Practical Tips for SEC Cybersecurity Exams

Completely insulating a business from cybersecurity risk is probably a pipedream in the modern world, but retirement plan advisers will be on the hook if, or when, a client data breach occurs.

It’s hard to grasp the sheer scope of cyber risk exposure in the financial services industry, but George Michael Gerstein, associate in the fiduciary responsibility group at Groom Law Group, says advisers can take heart from the fact that the Securities and Exchange Commission (SEC) has been clear about what security measures it expects.

“One important step in understanding the SEC’s stance on cybersecurity is to carefully review the appendix to the 2015 Risk Alert publication from the Office of Compliance Inspections and Examinations [OCIE], which summarizes quite nicely their ongoing cybersecurity initiative,” Gerstein tells PLANADVISER. “The appendix pretty much gives a play-by-play for how advisers should be dealing with cybersecurity issues.”

Because of the rapidly changing nature of cyber threats, Gerstein says the OCIE will clearly continue to focus on cybersecurity for some time to come, certainly beyond the end of 2015 and the formal examination initiative. If advisers haven’t taken proactive action to batten down the hatches against a cyber breach, now is the time to do so, he suggests.

Another place to look for practical tips and guidance for dealing with SEC cybersecurity reviews is the recent settlement action announced against a St. Louis-based investment adviser. In that case, the adviser agreed to settle various charges, including that it failed to establish required cybersecurity policies and procedures.

According to SEC officials, the failures occurred in advance of a data breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including but not limited to thousands of the firm’s clients. An SEC investigation found that R.T. Jones Capital Equities Management violated basic safeguard rules during a nearly four-year period when it failed to adopt any written policies and procedures to reasonably ensure the security and confidentiality of sensitive client information and protect it from anticipated threats or unauthorized access.

According to the SEC’s order instituting a settled administrative proceeding, R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013. The firm’s web server was subsequently attacked in July 2013 by “an unknown hacker who gained access and copy rights to the data on the server,” rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.”

NEXT: Consider yourself warned 

Gerstein suggests advisers should review the actual cease-and-desist letter from the R.T. Jones case, which is available online “and should be illuminating” for anyone running an advisory practice.

“In the document, the SEC accuses this firm of lacking anything close to adequate controls for a variety of sensitive areas,” he explains. “SEC investigators indicated that there has been no apparent financial loss to the individual clients involved, but they did identify serious shortcomings and found the advisory firm liable for certain damages. None of the particulars should be surprising for those of us who think about this kind of thing regularly.”

Gerstein observes some of the shortcomings cited “are as simple as lacking a sufficient firewall and encryption protocols for sensitive client data.”

“The R.T. Jones case has been the one significant action I have seen at this point,” he explains, “but given the wider trends it is likely this type of regulatory action will increase, I think. The advisory firm community can look to and carefully consider the R.T. Jones matter and the Risk Alert announcing the initiative and get a pretty clear picture of what the SEC expects.”

The SEC appears to be particularly interested in sound vendor management, Gerstein adds.

“For example, the SEC noted in its initial Risk Alert that a lot of the recent cyber issues we have seen have involved third-party platforms and lax vendor management,” he says. “The SEC has stressed they will be looking closely at how advisory firms consider these things.”

Gerstein feels advisers can turn to their existing expertise meeting the requirements of the Employee Retirement Income Security Act (ERISA) for further guidance on meeting cybersecurity risks head on.  

“In the end, cybersecurity exposure is similar to ERISA liabilities in that you can’t just expect to hire someone and then wash your hands of liability because you put them in charge of certain money or data,” Gerstein concludes. “If you would otherwise have to do something and you delegate that work to someone else, you are still responsible for choosing an appropriate partner and monitoring that partner."