The regulation of cybersecurity in the US
Mark Amorosi and partners, K&L Gates, New York, 23 June 2015
Cybersecurity is high on the Securities and Exchange Commission’s radar screen this year, by its own admission. With this in mind, the New York law firm of K&L Gates looks at the regulator's growing concern with the problem and summarises the rules and guidance.
It was in 2011 that the SEC's Division of Corporation Finance published guidance which contained its views regarding disclosure obligations relating to cybersecurity risks and cyber incidents. In March 2014 it hosted a 'round-table event' at its headquarters in Washington, DC, to discuss cybersecurity and the issues and challenges it raised for market participants and public companies, and how they were addressing those concerns. The SEC's Office of Compliance Inspections and Examinations, which acts as its 'eyes and ears', issued a Sweep and Risk Alert (2014/15) on the subject that year and in its list of priorities for 2015 stated: “Last year, we launched an initiative to examine broker-dealers’ and investment advisors’ cybersecurity compliance and controls. In 2015, we will continue these efforts and will expand them to include transfer agents.” SEC staff have also made numerous references to the subject recently. Lastly, on 28 April this year, the Investment Management division of the SEC published a guidance update, more of which later.
Overview of the SEC regulations
Under the SEC’s Regulation S-P, firms are required to have policies and procedures to deal with the protection of customers' information and records. This includes protection against any anticipated threats or hazards to the security or integrity of customers' records and information and against unauthorized access to or use of customers' records or information. Rule 30 of that regulation, known as the 'safeguard rule', requires each firm to set up written policies and procedures to protect customers' records and information administratively, technically and physically. They must be designed reasonably to:
- ensure security and confidentiality;
- protect against anticipated threats or hazards to the security or integrity of the information; and
- stave off unauthorized access that could harm or inconvenience the customer to a significant extent.
The Dodd-Frank Act obliges the SEC and CFTC to prevent identity theft, so in 2013 they jointly adopted Regulation S-ID (Identity Theft Red Flags). This obliges firms to formulate programmes to detect, prevent and mitigate identity theft if they run certain types of accounts for clients. In the case of SEC-regulated entities, this includes broker-dealers, investment companies and investment advisors.
Then we come to IAA Rule 206(4)-7 and ICA Rule 38a-1 (Compliance Rules). Together they apply to registered investment advisers and registered funds. Cybersecurity compliance policies and procedures that address requirements under the federal securities laws should be included in compliance programmes and evaluated as part of an annual review, which should include risk assessments, policy and procedure reviews, and service provider reviews.
Rule 206(4)-7 of the Investment Advisors Act requires an investment advisor registered with the SEC to:
- write and follow policies and procedures reasonably designed to prevent violations of the federal securities laws;
- revise them each year; and
- designate a chief compliance officer (CCO) to oversee them.
Outsourced CCO arrangements are very common in this area and their influence seems to be increasing. [Editor's note – outsourced CCOs and advisors are now facing Form ADV, books and records charges. An external compliance expert can be named as the CCO on Form ADV and his duties can cover the drafting, maintenance and implementation of the firm’s compliance manual, performing formal, periodic compliance reviews and risk assessments, and training the firm’s staff.]
SEC cybersecurity sweep examinations regarding CCO involvement in cybersecurity have produced some interesting findings. A significant majority of advisory firms assign information security responsibilities to chief technology officers (CTOs) or to other senior officers, including Chief Compliance Officers, to liaise with third-party consultants who are responsible for cybersecurity. Only 30% of the examined advisers have a chief information security officer.
CCO duties entail liabilities. SEC Enforcement Director Andrew Ceresney, in a keynote address at “Compliance Week 2014” (20 May, 2014), said: ‘‘I need to be clear that we have brought – and will continue to bring – actions against legal and compliance officers when appropriate.’’
Rule 38a-1, issued under the Investment Company Act 1940, prohibits investment fund personnel such as officers, directors, employees or advisors from "coercing, manipulating, misleading, or fraudulently influencing" the fund's chief compliance officer. Numerous enforcement actions have indeed been taken against CCOs for a variety of alleged failures, including failures to set up appropriate procedures to remedy risks, and failures to assess the effectiveness of those procedures adequately. Caution is advised here.
Next we come to IAA Rule 204-2(g) and ICA Rule 31a-2(f) (Electronic Recordkeeping Rules). Rule 204-2 (Books and Records To Be Maintained by Investment Advisors) states that every investment advisor registered or required to be registered under section 203 Investment Advisors Act [15 USC 80b-3] should make and keep true, accurate and current various books and records relating to its investment advisory business. (These include a journal or journals, ledgers, a memorandum of each order it has given, its bank statements, copies of bills, financial statements and originals of written communications.)
Part (g) states that such records can be produced or reproduced by photographic film or computer storage medium (and, by extension, in cyberspace/the cloud) and that if they are, the investment advisor should: (i) arrange things so as to permit the immediate location of any particular record, (ii) be ready at all times to provide, and promptly provide, any copy that SEC examiners or other representatives may request, (iii) store separately from the original one other copy of the film or computer storage medium for the time required, and (iv) with respect to records stored on computer storage media, maintain procedures for maintenance and preservation of, and access to, records so as to reasonably safeguard records from loss, alteration, or destruction.
Rule 31a-2(f) under the IC Act, meanwhile, states that investment companies can keep their records on photographic film, magnetic tape, disk, or other computer storage medium. These records are subject to the same requirements as those of hard copy documents and must be available for immediate access and retrieval upon SEC request. ICA Rule 30a-3 (Internal Controls) dictates that registered management investment companies should maintain, and regularly evaluate the effectiveness of, controls and procedures designed to ensure that the information required in filings on Form N-CSR (which is used to send off reports not later than 10 days after the transmission to stockholders of any report that is required to be transmitted to them) is recorded, processed, summarized and reported in a timely fashion.
Disclosure obligations – the SEC's private opinion
The SEC's views on disclosure obligations which it published in 2011 (mentioned earlier) are the nearest it has come to formal rule-making about cybersecurity risks and breaches. [See CF Disclosure Guidance: Topic No. 2: Cybersecurity, Division of Corporation Finance, October 13, 2011.] It states that appropriate disclosures in company annual and quarterly reports may include:
- discussions of aspects of the registrant’s business or operations that give rise to 'material' cybersecurity risks and the potential costs and consequences;
- to the extent the registrant outsources functions that have material cybersecurity risks, descriptions of those functions and how the registrant addresses those risks;
- description of cyber incidents that the registrant has experienced that are 'material,' including costs and other consequences;
- risks related to cyber incidents that may remain undetected for an extended period; and
- descriptions of relevant insurance coverage.
It also states: “We are mindful...that detailed disclosures could compromise cybersecurity efforts – for example, by providing a “roadmap” for those who seek to infiltrate a registrant’s network security – and we emphasize that disclosures of that nature are not required under the federal securities laws.”
The SEC believes that registrants should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky. It invokes Regulation S-K Item 503(c) (which deals with risk factor disclosures to investors generally) and says that cybersecurity risk disclosures to investors must adequately describe the nature of the material risks and specify how each risk affects the registrant.
The paper also contains a little list of types of attack such as unauthorized access to digital systems for purposes of misappropriating assets or sensitive information, the corruption of data, and operational disruption that might happen through denial-of-service attacks on websites. Cyber attacks may be carried out by outsiders or insiders using techniques that range from highly sophisticated efforts to circumvent network security electronically or overwhelm websites to more traditional intelligence-gathering and social engineering aimed at obtaining information necessary to gain access. The objectives of cyber attacks vary widely and include the theft of financial assets, intellectual property, or other sensitive information belonging to registrants, their customers, or other business partners and the disruption of their operations.
If a 'material' (a word that peppers the whole paper) and pending legal proceeding to which a registrant (financial firm) or any of its subsidiaries is a party involves a cyber incident, the SEC believes that that registrant 'may' have to disclose information regarding this litigation in its 'legal proceedings' disclosure. For example, if a significant amount of customer information is stolen, resulting in material litigation, the registrant should disclose the name of the court in which the proceedings are pending, the date instituted, the principal parties to it, a description of the underlying facts and the relief being sought. It goes no farther than the word 'may', however.
Despite the tentative language, it has been said that the SEC's personnel treat this paper as though it were an actual SEC regulation.
Business continuity plans
In a recent risk alert, staff at the SEC's Office of Compliance Inspections and Examinations said that written business continuity plans these days often address the consequences of cyber-attacks or intrusions. Such written policies and procedures, among 82% of broker-dealers and 51% of advisors, discuss the mitigation of the effects of cybersecurity incidents and/or outline plans to recover from such incidents.
SARs
The paper went on to say that 65% of the broker-dealers that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network (FinCEN) in suspicious activity reports or SARs, but only a small number of those firms reported the fraudulent emails to law enforcers or other regulatory agencies (7%). Advisors generally did not report incidents to regulators or law enforcement bodies.
CFTC regulations, part 160.30
Brokers and advisors regulated by the Commodity Futures Trading Commission must also be mindful of 17 CFR 160.30 ("Procedures to safeguard customer records and information," which dates from 2011). This states that every futures commission merchant, retail foreign exchange dealer, commodity trading advisor, commodity pool operator, introducing broker, major swap participant, and swap dealer subject to the jurisdiction of the CFTC must adopt policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information.
FTC enforcement of section 5 FTCA and state regulation
Section 5 Federal Trade Commission Act (15 USC 45) prohibits ‘‘unfair or deceptive acts or practices in or affecting commerce.’’ The prohibition applies to all persons engaged in commerce, including banks.
[Editor's note: Kevin Lacroix of the D&O Diary has written recently that the Federal Trade Commission has been very active in the cybersecurity area, noting: “Historically, the agency has leveraged the FTC Act’s 'deception' prong to challenge allegedly false data security representations made by companies. Up until 2014, all but one cybersecurity civil action brought by the FTC and more than half of FTC data security administrative actions invoked the deception prong. More recently, the FTC has challenged cybersecurity practices under the 'unfairness' prong of s5, developing minimum cybersecurity standards for companies that collect personal information, even in the absence of any allegedly false representations concerning data security.”]
Meanwhile, practically every state in the Union has enacted laws relating to cybersecurity, including information security programme and data breach notification requirements.
The latest Investment Management guidance update
In this update of 28 April 2015, SEC staff identified a number of measures that every advisor and fund may wish to consider in addressing cybersecurity risk, including the following.
- Conduct a periodic assessment of: (1) the information held and systems used by the firm; (2) threats and weaknesses; (3) existing controls; (4) the potential consequences of an incident; and (5) the cybersecurity governance structure.
- Create a strategy designed to prevent, detect and respond to threats, which may include: (1) access and technical network controls; (2) encryption; (3) restricting use of removable storage media and deploying software that keeps an eye out for threats and incidents; (4) data back-up and retrieval; and (5) the development of an incident response plan. The routine testing of strategies could also make any strategy more effective.
- Implement the strategy through written policies and procedures and training.
Implications for compliance programmes and regulatory risk exposure
The update said: “In the staff’s view, funds and advisors should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks….[F]unds and advisors may wish to consider reviewing their operations and compliance programmes and assess whether they have measures in place that are designed to mitigate their exposure to cybersecurity risk.”
The staff stated that compliance policies and procedures could address cybersecurity risks relating to identity theft and data protection (Regulations S-P and S-ID), business continuity and fraud (Codes of Ethics – insider threats), “as well as other disruptions in service that could affect, for instance, a fund’s ability to process shareholder transactions” (Section 22(e) and Rule 22c-1).
* Mark Amorosi is available on +1.202.778.9351 or at mark.amorosi@klgates.com; András Teleki is available on +1.202.778.9477 or at andras.teleki@klgates.com; and Gregory Wright is on +1.202.778.9250 or at gregory.wright@klgates.com. To listen to a recent webinar, go to http://www.klgateshub.com/details/?media=088c47cd-b062-4bcc-ba17-d7b16dcf1274