SEC’s Cybersecurity Playbook
Since beginning its cybersecurity sweeps of broker-dealers (BDs) and investment advisers (IAs) in April 2014[1] and Sept. 15, 2015,[2] the U.S. Securities and Exchange Commission has brought two significant enforcement actions — one in September 2015 against a small investment adviser (the IA), assessing a $75,000 penalty,[3] and one in June 2016 against a large, dually registered broker-dealer investment adviser (the BD/IA), assessing a $1 million penalty.[4] Based on these cases, we can now begin to see the outline of the SEC’s cybersecurity playbook, and it’s not a “silver linings playbook.” In fact, it appears to be more of a “black cloud playbook,” applying a strict liability standard — if a firm has been breached, it appears that the SEC will find that the firm had unreasonable policies and procedures. Outlined below are the contours of the SEC’s cybersecurity playbook, including what’s important to the SEC in pursuing an enforcement action, what’s not important to the SEC and, most important, what firms should consider doing to try to avoid getting a call from the SEC.
What’s Important to the SEC
Whether There Has Been a Breach
So far, the one most important thing to the SEC is whether unauthorized third parties have accessed personally identifiable information (PII). Both of the enforcement actions involved a data breach. For example, in the IA case, an unknown hacker gained access and copy rights to server data, “render[ing] vulnerable to theft” the “PII of more than 100,000 individuals, including thousands of [the IA’s] clients.” In the BD/IA case, a firm employee “misappropriated data regarding approximately 730,000 customer accounts,” including customers’ full names, phone numbers, street addresses, account numbers, account balances and securities holdings. The employee then downloaded the “confidential customer data to his own data storage device.” Later, a third party “likely hacked into the [employee’s] personal server and copied the confidential customer data that [the employee] had downloaded.” Portions of this data were posted to at least three internet sites along with “an offer to sell a larger quantity of stolen data in exchange for payment in speedcoins, a digital currency.” In both cases, PII had been accessed but no information (as far as we know) was used to harm customers and clients.
In the future, it is possible that the SEC could begin to bring cases that do not involve breaches. For example, the SEC could bring an enforcement action where a firm did not comply with Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)), which requires firms to have policies and procedures to address protection of customer records and information,[5] regardless of whether a breach occurred. Indeed, the SEC has brought enforcement cases against firms in other contexts simply because the SEC found fault with the firm’s procedures. For example, in November 2011, the SEC charged three IAs with failing to put into place compliance procedures designed to prevent securities law violations without specifically alleging harm to investors.[6] According to the SEC’s press release for those cases, they stemmed from an initiative “to proactively prevent investor harm by working closely with agency examiners to ensure that viable compliance programs are in place at firms. Investment advisers are required by law to adopt and implement written compliance policies and procedures. When SEC examiners identify deficiencies in a firm’s compliance program, those deficiencies need to be corrected before they lead to other securities law violations that could harm investors.”
Whether the Firm Has Implemented Best Practices
The SEC has sanctioned firms for not implementing best practices. (As discussed below in more detail, the SEC has not considered whether those best practices could have prevented a breach.) Among the best practices cited by the SEC in the two orders are the following:
Periodic risk assessments;
A firewall;
Encryption;
Procedures for responding to a cybersecurity incident;
Auditing or testing authorization to access PII; and
Monitoring user activity to identify any unusual or suspicious patterns.
What’s Unimportant to the SEC
Whether There’s Been an Actual Harm to Investors
In both cases, there was no evidence that the “bad guys” used the personal information to cause harm to customers and clients. In the case against the IA, as of the date of the settlement, “the firm ha[d] not learned of any information indicating that a client has suffered any financial harm as a result of the cyber attack.” Similarly, in the case against the BD/IA, while PII had been accessed, the SEC did not allege that the information was used to harm customers and clients.
These cases stand in stark contrast to other enforcement cases in which customers suffered actual harm. For example, in September 2008, the SEC brought a case against a firm in which hackers gained access to an online trading platform and placed or attempted to place 209 unauthorized trades worth more than $700,000 in 68 customer accounts.[7] The firm had known that it had insufficient security controls to safeguard customer information at its branch offices, yet the firm failed to implement adequate controls, including developing a customer information policy for employees and branch-registered representatives and evaluating security controls, leaving customer information vulnerable to unauthorized access.
Similarly, in September 2009, the SEC brought an enforcement action against a firm that was hacked by an intruder through a computer virus.[8] The intruder accessed a list of 368 customer accounts and entered purchase orders before the activity was detected. This hack may have been prevented if the firm required (rather than merely recommended) that its registered representatives maintain antivirus software on their computers.
In contrast, in private data breach lawsuits, a key issue has been whether plaintiffs suffered actual harm. Indeed, plaintiffs have often faced difficulties showing standing under Article III of the Constitution for their cases to proceed. To withstand a motion to dismiss based on standing, plaintiffs must show an injury that is: (1) concrete, particularized and actual or imminent;[9] (2) fairly traceable to the challenged action; and (3) redressable by a favorable ruling.[10] Where plaintiffs’ data have not been obviously misused following a breach, “the vast majority of courts have held that the risk of future identity theft or fraud is too speculative to constitute an injury in fact ....”[11]
What the Firm Did After the Breach
Often, the SEC considers what a firm did after it discovered an issue in determining whether to pursue an enforcement action.[12] In both of the cybersecurity enforcement actions, the firms immediately responded with extraordinary measures after discovering the breach — yet the SEC still brought enforcement actions.
For example, after the breach, the IA took the following extraordinary steps:
Upon discovery of “a potential cybersecurity breach,” the IA promptly retained more than one cybersecurity consulting firm to confirm the attack and assess the scope of the breach.
After those consulting firms “could not determine the full nature or extent of the breach,” the IA “soon” afterwards retained another cybersecurity firm to review the initial findings and “independently assess the scope of the breach.”
Shortly after the breach, the IA provided notice of the breach to “all of the individuals whose PII may have been compromised” (emphasis added) and offered them free identity monitoring through a third-party provider.
According to the order, the IA also took the following “remedial efforts” to “mitigate against any future risk of cyber threats”:
Appointed an information security manager to oversee data security and protection of PII;
Adopted and implemented a written information security policy;
Stopped storing PII on its web server;
Encrypted any PII stored on its internal network;
Installed a new firewall and logging system to prevent and detect malicious incursions; and
Retained a cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
Similarly, the BD/IA “promptly” undertook the following “remedial” efforts, which the commission considered in determining to accept the settlement:
Discovered the data breach through a routine internet sweep, learning that certain data had been posted to at least three internet sites, purportedly for sale to a third party;
Promptly took steps to remove this data from the internet;
Identified the employee as the likely source of the data breach and later interviewed him;
Notified law enforcement and other authorities; and
Notified customers impacted by the data breach.
While the SEC stated that it took into account each firm’s remedial efforts, the SEC nonetheless brought enforcement actions despite these extraordinary steps. Before these cases, one could plausibly have expected the SEC to exercise prosecutorial discretion and decline to bring an enforcement action where a breach resulted in no harm and the firm self-reported, remediated and cooperated with the staff.
Whether the Purported Failures Caused, or Different Procedures Would Have Prevented, the Breach
In both cases, the SEC alleged that the firms violated Rule 30(a) of Regulation S-P because each firm failed to take certain steps. However, the orders failed to allege that lack of these policies or procedures led to the breach or, conversely, that if the firms had instituted these policies and procedures, then the breaches would not have occurred. In contrast, when other firms have been charged for failing to have reasonable policies and procedures, those policies and procedures often directly relate to the conduct that harmed investors or the marketplace. For example, in one enforcement action, the SEC stated that the firm’s failure to adopt and implement written compliance policies and procedures reasonably designed to prevent violations of the Investment Advisers Act of 1940 “resulted in” the firm’s “engaging in hundreds of principal transactions with its advisory clients’ accounts without making the proper disclosures and obtaining consent in violation of Section 206(3) of the Advisers Act.”[13]
Here, the two SEC orders failed to connect the breaches with the firms’ purported failures to adopt and implement policies and procedures. For example, the order against the IA provides “examples” of policies and procedures that the firm did not have. These policies and procedures are simply a list of certain “best practices” that are not mandated by Rule 30(a). The SEC made no attempt to assert that if the IA had those policies, then the breach would not have occurred. The following are the SEC’s “example[s]” of the types of policies and procedures that the IA did not have in place “for protecting its clients’ information”:
Periodic risk assessments;
A firewall to protect the web server containing client PII;
Encryption of client PII stored on that server; and
Procedures for responding to a cybersecurity incident.
The SEC could have easily listed dozens of other “best practices,” including timely application of security patches, testing and validating software updates on a test server, requiring dual-factor authentication to access administrative functions on the server, mandating strong passwords, implementing intrusion detection software, implementing data exfiltration monitoring and prevention software, keeping detailed logs of security-related events, and periodically reviewing those logs. It is unclear why the SEC’s order listed certain practices but ignored others (when none of them is connected to the breach).
The order against the BD/IA acknowledged that the BD/IA had many policies and procedures (which, presumably, were reasonably designed to prevent breaches), including the following:
“[C]ertain policies and restrictions with respect to employees’ access to and handling of confidential customer data available through” the firm’s “portals,” which were web applications residing on the firm’s intranet that enabled certain employees to run reports that retrieved and organized customer data from underlying databases;
Written policies, including a code of conduct, that prohibited employees from accessing confidential information other than what the employees had been authorized to access to perform their responsibilities; and
Technology controls that, among other things, restricted employees from copying data onto removable storage devices and from accessing certain categories of websites.
Despite these apparently reasonable policies and procedures, a breach occurred, and therefore the SEC looked for, and found, some things about which to criticize the firm. For example, the SEC alleged that the firm:
“[F]ailed to conduct any auditing or testing of the authorization modules for the Portals at any point since their creation at least 10 years ago” and that “[s]uch auditing or testing would likely have revealed the deficiencies in these modules”; and
Did not monitor user activity to identify any unusual or suspicious patterns.
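The two gaps the order cites against the BD/IA, an untested authorization module and no monitoring of user activity, are the kind of controls a firm can check mechanically. The following is an added illustration written for this article, not code from either SEC order or either firm. It assumes a constructed assignment table (which employee may service which customer accounts), a deliberately lax authorization check alongside a correct one, and a handful of constructed portal access log lines; the audit routine lists every (user, account) pair the module permits that the assignment table does not, and the monitor flags any user whose distinct-account reach in one day exceeds a threshold that is likewise an assumption.

```python
"""Added example (not from the SEC orders): audit a portal authorization
module against an assignment table, and monitor portal logs for users whose
daily account reach is unusual. Users, accounts, log lines and the threshold
are all constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed assignment table: which customer accounts each employee may service.
ASSIGNMENTS = {
    "alice": {"ACCT-0001", "ACCT-0002"},
    "bob": {"ACCT-0003"},
}
ALL_ACCOUNTS = {"ACCT-0001", "ACCT-0002", "ACCT-0003", "ACCT-0004"}


def lax_check(user, account):
    """Constructed flawed module: only confirms the account exists, ignoring the user."""
    return account in ALL_ACCOUNTS


def strict_check(user, account):
    """Correct module: the user must be assigned to the account."""
    return account in ASSIGNMENTS.get(user, set())


def audit_authorization(check, assignments, all_accounts):
    """Return every (user, account) pair the module allows but the assignment table forbids.

    An empty list means the module agrees with the table for all unassigned accounts.
    """
    violations = []
    for user, allowed in assignments.items():
        for account in sorted(all_accounts - allowed):
            if check(user, account):
                violations.append((user, account))
    return violations


# Constructed portal access log format (assumption): one report request per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) report=(?P<report>\S+) account=(?P<account>\S+)$"
)

SAMPLE_LOG = [
    "2016-06-01T09:12:44 user=alice report=account_summary account=ACCT-0001",
    "2016-06-01T09:15:02 user=alice report=account_summary account=ACCT-0002",
    "2016-06-01T10:01:10 user=bob report=holdings account=ACCT-0003",
    "2016-06-01T10:01:11 user=bob report=holdings account=ACCT-0004",
    "2016-06-01T10:01:12 user=bob report=holdings account=ACCT-0001",
    "2016-06-01T10:01:13 user=bob report=holdings account=ACCT-0002",
    "2016-06-01T10:01:14 user=bob report=holdings account=ACCT-0005",
    "this line is malformed and must be skipped, not crash the monitor",
]


def parse_log(lines):
    """Parse log lines into dicts; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["day"] = datetime.fromisoformat(rec["ts"]).date()
        records.append(rec)
    return records


def flag_unusual_users(records, max_accounts_per_day=3):
    """Return {user: peak distinct accounts in one day} for users over the threshold."""
    reach = defaultdict(set)
    for rec in records:
        reach[(rec["user"], rec["day"])].add(rec["account"])
    flagged = {}
    for (user, day), accounts in reach.items():
        if len(accounts) > max_accounts_per_day:
            flagged[user] = max(flagged.get(user, 0), len(accounts))
    return flagged


if __name__ == "__main__":
    print("lax module violations:", audit_authorization(lax_check, ASSIGNMENTS, ALL_ACCOUNTS))
    print("strict module violations:", audit_authorization(strict_check, ASSIGNMENTS, ALL_ACCOUNTS))
    print("users over daily reach threshold:", flag_unusual_users(parse_log(SAMPLE_LOG)))
```

Run stand-alone, the audit reports five pairs the lax module permits and none for the strict module, and the monitor flags the constructed user who pulled five accounts in a single day. A real threshold would be derived from each role's historical baseline rather than fixed, but the shape of the two checks is what the order says was missing.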
Regardless of what policies the SEC wishes the firms had instituted, or which best practices the firms failed to follow, it would have been difficult for the SEC to allege that the failure to have specific policies and procedures resulted in a breach because no security measures are foolproof in preventing cybersecurity attacks. According to one industry professional: “No firewall — whether a small, free host-based firewall or a multiple-thousand-dollar enterprise firewall array — will make your computers impervious to attack.”[14] While it is a nice sentiment that auditing or testing “would likely” have found deficiencies (as the SEC alleged against the BD/IA), firms (or auditors) do not always identify or properly take action on “red flags” after they conduct audits.[15] It seems odd for the SEC to know that audits are not perfect but for it to allege here that if the firm had, hypothetically, audited, then that audit likely would have worked perfectly. Similarly, regarding the SEC’s allegation about monitoring employees, wishing doesn’t make it so. The SEC often brings cases when firms monitor representatives or employees but do not find problems.[16]
In this arena, it is unlikely that any firm can have policies and procedures to make it impervious to all breaches. As then-FBI Director Robert Mueller said: “[T]here are only two types of companies: those that have been hacked and those that will be.”[17] John Chambers, chief executive officer of Cisco, supposedly said something similar: “There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.”[18] Indeed, another industry professional (and white collar/securities enforcement specialist), SEC Chairwoman Mary Jo White, stated that “cybersecurity attacks cannot be entirely eliminated,” conceding that even if a firm were to take the most diligent preventive measures, a breach could still occur.[19] Thus, given that breaches are inevitable and that neither order alleged any evidence connecting the alleged deficiencies with the breaches, it appears that the SEC is applying a strict liability standard.
What Firms Should Consider Doing
Regardless of whether the SEC had an adequate factual or legal basis to bring its enforcement actions or whether, as a matter of policy and fairness, it should have charged the two firms, the SEC’s orders cannot be ignored. At this point, firms may be facing strict liability if they become the victim of a breach. It appears that the SEC may find that a firm’s procedures were unreasonable based on the simple fact that a breach occurred. To try to prevent a breach from occurring, to protect the interests of their clients, and to prevent the initiation of a subsequent enforcement action, firms may want to consider the following:
An Apple a Day (and Regular Reading About Breaches) May Keep Hackers Away. Review the various statements and reports by the commission and its staff (as well as those of the Financial Industry Regulatory Authority)[20] and relevant enforcement actions to determine what policies and procedures may be reasonable for your business models to protect customer records and information.
If You’ve Got It, Flaunt It. If firms have policies and procedures, they should consider whether they have adequately implemented those policies and procedures. Thus, while the BD/IA had many written procedures, the SEC’s case is built upon the firm’s failure to audit, test or monitor certain activities.
Keep Your Friends Close and Your Enemies Closer, But Don’t Forget About Employees and Representatives. Firms need to be concerned about outside and inside threats. A third party hacked the IA, while an employee hacked the BD/IA (although an outsider subsequently hacked the employee). Firms often focus on third-party threats, but BDs and IAs must not ignore that employees and advisers can also pose danger.
For Your Eyes Only (But What About My Eyes and My Favorite Websites?). Firms may need to analyze how to allow access to outside websites. The SEC’s order against the BD/IA was critical of the firm because it blocked access to some types of websites but not “uncategorized” sites like the personal portal of the employee. Employees and representatives may rise up and revolt against this “solution” if they can’t access their kids’ soccer schedules, their favorite shopping emporium, or their rock star stock-picking guru.
Keeping Up With the Joneses. Firms may want to assess industry “best practices.” As explained above, the IA was sanctioned because it failed to have in its arsenal certain “example[s]” of policies and procedures, including a firewall to protect a server containing client PII, encryption of client PII stored on that server, and procedures for responding to a cybersecurity incident.
A Stitch in Time Saves Nine (and Possibly the Imposition of an Even Larger Penalty). If firms do experience a breach (assuming they know about it), they should consider taking remedial steps including stopping the breach or the impermissible access, discovering what happened, notifying clients, and notifying regulators and/or law enforcement. While the SEC did bring charges against the IA and the BD/IA, the firms did receive some credit for their remedial efforts (although how much credit is not known).
While the SEC’s cybersecurity playbook is just coming to light (although it’s not ready to be made into a movie yet), it is providing clues about how the SEC views cybersecurity issues and, in particular, breaches. Firms that study SEC enforcement actions, speeches and reports, and then take appropriate steps given their business models should be well-positioned if a breach occurs or if the SEC conducts an exam. With adequate preparation, there should be no need to throw a Hail Mary pass or to deflate the SEC’s tires in the parking lot.
—By Brian Rubin, Mark Thibodeaux and Amy Xu, Sutherland Asbill & Brennan LLP