When clients ask what advisers are doing to
protect their data, only the firms that can give a satisfying answer will build
trust with investors
Jan 12, 2019 @ 6:00 am
By Ryan W. Neal
After spending most of a decade offering
guidance and stern warnings, regulators are ready to put enforcement muscle
behind cybersecurity rules.
A flurry of activity in 2018 at federal and
state levels has many legal and security experts expecting 2019 to be a
watershed year for holding firms accountable for clients' digital data.
Penalties are coming for advisory firms that don't do enough to prevent a data
breach or don't respond to a breach effectively.
The Securities and Exchange Commission is
leading the charge. The agency took several actions in 2018 that should alert
every adviser that any grace period in adopting data security controls has
expired.
"The honeymoon phase is over," said
Askari Foy, managing director of ACA Aponix's global regulatory cybersecurity
practice and a former SEC associate director. "As they identify issues,
they're less likely to be friendly, for lack of a better word. They tend to
roll up their sleeves and really dig into the issues, particularly if they
smell blood or sense potential harm to investors."
Voya troubles
No alarm rings louder than the SEC's Sept. 26,
2018, announcement that Voya Financial Advisors would pay $1 million to
settle charges relating to a 2016 scam that compromised the personal
information of thousands of customers. It was the first time the SEC enforced
its "identity theft red flags rule," which has been on the books
since 2013.
Even though Voya had a cybersecurity policy in
place and responded to the breach within a matter of hours, it wasn't good
enough for the SEC. The regulator said Voya's cybersecurity policies and
procedures were out of date and failed to do enough to ensure they applied to
the entire workforce of financial advisers.
This issue of scant policies or ineffective
effort is common throughout the industry and it's exactly what the SEC wants to
eliminate. For many advisers, cybersecurity is just another compliance
procedure — put a policy in place, do some basic training, check off the box
and move on to more pressing business issues.
"Firms have cybersecurity policies, they
get one from an attorney or compliance firm. The policy looks great, but it
doesn't actually reconcile to reality in any way," said Sid Yenamandra,
CEO and co-founder of cybersecurity firm Entreda.
For example, the policy may say advisers can
only access the firm's network using a secure connection such as a virtual
private network, but there are no checks that the policy is actually followed,
he said.
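The VPN example above is the whole problem in miniature: a policy sentence with nothing that measures it. The block below is an added example (not code from the original article, Entreda or any firm it quotes) of the kind of check that turns that sentence into evidence. It reads a constructed access log, treats the VPN address pool (assumed here to be 10.8.0.0/24) and the office LAN (assumed 192.168.10.0/24) as the only approved paths, and reports every successful login that arrived any other way. The log format, hostnames, users and addresses are all invented for the example.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample access log for the example (not from any real firm or product).
# One deliberately malformed line is included to show that the parser skips it.
SAMPLE_LOG = """\
2019-01-10T08:12:03Z host=fileserver user=jdoe src=10.8.0.23 action=login result=success
2019-01-10T08:15:41Z host=fileserver user=asmith src=192.168.10.44 action=login result=success
2019-01-10T09:02:17Z host=crm user=jdoe src=203.0.113.7 action=login result=success
2019-01-10T09:03:55Z host=crm user=bwong src=198.51.100.9 action=login result=failure
2019-01-10T12:47:30Z host=fileserver user=bwong src=10.8.0.77 action=login result=success
2019-01-10T13:10:02Z host=crm user=asmith src=203.0.113.7 action=login result=success
this line is garbage the parser must skip
"""

# Hypothetical allocations: the VPN hands out 10.8.0.0/24, the office LAN is 192.168.10.0/24.
# Anything else is, by the firm's own policy, not an approved way onto the network.
APPROVED_NETWORKS = [
    ipaddress.ip_network("10.8.0.0/24"),
    ipaddress.ip_network("192.168.10.0/24"),
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Violation:
    ts: str
    user: str
    host: str
    src: str


def parse_events(text):
    """Yield one dict per well-formed log line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def is_approved_source(src):
    """True if the source address falls inside the VPN pool or the office LAN."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in APPROVED_NETWORKS)


def find_violations(text):
    """Successful logins that bypassed the VPN/office path, i.e. the policy was not followed.

    Failed logins are left out: they are a different signal (attack attempts),
    not evidence that a staff member ignored the access policy.
    """
    return [
        Violation(e["ts"], e["user"], e["host"], e["src"])
        for e in parse_events(text)
        if e["action"] == "login"
        and e["result"] == "success"
        and not is_approved_source(e["src"])
    ]


def violations_by_user(text):
    """Counts per user, the figure a compliance review would actually record."""
    return dict(Counter(v.user for v in find_violations(text)))


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v.ts} {v.user} logged into {v.host} from {v.src} outside the VPN")
    print(violations_by_user(SAMPLE_LOG))
```

Run against the sample, it reports two logins from 203.0.113.7 (one each for jdoe and asmith) and ignores the failed attempt from 198.51.100.9. The point is not the script but the habit: a policy statement should have a query behind it that can be rerun before every periodic review, and a non-zero result is the reconciliation to reality that Mr. Yenamandra says is missing.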
Entreda's experts, who have provided data
protection software and training services to thousands of advisers, see a lot
of lip service paid to cybersecurity.
"People talk about having a good
cybersecurity policy, but who is actually implementing it? Our view on this
entire issue is we tend to see there is a false sense of security that a lot of
firms have," Mr. Yenamandra said.
These firms are more vulnerable to an attack,
and this year they also could face stiff fines and censure. Regulators' gloves
are off, and they are ready to crack down.
2018 warnings to heed
When the SEC first developed regulations
regarding email communications, it gave firms a few years to acclimate to the
new rules and get programs in place. As guidance became more detailed and rules
more specific over time, that's when sanctions started coming. Regulators are
following a similar pattern with cybersecurity, said Kim Peretti, co-chair of
law firm Alston & Bird's national security and digital crimes practice and
its cybersecurity preparedness and response team.
"Investment advisers and broker-dealers
of all sizes may be under scrutiny and should expect more enforcement actions
moving forward," she said. "For registered investment advisers and
broker-dealers, the primary implication of this focus is that the SEC will
continue to expect more mature cybersecurity programs that adapt to the
changing threat environment and appropriately manage and communicate risks to
investors."
The agency last
year named cybersecurity as a priority in its examinations of investment advisers
and brokers; asked Congress for an additional $52 million to expand personnel, including four
people dedicated to cybersecurity; and issued new guidance on public companies'
obligations to disclose cybersecurity risks and incidents, updating its
previous guidance issued in 2011.
The SEC published a
report last year detailing an investigation of nine
undisclosed public companies that fell victim to cyberfraud and collectively
lost nearly $100 million. Though no charges were filed, the report served as a
stern warning to consider cybersecurity when implementing internal account
controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms
accountable.
It isn't just the
SEC getting tougher with cybersecurity. In August, the Financial Industry
Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for
having inadequate procedures for preventing hackers from transferring money from
client accounts. In December, the self-regulatory organization updated its 2015 report on cybersecurity best
practices for broker-dealers.
State regulators
are making their own rules. Since New York issued rules requiring financial
institutions to establish cybersecurity programs, the number of bills and
proposals addressing cybersecurity at the state level has continued to
grow. According to the National Conference of State Legislatures,
265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016.
As of Nov. 6 (the latest data available), 52 of the bills proposed last year
became law.
The increased
activity provides a window into where regulators are focusing their energy and
what future enforcement actions might involve.
For example, the
SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to
disclose a cybersecurity breach — show how seriously the regulator wants firms
to report data breaches. According to the New York Times, only 24 public companies
(across all industries) reported breaches to the SEC in 2017, but researchers
believe more than 4,000 breaches occurred.
The Voya charges
reveal another common weakness, specifically for financial advisers. It's not
enough to just have a cybersecurity plan in place. Regulators want to see firms
continually testing, reviewing and updating cybersecurity policies and procedures
to ensure they remain effective as threats evolve.
Business email
Another area of
focus, as evidenced by the SEC's investigative report and Finra's updated best
practices, is compromised business emails — an increasingly popular attack
method in which hackers pose as corporate executives or third-party vendors and
use emails to trick other employees.
"There's been
an increasing focus on the nexus between cyberintrusion and cyberfraud,"
Ms. Peretti said.
Preventing harm due
to phishing scams requires that firms address human susceptibility to such scams in
addition to the technology element itself, she said.
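The business email compromise pattern described above (an outsider posing as an executive or a vendor) and the technology element Ms. Peretti refers to can both be made concrete. The block below is an added example, not code from the article or from any vendor or regulator it names, of a mail-gateway style triage over constructed message headers. It flags three things: a display name that matches a known executive but an address that is not that executive's, a sender or Reply-To domain that imitates a trusted domain (digit-for-letter substitution or a one-character edit), and a Reply-To that diverts replies to a different domain than the From. The firm domain, executive directory, vendor domain and messages are all assumed for the example.

```python
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-advisers.com"                      # hypothetical firm domain
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "custodian-example.com"}  # hypothetical vendor added
EXECUTIVES = {                                                # hypothetical directory
    "jane doe": "jane.doe@example-advisers.com",
    "raj patel": "raj.patel@example-advisers.com",
}
# Common digit-for-letter swaps seen in lookalike registrations.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Constructed sample headers (not real messages).
SAMPLE_MESSAGES = [
    {"From": '"Jane Doe" <jane.doe@example-advisers.com>', "Subject": "Q1 review"},
    {"From": '"Jane Doe" <jane.doe.ceo@gmail.com>', "Subject": "Urgent wire before noon"},
    {"From": '"Accounts Payable" <ap@examp1e-advisers.com>', "Subject": "Updated bank details"},
    {"From": '"Custodian Support" <support@custodian-example.com>',
     "Reply-To": "<support@custodian-example.co>", "Subject": "Password reset"},
]


def levenshtein(a, b):
    """Plain edit distance; small enough to write inline rather than pull in a dependency."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    normalized = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        if normalized == trusted or levenshtein(normalized, trusted) <= 1:
            return trusted
    return None


def analyze(headers):
    """Return a list of (rule, detail) findings for one message's headers."""
    findings = []
    name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = domain_of(from_addr)

    # Rule 1: executive display name on an address that is not the executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(("executive-impersonation",
                         f"{name!r} expected from {expected}, got {from_addr}"))

    # Rule 2: From or Reply-To domain imitates a domain the firm trusts.
    for header in ("From", "Reply-To"):
        _, addr = parseaddr(headers.get(header, ""))
        target = lookalike_of(domain_of(addr))
        if target:
            findings.append(("lookalike-domain",
                             f"{header} domain {domain_of(addr)} resembles {target}"))

    # Rule 3: replies are steered to a different domain than the visible sender.
    if headers.get("Reply-To"):
        _, reply_addr = parseaddr(headers["Reply-To"])
        if domain_of(reply_addr) != from_domain:
            findings.append(("reply-to-mismatch",
                             f"From {from_domain} but Reply-To {domain_of(reply_addr)}"))
    return findings


def triage(messages):
    """Map each message subject to its findings; empty list means nothing tripped."""
    return {m.get("Subject", ""): analyze(m) for m in messages}


if __name__ == "__main__":
    for subject, findings in triage(SAMPLE_MESSAGES).items():
        print(subject, "->", findings or "clean")
```

On the sample, the genuine executive message is clean, the Gmail "Jane Doe" trips the impersonation rule, `examp1e-advisers.com` normalizes to the firm's own domain and is flagged as a lookalike, and the custodian message is flagged twice because its Reply-To both imitates the vendor domain and diverts replies away from the From. None of this replaces the human element Ms. Peretti describes; a flagged message still needs someone trained to stop and call the executive or the custodian back on a known number.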
Finally, the Voya
breach was caused by hackers impersonating an independent adviser and using the
custodian's support line to reset passwords and gain access to the system,
illustrating the vulnerability from third parties.
Regulators want
advisers to have an inventory of everyone who can access their data, including
both third-party technology vendors and independent contractors.
Where advisers can improve
The good news is
that the financial services industry has done a pretty good job of adapting to
new cybersecurity requirements, at least in comparison to other industries like
retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.
Where it's most
often falling apart is with the smaller registered investment advisers and
broker-dealers.
"Modest-sized
companies lack the resources to really make good on their paper policies,"
Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies
and procedures. But it's a whole additional step to make sure they are
followed."
At smaller firms,
there can be a sense of fatigue and helplessness when it comes to
cybersecurity, because even the largest companies get hacked.
"There is this
general feeling of, 'Holy cow, how can I, this little RIA out here, protect
[against a breach] if these large institutions can't?'" said Wes Stallman,
provider of cloud-based cybersecurity for advisers. "I do think that
causes some frustration."
Experts said the
adviser mindset should not be fixed on trying to safeguard data 100% because,
with attacks always evolving, it's less of a matter of "if" and more
of "when" there's a breach.
Regulators
understand this, and really just want firms to have checks and balances in
place to ensure they are doing the best they can to prevent breaches. More
importantly, regulators want firms to have an up-to-date and battle-tested plan
for an effective and timely response to a breach.
Finra's December
update to its best practices includes a new appendix to help small firms adopt
and implement cybersecurity controls. When used alongside Finra's previously
released small firm cybersecurity checklist, it should give smaller advisers an
effective guide to remaining compliant.
The bigger
challenge is how to get all financial advisers to move beyond the lip service
and actually realize that cybersecurity is something more important than
another compliance chore. The key to that may lie in thinking of cybersecurity
as a competitive advantage, Mr. Yenamandra said.
Clients are going
to increasingly ask what advisers are doing to protect data, and firms that can
give a satisfying answer will build trust with investors.
"Cybersecurity
needs to be viewed as not only an operational risk but also a strategic
function," he said.
https://www.investmentnews.com/article/20190112/FREE/190119985/crackdown-showdown-serious-cybersecurity-enforcement-is-coming-in