Matter of R.T. Jones Capital Equities Management.
Yesterday, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, has agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
According to the SEC’s order instituting a settled administrative proceeding: R.T. Jones violated the SEC’s “Safeguards Rule” during a nearly four-year period when it failed to adopt any written policies and procedures to ensure the security and confidentiality of PII and protect it from anticipated threats or unauthorized access.
The Safeguards Rule, which the SEC adopted in 2000, requires that every investment adviser registered with the Commission adopt policies and procedures reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. The Commission adopted amendments to the Safeguards Rule, effective January 2005, to require that the policies and procedures adopted thereunder be in writing.
According to the SEC:
- R.T. Jones stored sensitive PII of clients and others on its third-party-hosted web server from September 2009 to July 2013.
- The firm's web server was attacked in July 2013 by an unknown hacker who gained access to the data on the server and the ability to copy it, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones's clients, vulnerable to theft.
- The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.
- After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and to determine its scope.
- Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
- To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber attack.
Taken as a whole, the SEC charged that R.T. Jones's policies and procedures for protecting customer records and information were not reasonably designed to safeguard customer information.
The SEC’s order found that R.T. Jones violated Rule 30(a) of Regulation S-P under the Securities Act of 1933. Without admitting or denying the findings, R.T. Jones agreed to cease and desist from committing or causing any future violations of Rule 30(a) of Regulation S-P. R.T. Jones also agreed to be censured and pay a $75,000 penalty.
The SEC’s Office of Investor Education and Advocacy also published a new Investor Alert, “Identity Theft, Data Breaches, and Your Investment Accounts.” The alert, available on Investor.gov, the SEC’s website for individual investors, offers steps for investors to take regarding their investment accounts if they become victims of identity theft or a data breach.
The First Message of R.T. Jones: This Was An Egregious Cybersecurity Failure at a Small Firm.
R.T. Jones's cybersecurity posture was a fairly egregious compliance failure. The firm failed to conduct periodic risk assessments; failed to implement a firewall; failed to encrypt PII stored on its server; and failed to maintain a response plan for cybersecurity incidents.
R.T. Jones's failures were serious, blatant and obvious, which made the matter ideal as the first SEC enforcement action out of the gate after SEC Sweep #1, and it is likely a harbinger of the kind of investigations in the SEC enforcement division's pipeline.
In other words, the SEC enforcement division will likely be looking to charge only egregious cybersecurity failures, as opposed to more technical and less grave ones. This charging calculus is an indicator of a measured, intelligent and effective cybersecurity enforcement program, because there is a lot of gray area in the field of cybersecurity. In fact, there is no specific cybersecurity standard that has been adopted universally. Thus, determining that a financial firm's cybersecurity violates the federal securities laws, i.e. that the firm is "inadequately safeguarding personal information," is never easy, because the violations are rarely straightforward and clear-cut.
(As a quick aside, there is, however, an emerging and respected cybersecurity standard published by the National Institute of Standards and Technology (NIST): the NIST Cybersecurity Framework. Unlike the many other standards out there, the NIST Framework combines the best of existing rules, assessments, regulations and guidelines into a unifying cybersecurity reference guide. While it was created for critical infrastructure (banking, transportation, oil and gas, defense, and so on), the Framework is applicable to most organizations and offers a useful single reference for organizations to build their own cybersecurity best practices. My guess is that more and more governmental agencies will apply the NIST Framework as more and more cybersecurity failures are charged by the government.)
R.T. Jones is also a relatively small investment firm, handling approximately 8,400 client accounts and about $480 million in assets. That is not surprising. In my experience, the smaller the investment firm, the more likely it is that large and significant cybersecurity failures exist. Why? Because the resources needed to implement proper cybersecurity, with respect to both technological infrastructure and personnel, remain extraordinarily expensive and complex, and can be overwhelming and simply unattainable for a small financial firm.
The Second Message of R.T. Jones: A New Seaboard Report.
Interestingly, the R.T. Jones settled order reads a bit like a Seaboard Report for companies experiencing a cybersecurity breach. What is the Seaboard Report and why the analogy? A little history:
When Harvey Pitt became chairman of the SEC in 2001, he made clear his personal desire to rectify one of his biggest frustrations as an SEC enforcement defense attorney, namely that the SEC never seemed to offer any of his clients actual "credit" when they cooperated, took remedial measures or otherwise tried to mitigate any damage they may have caused.
Hence, Chairman Pitt launched a movement for the SEC to elaborate on some of the criteria it would employ in determining what actions to bring, if any, against publicly reporting companies for securities law violations. Chairman Pitt chose as his vehicle for this list of criteria In the Matter of Gisela de Leon-Meredith (Securities Exchange Act Release No. 44969, October 23, 2001), in which the SEC issued a relatively unusual Report of Investigation under Section 21(a) of the Securities Exchange Act of 1934.
The Report of Investigation became commonly known as the Seaboard Report, which, oddly, does not actually contain the word "Seaboard" anywhere in its content, because Seaboard was never actually charged (due to its remedial and cooperative actions). A bit bizarre, but logical.
The Seaboard Report highlights the value placed by the SEC on timely internal investigations that are followed by prompt disclosure of the misconduct to the public, cooperation with the SEC, discipline of those responsible, and establishment of more effective controls and procedures designed to prevent a recurrence of the misconduct.
The Seaboard Report is notable, however, for more than its non-exhaustive list of factors the SEC may consider in seeking sanctions against a company. The report also emphasizes the importance of a public company employing outside counsel with little, if any, prior engagement with the company to conduct the requisite internal investigation.
Like the Seaboard Report, yesterday's R.T. Jones action, with its detailed list of mitigating factors scattered throughout the SEC administrative papers, offers what the SEC will probably refer to as an "enticing carrot": an implicit promise that good regulatory behavior after a data breach can help mitigate culpability and, in the right circumstances, perhaps even help a company avoid an SEC enforcement action altogether, or at least lessen the fine. In fact, the $75,000 penalty in R.T. Jones does not seem substantial; perhaps it would have been higher but for R.T. Jones's remedial actions.
Specific remedial actions cited by the SEC as relevant in the R.T. Jones matter include: 1) the appointment of an information security manager to oversee data security and the protection of PII; 2) the adoption and implementation of a written information security policy; 3) the promise to no longer store PII on its web server; 4) the commitment to encrypt any PII stored on its internal network; 5) the installation of a new firewall and logging system to prevent and detect malicious incursions; 6) the retention of a cybersecurity firm to provide ongoing reports and advice on the firm's information security; 7) the speedy hiring of an outside and independent consulting firm to investigate the data breach; and 8) the prompt and effective provision of notice of the data breach and free identity theft monitoring to those individuals whose PII may have been compromised.
This laundry list of mitigating factors in R.T. Jones, while not as explicit or extensive as the factors listed in the Seaboard Report, and while lacking the ballyhoo of Chairman Pitt's celebration of the Seaboard Report, provides a useful and telling roadmap of proper compliance behavior amid data breaches. SEC-regulated entities would be wise to take note of this interesting and important remedial language sprinkled throughout the R.T. Jones administrative order.
The Third Message of R.T. Jones: No Need to Identify Actual Customer Harm, and No Need to Identify the Actual Perpetrator of the Crime.
Not surprisingly, breached investors (i.e. customers whose data may have been exfiltrated or otherwise compromised) need not suffer any harm in order for the SEC to bring charges. Just like in any of the recent data breaches making headlines, in R.T. Jones: 1) no one could identify the actual perpetrator of the data breach (though the firm apparently traced the intrusion to China); and 2) actual harm to customers is presumed (which is always a bit of a logical leap, but that is a subject for another article).
It seems unfair that the SEC is blaming the victim of this data breach, but such is the harsh reality for all companies, not just SEC-regulated entities. Unfortunately, the government's view of cyber-attack victims can sometimes be less about understanding and sympathy, and more about suspicion and finger-pointing. The world of incident response is an upside-down one: rather than being treated like crime victims, companies experiencing data breaches are often treated like criminals, becoming defendants and respondents in federal and state enforcement actions, class actions and other proceedings. And given in particular the 47 or so separate state privacy regimes, together with a growing range of federal agency jurisdiction, cyber-attack victims end up accepting service of process of multiple subpoenas rather than a helping hand.
The Fourth Message of R.T. Jones: The SEC’s Administrative Forum is the Preferred Venue for Cybersecurity Failures.
As expected, the SEC selected as its forum for the R.T. Jones matter an administrative courtroom in its own backyard rather than a federal courtroom. This makes sense because the SEC has historically charged technical securities law violations committed by SEC-regulated entities in its own specialized and uniquely capable administrative forum (as opposed to more generic fraud violations, which the SEC has historically charged in federal court, though the SEC has recently begun charging those in its own administrative forum too).
I would expect that in future SEC enforcement matters involving cybersecurity failures, the SEC will also file the charges administratively, especially given that the matters will typically involve regulated entities alleged to have violated some of the more opaque and lesser-known SEC rules and regulations.
Conclusion: The SEC’s Cybersecurity Swagger Continues . . .
The announcement of SEC Sweep #2, followed on its heels by the settled administrative order in R.T. Jones, makes clear that the SEC's wave of interest in cybersecurity continues to swell. In fact, given that data breaches not only pose a dangerous threat to investors but can also disrupt the entire global financial marketplace, the SEC's cybersecurity campaign has probably only just begun.
So stay tuned for more cybersecurity-related SEC enforcement actions, SEC regulatory pronouncements, SEC initiatives, etc. The SEC is staffed with a bright, enthusiastic and energetic cadre of staff who are not only becoming better equipped and better trained to handle cybersecurity matters but are also quite justified in their vigilance. Data breaches are not a threat that is going away anytime soon, and it makes sense that a historically capable, creative and industrious government agency like the SEC is so willing to take them on.
So from where I sit, kudos to the SEC for the double whammy of Sweep #2 and R.T. Jones. Although occasionally carelessly pushing the outer edges of the envelope (see Ray Dirks and Mark Cuban), for the most part the SEC has a rich history of tackling tough and emerging capital market threats with vigor, thoughtfulness, alacrity and optimism, something we all could use a shot of every now and then.