NOTES. Cyber Security

Academic year: 2021

Cyber Security

Cyber incidents can result from deliberate attacks or unintentional events. Cyber attacks include gaining unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, corrupting data, or causing operational disruption. Cyber attacks may also be carried out in a manner that does not require gaining unauthorized access, e.g., the initiation of denial-of-service attacks on websites. Cyber attacks may be carried out by third parties or insiders using techniques that range from highly sophisticated efforts to electronically circumvent network security or overwhelm websites to more traditional intelligence gathering and social engineering aimed at obtaining information necessary to gain access, e.g., “dumpster diving” for password or other security sentinels. The SEC expects that advisers will have compliance policies and procedures that address data protection and identity theft, including service provider oversight by the adviser in these areas. Advisers must acquire, implement, and diligently monitor appropriate resources to both address ongoing cyber security risk sets and the process by which the adviser will deploy a rapid response and notification capability to mitigate the impact of any such attacks and their related effects on fund investors and advisory clients. This must be achieved in congruence with the federal securities laws that address privacy and safeguarding client material nonpublic information and increasingly, those statutes that speak directly to cyber security. Speech, Norm Champ, ICI Mutual Funds Conference (3.17.2014).

When designing and creating a cyber security program, your firm should take an inventory of the assets it is trying to protect (e.g., client data and company records, intellectual property, etc.) and implement controls to protect those assets. It must also be prepared to respond to such attacks in the appropriate ways (e.g., notification protocol vis-a-vis state statutes).

Assessment

Advisers should assume that the risk of a “hacking” or cyber intrusion is relatively high and design policy and procedure with this threat set in mind. Consider the quantitative and qualitative magnitude of those risks were an event to occur (i.e., disaster recovery, reputational risk, legal consequences, etc.). In evaluating whether risk factor disclosure should be provided, you should also consider the adequacy of preventative actions taken to reduce cyber security risks in the context of the industry in which they operate and risks to that security, including threatened attacks of which they are aware.

Prevention

Advisers must manage who has access to their computer and other systems and under what circumstances authorized employees have such access. An anti-virus ring must be maintained around the adviser's assets. This ring should guard against hacking, malware, physical attack and stolen credentials. Qualified third-party experts should be engaged to advise on the particulars of developing and monitoring this anti-virus ring.

Responses

To the extent that the adviser has identified and prioritized the qualitative and quantitative risks attendant to a cyber attack, regulators expect that the firm must have a response when a breach or vulnerability occurs. Patches for the IT architecture should be fully tested (via integration with the BCP) and ready to go. If possible, your firm should implement a system that detects incoming threats and automatically triggers patches.

Mobile Devices and the Cloud

Advisers may permit their personnel to use/access proprietary and client data via mobile devices and cloud networks. If so, this represents an added level of risk to the adviser’s privacy and information safeguarding policy, which, on the basis of establishing risk-based policy pursuant to Rule 206(4)-7, necessitates that the firm develop controls to address the incremental risk this policy entails. Advisers should consider adopting and implementing a “permissible use” policy for electronic communications as part of their compliance policies and procedures. A permissible use policy should set forth, among other things:

• the types of communications that are permitted,

• the types of mobile devices permitted for business use/access to material nonpublic information (i.e., encrypted to specific protocol),

• the social media websites that are permitted,

• recordkeeping requirements for retaining and archiving business communications made on such devices, and

The privacy and security risks associated with mobile devices include:

• Recordkeeping concerns due to the commingling of personal and company email accounts on devices;

• Data breaches resulting from the loss or theft of personal communications devices containing or having access to confidential client data, such as information in corporate email;

• Inadvertent storage of sensitive data on unauthorized computers or servers when devices are configured to back up data to a personal laptop or to the cloud;

• Interception of wireless network communications to and from a mobile device across unsecured wireless access points (e.g., public Wi-Fi hotspots located in many airports). Even wireless networks protected by a password are vulnerable to attack if not properly configured;

• Data leakage concerns involving corporate data stored on a mobile device or accessible via an app on such a device (e.g., Dropbox), and the difficulties in controlling the flow of proprietary company information and intellectual property outside the firm;

• Surveillance obstacles in monitoring compliance on personal devices; and

• Rogue software, apps, spyware, mobile adware (also known as “madware”), viruses, and worms that can infect the device. These threats can compromise not only the device itself, but also can spread to the firm’s corporate network and infect other machines. For example, Apple iPhones running operating system version iOS 6.1.1 were recently vulnerable to exposing access to contacts, calendars, and other information, and to a vulnerability permitting the passcode to be circumvented. As often is the case, these threats can also contribute to data loss or degraded performance of the device.

With respect to your firm’s cyber security policy and security, consider the following:

• Have an action plan (i.e., an escalation and notification protocol) to be implemented immediately in the event of a security breach;

• Have a team already established that can begin to deal with a data breach as soon as it is discovered. Make sure the various constituencies of your company are represented on the team (e.g., management, information security, information technology technical experts, legal, public affairs, business continuity, human resources, compliance, and facilities management);

• Conduct periodic “fire drills” to test the readiness of your company’s data breach policy (it is recommended that this be included in annual test of the adviser’s BCP);

• Review and reassess record/data retention policies and destroy unneeded data if permitted by books and records requirements of applicable statutes and regulations. In order to limit the universe of information that is susceptible to a data breach, consider whether older or unneeded data must continue to be retained. If a computer or other equipment that holds data on a hard drive is being replaced, make sure that such data is completely erased. In reality, the only way to absolutely guarantee that information on a hard drive is unretrievable may be to destroy the hard drive (which may not be practicable);

• Review and reassess your employee education/training programs. Conduct training to make employees aware of the various computer threats so they can be recognized when they occur. Require employees to practice computer security best practices (e.g., use passwords with a mix of uppercase and lowercase letters, numbers, and symbols);

• Review and reassess your company’s business continuity and disaster recovery plans to make sure it covers a cyber attack or other type of computer disruption;

• Review and reassess the data privacy and computer security policies and procedures of your third-party service providers. While the level of detail of review that you apply to a third-party service organization may not be as exacting as it is for your own organization, consider whether you have a high level of confidence that their data privacy and computer security policies and procedures are sufficient for protecting your company’s and your customers’ information;

• Review and reassess service contracts with third-party service providers to ensure that privacy and computer security issues are adequately addressed. Consider whether an amendment to a service contract may be necessary;

• Remotely wiping a lost or stolen device, through either a selective wipe of strictly corporate data or a full wipe of the entire device, restoring it to factory default settings (although wiping an entire device should be done as a last resort, this feature can give compliance personnel peace of mind in knowing that data is less likely to be compromised in the event a device is lost or stolen);

• Review and reassess insurance policies. Confirm whether your company’s insurance coverage includes losses, remediation costs, and litigation costs associated with a data breach, and consider whether such coverage is adequate. Such insurance coverage is evolving, so consider consulting with an insurance broker knowledgeable about the latest policies in the marketplace for the coverage you may need.

Education and Training

The success and efficacy of a cyber security program are directly correlated to the employee training that complements the policy. In this regard, it is posited that the majority of successful cyber attacks are unknowingly abetted by employees. Accordingly, advisers should consider the following policy considerations:

• Restricting installation of certain apps (blacklisting), such as Dropbox, Evernote, iCloud, or apps which your firm has determined are not consistent with its security policy;

• Permitting installation only of certain approved apps (whitelisting);

• Restricting access to certain functions on a device, such as the camera, Bluetooth wireless access, GPS, screen shots, or browser, while connected to the firm’s network;

• Prohibiting non-compliant, “jailbroken,” and non-employee devices from accessing a

• Monitoring which devices are not in compliance with a firm’s policies, such as those that do not have a pass-code set, those that have not upgraded to the latest operating system, and those that contain unauthorized apps;

• Locking down USB ports; and

• Notifying employees whose devices are non-compliant to bring their devices into compliance.

Regulatory Developments

You should keep abreast of regulatory developments related to cyber security. Regulatory expectations for advisers may arise out of actions involving other financial firms.

Gramm-Leach-Bliley Act, Safeguard Rule, and Disposal Rule

Essential privacy rights were conveyed to financial consumers over the past several years, and key among them were the privacy protection provisions of Gramm-Leach-Bliley (GLB). The regulatory implementation of GLB put an affirmative obligation upon advisers to observe and protect non-public personal information (NPPI) and the rights and choices of financial consumers. Effective and appropriate management of NPPI begins with clear and accountable supervision of employees exposed to it both in the workplace and through outside activities.

Safeguard Rule

Rule 30(a) of Regulation S-P (the “safeguard rule”), requires that SEC advisers, among others, adopt policies and procedures to address administrative, technical, and physical safeguards for the protection of customer records and information and protect against the unauthorized access or use of customer information. The SEC amended Rule 30 of Regulation S-P to require that policies and procedures adopted in compliance with the safeguard rule be written to help ensure reasonable protection for customer records and information, and facilitate compliance oversight by SEC examiners.

Disposal Rule

The SEC also adopted amendments that created Rule 30(b) (the “disposal rule”) to implement requirements of section 216 of the Fair and Accurate Credit Transactions Act of 2003, requiring proper disposal of consumer report information and records. The disposal rule requires registered investment advisers, among others, that maintain or possess “consumer report information” for a business purpose to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” In determining what measures are “reasonable” under the disposal rule, the SEC stated in the Proposing Release that it expects firms to consider the sensitivity of the consumer report information, the nature and size of the entity’s operations, the costs and benefits of different disposal methods, and relevant technological changes. The SEC also noted that “reasonable measures” are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training. The Adopting Release included examples intended to provide guidance on disposal measures that would be deemed reasonable under the disposal rule. Regulation S-P generally allows a firm to tailor its policies and procedures to its own system of gathering and transferring information.

Regulation S-AM

Regulation S-AM became effective January 1, 2010. This SEC Rule limits the extent to which certain financial institutions can provide consumer information to affiliates for marketing purposes. Under Regulation S-AM, a covered person is prohibited from using eligibility information that it receives from an affiliate to make a marketing solicitation unless: (1) the potential marketing use of that information has been clearly, conspicuously, and concisely disclosed to the consumer; (2) the consumer has been provided a reasonable opportunity and a simple method to opt out of receiving the marketing solicitations; and (3) the consumer has not opted out.

Here are the highlights of the Rule:

• Applies to brokers, dealers, investment companies, registered investment advisers, and registered transfer agents;

• Limits sharing of “eligibility data” about consumers between affiliates for the purpose of initiating marketing solicitations (eligibility data is information used to identify the consumer as a marketing target, e.g., net worth);

• Requires consumer to be granted an opt-out option before using eligibility information to initiate a marketing solicitation;

• Opt-out notices can be included with existing notice requirements, e.g., a privacy notice.

Regulation S-AM specifies the parameters of compliant opt-out methodologies, including details about the:

• Scope and duration of the opt-out notice;

• Contents of the opt-out notice;

• Definition of reasonable opportunity to opt out;

• Definition of reasonable and simple method of opting out;

• Delivery of opt-out notices;

• Renewal of opt-out elections.

The SEC offers a compliance guide for regulated entities to assess the new Rule and its relevance to their business model. Go to the following link to access the guide and model forms: http://www.sec.gov/divisions/marketreg/tmcompliance/34-60423-secg.htm

State Data Breach Notification Laws

Privacy policies are nothing new to regulated entities; however, it is our experience that compliance programs often lack provisions to manage a security breach, which upon occurrence will significantly flex the registrant’s privacy policy and procedures. Breach provisions are required to meet existing and emergent state regulations. Taking California’s lead, many states have implemented or will soon implement statutes requiring that their residents receive early warning from commercial entities that experience breach of access to the personal information of consumers and customers. Specifically, if the enterprise knows or suspects that the information has been divulged to (hacked by) unauthorized parties, the enterprise is required to notify the consumer or customer so the latter may take appropriate steps to mitigate or correct the risk attendant to the privacy breach.

Privacy policy should incorporate breach event management and notification accordingly. The CCO is encouraged to oversee policy formulation which takes the following steps, at a minimum:

• Define the threshold for reporting a possible or real security breach;

• Clearly articulate the steps to be taken by all parties when reporting and escalating a breach;

• Ascertain the geographic residence of all victims of the breach;

• Cross reference state law with geographic analysis to ensure that the enterprise response meets all applicable requirements within every state where residents are impacted by the enterprise breach;

• Report the security breach to all parties, per state requirements;

• Minimize the risk of future breaches by adding internal controls as necessary;

• Implement the disciplinary policy as necessary to address any employee behavior that may have contributed to the breach;

• Use the event as a training opportunity to reinforce enterprise policy and the negative implications associated with security failures;

• Place security breach testing at the top of the compliance test list and be ever vigilant for risks and gaps in the business processes;

• Add privacy and security protocols to each new business process and partner relationship taken on by the enterprise.

Strong policy and continuous communication and training will go a long way to prevent data leakage and breach. To the extent that a breach does occur, a swift and effective response will help preserve the reputation of the enterprise and minimize regulatory backlash. The website breachprep.org is a good place to start for CCOs in search of state security breach notification laws and related resources.

Privacy Notice

When the Gramm-Leach-Bliley Act (GLB) was passed in 1999, it obliterated the barriers remaining in the commercial and investment banking markets that were instituted with the passage of the Glass-Steagall Act during the Great Depression. As these barriers fell, concern grew regarding the safety and privacy of customer information heretofore largely segregated by the business model in the regulated financial services industry. Regulatory protocol directs advisers in their efforts to safely and effectively leverage non-public personal information of customers (NPI) while preserving the integrity of advisory client NPI. These provisions speak directly to the risk of consumer fraud and identity theft, both federal crimes.

GLB conveys an affirmative obligation upon SEC advisers to observe customer choices regarding the sharing of NPI of customers. Regulation S-P was instituted by the SEC to implement the GLB privacy provisions and prohibits advisers from sharing “retail” customer NPI with non-affiliated third parties unless the firm has provided customers with the ability to “opt out” of the adviser’s privacy policy of sharing customer data. The opt-out is generally provided through an annual privacy notice requirement and a corresponding opt-out notification that must be provided to advisory clients.

The privacy notice must provide information regarding: the types of NPI that the adviser will aggregate and what NPI it may disclose (if any), similar processes for former customers, and how the NPI is protected pursuant to Fair Credit Reporting Act requirements. The adviser must establish clear and conspicuous notices to customers both at the time of establishing a relationship and on an ongoing basis (annual notice) thereafter, including the provision of privacy notices upon demand to consumers (customers and prospects). Many states have additional privacy notice and/or opt-out thresholds that must also be met. Non-SEC registered advisors are required to follow the Privacy Rules of the Federal Trade Commission to the extent that relevant state requirements do not.

The SEC further requires advisers to summarize privacy policies in the ADV Form Part 2.

Implementation Tips

Effective December 31, 2009, the SEC (and other adopting agencies) approved a “model privacy form” that may be utilized by investment advisers and broker-dealers as a safe harbor to provide privacy disclosures. The template may be viewed here: http://www.ftc.gov/os/2007/03/CorrectedNeptuneMarsandGenericFormsfrn.pdf

Summary of Requirements

On April 10, 2013, the SEC voted to adopt rules requiring certain investment advisers to adopt programs to detect red flags and prevent identity theft. The SEC recommends the program include policies and procedures designed to identify relevant types of identity theft red flags; detect the occurrence of those red flags; respond appropriately to the detected red flags; and periodically update the identity theft protection program. The rule also requires staff training on the subject. SEC-regulated investment advisers with “covered accounts” are required to establish an Identity Theft Prevention Program (“ITPP”) that is designed to detect, prevent, and mitigate identity theft. The ITPP must be reasonably and appropriately designed for the size and nature of a particular firm.

Effective Date: May 20, 2013

Compliance Date: November 20, 2013

History

During recent decades, the federal government has taken steps to help protect individuals, and to help individuals protect themselves, from the risks of theft, loss, and abuse of their personal information. The Fair Credit Reporting Act of 1970 (“FCRA”), as amended in 2003, required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”).

In 2010, the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”) amended the FCRA to add the CFTC and SEC to the list of federal agencies that must jointly adopt and individually enforce identity theft red flags rules.

Who Is Subject to Rules?

The final rules apply to “financial institutions” and “creditors” subject to the Commissions’ respective enforcement authorities and do not exclude any entities registered with the Commissions from their scope. By way of illustration, the types of entities listed by name in the scope section are the registered entities regulated by the SEC that are most likely to be financial institutions or creditors, i.e., brokers or dealers (“broker-dealers”), investment companies, and investment advisers.

Financial Institution

A financial institution includes certain banks and credit unions, and “any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.”

A “transaction account” includes an “account on which the ... account holder is permitted to make withdrawals by negotiable or transferable instrument, payment orders of withdrawal, telephone transfers, or other similar items for the purpose of making payments or transfers to third persons or others.” Section 603(c) of the FCRA defines “consumer” as an individual; thus, to qualify as a financial institution, an entity must hold a transaction account belonging to an individual.

The following are illustrative examples of an SEC-regulated entity that could fall within the meaning of the term “financial institution” because it holds transaction accounts belonging to individuals:

i. a broker-dealer that offers custodial accounts;

ii. a registered investment company that enables investors to make wire transfers to other parties or that offers check-writing privileges; and

iii. an investment adviser that directly or indirectly holds transaction accounts and that is permitted to direct payments or transfers out of those accounts to third parties.

Investment advisers who have the ability to direct transfers or payments from accounts belonging to individuals to third parties upon the individuals’ instructions, or who act as agents on behalf of the individuals, are susceptible to the same types of risks of fraud as other financial institutions, and individuals who hold transaction accounts with these investment advisers bear the same types of risks of identity theft and loss of assets as consumers holding accounts with other financial institutions.

For instance, even if an investor’s assets are physically held with a qualified custodian, an adviser that has authority, by power of attorney or otherwise, to withdraw money from the investor’s account and direct payments to third parties according to the investor’s instructions would hold a transaction account. However, an adviser that has authority to withdraw money from an investor’s account solely to deduct its own advisory fees would not hold a transaction account, because the adviser would not be making the payments to third parties.

Registered investment advisers to private funds also may directly or indirectly hold transaction accounts. If an individual invests money in a private fund, and the adviser to the fund has the authority, pursuant to an arrangement with the private fund or the individual, to direct such individual’s investment proceeds (e.g., redemptions, distributions, dividends, interest, or other proceeds related to the individual’s account) to third parties, then that adviser would indirectly hold a transaction account.

Creditor

The Commissions’ final definition of “creditor” is a person that regularly extends, renews or continues credit, or makes those arrangements, that “regularly and in the course of business … advances funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.” The FCRA excludes from this definition a creditor that “advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person ….”

An investment adviser could potentially qualify as a creditor if it “advances funds” to an investor that are not for expenses incidental to services provided by that adviser. For example, a private fund adviser that regularly and in the ordinary course of business lends money, short-term or otherwise, to permit investors to make an investment in the fund, pending the receipt or clearance of an investor’s check or wire transfer, could qualify as a creditor.

Definition of Covered Account

Under the final rules, a financial institution or creditor must establish a red flags Program if it offers or maintains “covered accounts.” As in the proposed rules, the Commissions are defining the term “covered account” in the final rules as: (i) an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions; and (ii) any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.

The CFTC’s definition includes a margin account as an example of a covered account. The SEC’s definition includes, as examples of a covered account, a brokerage account with a broker-dealer or an account maintained by a mutual fund (or its agent) that permits wire transfers or other payments to third parties.

The Commissions are defining an “account” as a “continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes.”

Footnote: To be a financial institution, an entity must hold a transaction account with at least one “consumer” (defined as an “individual” in 15 U.S.C. 1681a(c)). However, once an entity is a financial institution, it must periodically determine whether it offers or maintains “covered accounts” to or on behalf of its customers, which may be individuals or business entities. Although the definition of “customer” is broad, not every account held by or offered to a customer will be considered a covered account, as the identification of covered accounts under the identity theft red flags rules is based on a risk-based determination.

Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this periodic determination, a financial institution or creditor must conduct a risk assessment that takes into consideration: (1) the methods it provides to open its accounts; (2) the methods it provides to access its accounts; and (3) its previous experiences with identity theft. A financial institution or creditor should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with accounts it offers or maintains that may be opened or accessed remotely or through methods that do not require face-to-face contact, such as through email or the Internet, or by telephone. In addition, if financial institutions or creditors offer or maintain accounts that have been the target of identity theft, they should factor those experiences into their determination. The Commissions acknowledge that some financial institutions or creditors regulated by the Commissions do not offer or maintain accounts for personal, family, or household purposes, and engage predominantly in transactions with businesses, where the risk of identity theft is minimal. A financial institution or creditor that initially determines that it does not need to have a Program is required to periodically reassess whether it must develop and implement a Program.

Alternatively, the financial institution or creditor may determine that only a limited range of its accounts present a reasonably foreseeable risk to customers, and therefore may decide to develop and implement a Program that applies only to those accounts or types of accounts.

Other Interesting Provisions

Approval of Program

The final rules provide direction to financial institutions and creditors regarding the administration of Programs as a means of enhancing the effectiveness of those Programs. First, the final rules require that a financial institution or creditor obtain approval of the initial written Program from either its board of directors, an appropriate committee of the board of directors, or if the entity does not have a board, from a designated senior management employee. This requirement highlights the responsibility of the board of directors in approving a Program. The designated senior management employee who is responsible for the oversight of a broker-dealer’s, investment company’s or investment adviser’s Program may be the entity’s chief compliance officer.

Five Categories of Red Flags to Consider

Section II(c) of the guidelines identifies five categories of red flags that financial institutions and creditors must consider including in their Programs, as appropriate:

• Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;

• Presentation of suspicious documents, such as documents that appear to have been altered or forged;

• Presentation of suspicious personal identifying information, such as a suspicious address change;

• Unusual use of, or other suspicious activity related to, a covered account; and

• Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.

Oversight of Service Provider Arrangements

Section VI(c) of the guidelines provides that whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. ... Section VI(c) of the guidelines also includes, as an example of how a financial institution or creditor may comply with this provision, that a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider’s activities, and either report the red flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft. In those circumstances, the Commissions expect that the contractual arrangements would include the provision of sufficient documentation by the service provider to the financial institution or creditor to enable it to assess compliance with the identity theft red flags rules.

Appendix A

Appendix A to Subpart C of Part 248—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

The Adopting Release Appendix A (pages 105-115) offers practical guidance about implementing your program and is worth reading.
