Brokers and Investment Advisers Will be Examined on Information Technology Asset Management
By: Matt MacLean
This white paper was also published on Cascade Asset Management's web site.
Executive Summary:
Responding to a string of recent high-profile electronic data breaches, the Securities and Exchange Commission (“SEC”) issued a Risk Alert regarding its focus on cybersecurity. As proof of its heightened interest in cybersecurity matters, the SEC included a seven-page sample document request, a rare move for the regulator, consisting of twenty-eight comprehensive questions for broker-dealers and investment advisers. Among other things, the questions cover Information Technology Asset Management (“ITAM”), including network maps, logging capability, and destruction or disposition of equipment. Regulated entities should carefully evaluate existing cybersecurity and ITAM policies and practices in light of the extensive sample requests, making any necessary adjustments in advance of routine regulatory examinations.
Introduction: SEC Focuses on Data Loss
On April 15, 2014, the SEC issued a National Exam Program Risk Alert entitled "Cybersecurity Initiative" (“Risk Alert”).[i] The Risk Alert is the latest in a series of public pronouncements on cyber and data security by the SEC and other financial markets regulators this year. It comes on the heels of the SEC's Cybersecurity Roundtable, at which SEC Chair Mary Jo White underscored the importance of cybersecurity to "the private data of the American consumer" as well as to "the financial markets and other risks."[ii]
In January, the Financial Industry Regulatory Authority (“FINRA”) notified broker-dealers about upcoming assessments of the firms' approaches to managing cybersecurity threats.[iii] In February 2014, the Commodity Futures Trading Commission (“CFTC”) issued a Staff Advisory outlining recommended best practices, including the development and implementation of a written information security and privacy program for futures commission merchants, commodity trading advisers, and other commodity market participants.[iv] With increased focus on cybersecurity from key financial industry regulators, financial services firms must assess their policies and procedures covering cyber and data security, including their Information Technology (“IT”) hardware assets.
Financial Industry Technology Landscape
As with all industries, the financial services industry’s technology landscape is steadily evolving. Companies increasingly rely on IT services to add value and grow their businesses. Whether through the use of smartphones, tablets, cloud computing, or paperless office policies, financial firms store an ever-increasing amount of confidential client data digitally. In an environment where financial firms make increasing use of technology and data breaches receive regular news coverage, it is no wonder that regulators are taking a closer look at cybersecurity and ITAM.
SEC Cybersecurity Initiative
As part of its “Cybersecurity Initiative,” the SEC sent extensive cybersecurity document requests to more than 50 registered broker-dealers and registered investment advisers. Although the document requests went to a relatively small set of regulated entities, the SEC intended the Risk Alert to provide to others in the industry “questions and tools they can use to assess their firms’ level of preparedness.”[v] In other words, the SEC is telling all registered firms they should be taking steps now to assess and upgrade their data security infrastructure, policies, and procedures.
The SEC’s National Examination Program routinely examines registered broker-dealers and registered investment advisers, with many private equity funds and hedge funds added to the mix as a result of the registration requirements imposed by the Dodd-Frank Act of 2010. Despite ever-increasing media focus on data loss, 2014 marks the first time the SEC cited “cybersecurity” as an examination focus area.
According to the Risk Alert, the SEC’s initiative is “to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.”[vi] In a rare move, the SEC included a sample questionnaire, giving all regulated firms an idea of the areas the SEC believes are crucial to its view of cybersecurity preparedness. The SEC believes that the sample questionnaire will assist compliance professionals in the industry and may be used to make appropriate changes to address and strengthen firms’ risk management systems.
The questionnaire, which contains twenty-eight questions, covers a broad range of cybersecurity issues. Unlike the prior general pronouncements from the CFTC and FINRA, the SEC provided specific topics that should be considered by the firms under its authority. The topics on the SEC’s list include: (1) inventories of physical IT assets; (2) written information security plans; (3) risk assessments regarding physical security threats and vulnerabilities; and (4) management of IT assets through removal, transfer, and disposition.[vii]
Focus on Physical Assets
Unlike prior pronouncements from other regulators, the Risk Alert includes questions related to the physical security of IT assets. Increased focus on physical asset security makes sense in light of the Verizon 2014 Data Breach Investigations Report, which reported “lost or stolen assets” as “among the most common causes of data loss/exposure.”[viii] Indeed, the Verizon report specifically cites disposal of IT assets as a key control mechanism, making the ITAM practices of registered firms a crucial part of data security compliance.
Recent events have shown that the cybersecurity threat is real. Data loss comes at a high price in terms of real dollars lost, money spent on litigation, and the loss of investor and market confidence. The SEC has not updated Regulation S-P, its principal privacy and security regulation, since an interim rule was issued in 2008. Given the SEC’s new focus on cybersecurity and ITAM, additional regulation in this area would not be unexpected. Whether or not the SEC’s heightened interest in cybersecurity results in specific rule changes, firms and companies regulated by the SEC that have not implemented cybersecurity and ITAM programs should begin the process. Those that have programs in place should review them in light of the SEC’s demonstrated interest and the guidance already issued by other financial regulators.
Proper IT Asset Management Procedures Are Critical
As a result of the increased focus on data loss and cybersecurity, the financial industry is moving quickly to implement changes in data security policies and procedures, placing an increased burden on already stretched compliance resources. Since 2006, broker-dealers and investment advisers have been forced to expend more money and resources on compliance matters. Now those compliance matters increasingly overlap with IT. IT resources and personnel often serve as the backbone of a firm, maintaining the disaster response plans that protect against the debilitating impact of IT failures. As IT resources are asked to devote even more attention to compliance matters, however, there is a risk that they become strained.
Of course, the integrity of customer data is a top priority for regulated entities. IT managers and other compliance personnel will need to ensure they have the right tools in place to support the complex infrastructure required to design, build and run the applications and databases. Also necessary is an ITAM program to protect and safely retire IT hardware assets.
When examining potential cybersecurity failure points, the traditional focus has been network security or encryption, with keyboard security gaining attention. While these approaches are certainly important and may prevent data hacking, a surprising number of firms ignore the tremendous risk inherent when taking IT resources out of service. All the protective measures in the world can be completely undone by a poorly secured end-of-life program, where hard drives and other IT hardware components containing vast amounts of confidential data are removed from service. Whether companies choose destruction or recycling for their ITAM programs, they must be mindful of protecting their clients’ data. As discussed in the Verizon report, this stage is often the weak link in the data-security chain, and situations such as these open the door to a serious security breach.
Conclusion: Preparation is Key
In 2013, the average cost of a data breach in the United States rose to $5.8 million—an 8 percent increase over 2012.[ix] Thus, not only are data breaches devastating to a company’s reputation, but they are also expensive. In order to prevent third-party data breaches, and to satisfy the SEC’s new focus on cybersecurity, companies must ensure all phases of their data security procedures are sound and that their partner organizations take data security seriously.
While these data breaches all have significant costs, the real cost is the damage to a company’s reputation. Once a client’s trust in a financial firm is broken, the damage may be permanent. Moreover, a breach can lead to embarrassing public relations incidents and legal proceedings. Given the high sensitivity of client information held by broker-dealers and investment advisers, customers and regulators hold companies responsible for data security failures. Customers expect higher security standards because they are aware of the negative implications that a security breach has for their personal information. Thus, broker-dealers and investment advisers must undertake a top-to-bottom review of their cybersecurity policies and procedures, from network protection, to keyboard-level security, to ITAM programs.
About the Author
Matt MacLean earned a Doctor of Jurisprudence from Vanderbilt University School of Law and a Bachelor of Arts from St. Norbert College. He was a partner with a large Milwaukee, Wisconsin law firm before becoming Chief Compliance Officer for an SEC-registered investment management firm. Matt also helped co-found BrickStix LLC, where he served as Director of Business Development. Matt recently joined Cascade Asset Management, LLC, where he works in business development.
[i] OCIE Cybersecurity Initiative, National Exam Program Risk Alert Vol. 4 Issue 2, p. 1 (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
[ii] Webcast of the March 26, 2014 Cybersecurity Roundtable, available at http://www.sec.gov/spotlight/cybersecurity-roundtable.shtml.
[iv] CFTC, Division of Swap Dealer and Intermediary Oversight, Staff Advisory No. 14-21 (Feb. 26, 2014), available at http://www.cftc.gov/ucm/groups/public/@lrlettergeneral.documents/letter/14-21.pdf.
[v] OCIE Cybersecurity Initiative, p. 2.
[vi] Id.
[vii] Id. at App. pp. 1-3.
[viii] Verizon 2014 Data Breach Investigations Report p. 27, available at www.verizonenterprise.com/DBIR/2014/.
[ix] Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis, pp. 5-6, available at http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.