On Friday, May 12, the WannaCry ransomware attack struck hundreds of thousands of users across the globe, causing major disruptions in private and public networks. The attack, which encrypts a user’s files and holds them for ransom, may infect a computer without any action taken by the user. With similar attacks expected, and as we have previously discussed, businesses would be well served to proactively take steps to protect themselves from WannaCry and other malicious cyberattacks.
On the heels of yet another high-profile cyberattack, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) issued an alert to broker-dealers, investment advisers, and investment companies warning them of WannaCry and reminding them of the importance of addressing cybersecurity issues to protect investors and clients. Regulated entities are required by Regulation S-P, 17 C.F.R. § 248.30(a), to adopt written policies and procedures (administrative as well as technical) to safeguard the personally identifiable information of their investors, clients, and customers. The regulation requires that these procedures be reasonably designed to protect against anticipated cyber threats and against unauthorized access to or use of customer records or information.
In 2015, OCIE launched its cybersecurity examination initiative, and the SEC’s Division of Investment Management and FINRA simultaneously offered guidance to regulated entities on cybersecurity. The OCIE alert serves as a reminder to regulated entities of their obligation to safeguard client data. In a recent examination of 75 SEC-registered broker-dealers, investment advisers, and investment companies, OCIE found that 26% of the investment advisers and investment companies surveyed did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, and 57% of investment advisers and investment companies did not conduct penetration tests and vulnerability scans on critical systems. Broker-dealers fared better, with only a 5% deficiency rate in both categories.
Both the SEC and FINRA have made enforcement of cybersecurity issues a focus, and recent SEC enforcement actions demonstrate its willingness to pursue firms that have suffered from cyberattacks and that lacked policies and procedures that the SEC deemed to be “reasonably designed” to safeguard customer information. For example, R.T. Jones Capital Equities Management recently settled a cease-and-desist proceeding after an unauthorized, unknown intruder gained access to the personally identifiable information of over 100,000 individuals. This breach cost R.T. Jones a $75,000 civil monetary penalty.
The WannaCry attacks and OCIE’s alert should serve as a reminder that regulators are watching how broker-dealers and other regulated entities safeguard customer data. For a regulated entity, crafting effective cybersecurity policies and procedures is essential not only to preventing harmful and embarrassing attacks, but also to preventing a potentially costly regulatory action. As a regulatory compliance matter, these policies and procedures are more than an IT policy and require scrutiny from well-advised in-house counsel.