The U.S. Securities and Exchange Commission (SEC) recently announced it was levying a series of sanctions against eight registered advisory firms for failures in their cybersecurity policies and procedures.
According to the SEC, the failures led to pernicious “email account takeovers” exposing the personal information of thousands of customers and clients at each firm. The SEC says the eight firms, some of which operate collectively, have agreed to settle the charges, together paying $750,000 to settle the matter without formally admitting fault or wrongdoing.
The SEC’s order against one of the entities alleges that, between November 2017 and June 2020, cloud-based email accounts of more than 60 firm personnel were taken over by unauthorized third parties, resulting in the exposure of personally identifying information (PII) of more than 4,000 customers. According to the SEC, none of the taken-over accounts were protected in a manner consistent with the registered firm’s stated policies and procedures.
In a new interview convened to discuss the sanctions and the SEC’s expanding focus on connected issues, two expert attorneys with Baker McKenzie—Peter Chan and Valerie Mirko—say the ball is just getting rolling when it comes to SEC enforcement actions related to cybersecurity failures. Chan is a member of Baker McKenzie’s North American Financial Regulation and Enforcement Practice who spent 20 years working in senior enforcement roles at the SEC, and Mirko was general counsel at the North American Securities Administrators Association (NASAA) prior to joining Baker McKenzie.
Notable to the dialogue, presented in summary below, is the fact that Chan served as assistant regional director in the SEC’s Chicago regional office, where he led investigations and litigations of high-profile enforcement cases. Additionally, as the head of the Municipal Securities and Public Pensions Unit at the SEC’s Chicago office, he oversaw cases involving municipalities and public pensions throughout the Midwest, including disclosure failures by states, cities and underwriters in municipal bond offerings; pay-to-play and public corruption; and securities fraud victimizing municipalities and public pensions. For her part, Mirko’s prior experience includes providing advice on, among other areas, the SEC Regulation Best Interest (Reg BI) rule set, the fiduciary duty/standards of care, Employee Retirement Income Security Act (ERISA) pre-emption, retail enforcement issues, investment adviser oversight and data privacy.
PLANADVISER: Before we examine the SEC’s cybersecurity enforcement, can you both please comment on the agency’s activities during the early days of the Biden administration and under the leadership of the new SEC Chair Gary Gensler?
Peter Chan: So far, we are largely seeing what we expected in terms of elevated enforcement activity. Since Labor Day, in fact, it seems that SEC enforcement actions have picked up even more significantly.
When you think back to the prior administration, there was significant enforcement activity as well, much of it focused on retail investors. Under the new chair, Gary Gensler, I think we have seen the enforcement focus become somewhat stronger, but also broader. Our sense is that the policy focus and boundaries are broadening, for example in terms of cybersecurity, but also in terms of, as another example, reviewing the regulation of digital assets in a potentially very aggressive way. I also think that, as Chair Gensler has mentioned directly, the SEC is not going to shy away from addressing big market structure issues—and using enforcement as opposed to merely guidance to do so.
Valerie Mirko: I agree with that. The SEC’s mission has been pretty stable for the past several administrations, with the focus on protecting retail investors. Of course, there is always some change in the types of enforcement cases that ultimately are pursued.
PLANADVISER: What do you make of the SEC’s recent enforcement actions that focused on cybersecurity failures—and, specifically, the use, or lack of use, of multifactor authentication?
Mirko: The three enforcement actions that came out at the end of August have already been coming up a lot in our discussions with clients. One practical takeaway is that the SEC has signaled an expectation that multifactor authentication, or ‘MFA,’ should probably be in place for email accounts operated by registered entities. The assumption is that these are email accounts being operated by people who are likely going to have access to sensitive information, so the SEC believes MFA should be in place as a matter of course.
In a way, this is a departure from earlier SEC cases, which focused much more on the lack of stated cybersecurity policies and procedures. The current enforcement actions are actually looking closely at the content and execution of the stated procedures. For example, if you say in your procedures that you use MFA and in practice you do not, that is automatically an issue. Or if a firm had a third-party account takeover and it turns out its policy did not address using MFA, that’s a problem.
Chan: I would just add that MFA is expected, we can say, but it’s not enough and it’s not the end of cybersecurity innovation. Both Valerie and I know from prior experience that the SEC, as a regulator, is careful about making absolute policy prescriptions. In this case, there is a strong endorsement of MFA, but the bigger message is that advisers and others who have a duty to protect customer information are expected to evolve and to be fully caught up with the latest types of attacks and the latest types of protection. We need to be careful and note that the SEC is promoting best practices that are currently considered to be reasonable and effective. Three to five years from now, MFA might not be enough, and the SEC’s view on reasonableness will have evolved.
Focusing on the protection of information is the key here. For the SEC to sanction eight firms and to announce it in one press release, it is sending a message. Advisers must be alert to the changing cybersecurity environment.
PLANADVISER: Does it make sense for firms to be trendsetters in this area? For example, would a firm want to explore relatively novel security technologies such as voice print authentication or facial recognition?
Chan: I don’t know that I would go as far as recommending any specific technology like voice or face recognition. What we can say is that, from a regulatory hygiene perspective, it is better for the industry as a whole to lead in terms of answering what is the right approach to cybersecurity—versus having the regulators try to do it. That’s the way it should work best. If the SEC sees that the industry as a whole has taken the lead and is taking cybersecurity seriously, there is going to naturally be less incentive to control and dictate. If the whole industry is not moving forward together, it is inviting regulatory intrusion.
PLANADVISER: And can you share any advice or insight for firms that experience a negative cybersecurity event, such as an email breach or a network intrusion?
Mirko: I think the most important thing for firms to do is to not wait until there is a cyber intrusion to put a response plan in place. This means taking the time and resources to do tabletop exercises and simulations, so that you can have various plans in place to be ready for the different types of cyber intrusions that could occur. I will say that, by and large, the industry has been very forward-thinking in this way. The big challenge, of course, is that businesses evolve, and the threats evolve, so it is always hard to game out everything in advance. There needs to be more of a robust plan in place and better internal coordination compared with what happened at the sanctioned firms.
Chan: ‘Stop the bleeding’ is a piece of guidance that is commonsense but so important. You must figure out what the parameters and scope of the breach are and how to minimize or stop it as soon as possible. This will require having relationships and contacts in place with the right technical resources, attorneys and forensic researchers who you can rely on. You don’t want to spend the first 24 to 48 hours after a major breach asking for names and referrals.
In the recent sanctions, the SEC also cited a failure of adequate and timely disclosures going to clients. Responding to an event like this is not just about informing the regulators. Firms have a duty to tell those who are potential victims what happened, so they will be alert and take steps to protect themselves. By trying to sugarcoat the extent of a breach, you are actually handicapping the client from taking measures to protect themselves.
PLANADVISER: Any other important themes or lessons learned you can share?
Chan: Just having written policies and procedures is not enough. The SEC criticized one of the firms for failing to actually follow existing policies that the SEC otherwise found to be sufficient. Firms should review and operationally confirm that their actual practices are consistent with their written cybersecurity policies. Periodic training and awareness initiatives will also help personnel consistently follow the firm’s written cybersecurity policies.
Mirko: Ensure that statements on cybersecurity incidents are timely but also accurate. The SEC faulted one firm for inadequate compliance in connection with inaccurate statements as to when the firm actually discovered the incidents. Finally, the SEC did not specifically say that its regulations require MFA in all cases, but it made clear its expectations that firms should likely have MFA in place, as it is a reasonable approach to thwart phishing, credential stuffing and other modes of attack. Firms should take steps to assess MFA requirements to protect sensitive client and customer information.