CyberSecurity Insights for Securities Firms
CSI: Sutherland Securities
October 2014

Sutherland’s Privacy and Data Security Team helps clients navigate the increasingly complex framework of laws governing the collection, use, transfer, disclosure and security of personal information. In connection with these efforts, last month we launched CyberSecurity Insights for Security Firms (or “CSI: Sutherland Securities,” for short), a newsletter focusing on cybersecurity issues facing broker-dealers (BDs) and investment advisers (IAs). As the saying goes, with cybersecurity incidents, it’s not if, but when.

This edition’s focus: The results of the SEC’s and NASAA’s recent cybersecurity surveys.

The Good, the Not-So-Good, and the Ugly: The SEC and NASAA Indicate That Not All Firms May Be Ready to Tell Cyberattackers (and Regulators) to “Go ahead, make my day”[1]

Welcome to the second edition of CyberSecurity Insights for Securities Firms (CSI: Sutherland Securities). Last month, we looked at the Securities Industry and Financial Markets Association’s (SIFMA) new cybersecurity guidance for “small firms,” which firms of all sizes can possibly use to protect themselves from both a cybersecurity attack and regulatory scrutiny.[2]

Because the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have not yet issued any official cybersecurity guidance, SIFMA’s eight steps could establish a useful baseline for cybersecurity compliance in the securities industry.

In this edition of CSI: Sutherland Securities, we examine (1) preliminary unofficial findings from the SEC’s recent cybersecurity sweep, which covered “more than 50 registered broker-dealers and registered investment advisers”;[3] and (2) the results of a recent cybersecurity survey conducted by the North American Securities Administrators Association (NASAA), which covered 440 state-registered “small and mid-sized” investment advisers (IA).[4] Although the SEC’s results are, at this point, anecdotal and drawn from a relatively small sample size,[5] and although NASAA’s results involve only state-registered IAs in just nine states, averaging just three employees and two investment adviser representatives per firm,[6] both the SEC’s cyberexams and NASAA’s survey addressed similar cybersecurity practices, and both therefore provide an early indication of how some firms are protecting themselves from the threat of a cyberattack.

The SEC’s preliminary findings appear to be encouraging: “the ‘vast majority’ of firms conduct ‘firmwide inventories’ of electronic resources (hardware, software, data), maintain written security policies and conduct periodic risk assessments.”[7] Similarly, NASAA’s survey shows that small and mid-sized state-registered IAs generally appear to be taking cybersecurity seriously. However, NASAA’s survey also reveals a number of cybersecurity shortcomings.

So, to guide you through the results (and with apologies to ), we’ve broken down the SEC’s and NASAA’s results into the Good, the Not-So-Good, and the Ugly.[8]

A. The Good: Antivirus Protection and Software Updates

As we reported last month, two of SIFMA’s eight cybersecurity “action items” suggest that firms maintain “[u]pdated anti-virus software, in addition to web security software,” and that firms “[u]tilize automatic software updates and spot-check that updates are applied frequently.”[9] NASAA’s survey shows that nearly all surveyed state-registered IAs are taking both suggestions to heart.

Ninety-seven percent of respondents in NASAA’s survey reported utilizing antivirus software.[10] Of that number, 87% took the additional step of having antivirus software “installed on all computers, tablets, smartphones, or other electronic devices used to access client information.”[11] Further, showing that the clear majority of surveyed state-registered IAs are also following SIFMA’s recommendation to maintain updated antivirus software, 82% of respondents reported downloading updates to their antivirus software on an automatic basis.[12]

Similarly, 73% of firms surveyed by NASAA reported patching software on “all laptop or tablet computers, or other portable electronic devices” automatically as updates are released by the vendor. This simple step was recommended by another of SIFMA’s suggested action items.[13] Moreover, as noted last month, because “[m]alware is often designed to exploit flaws in software,” outdated software can leave a firm vulnerable to a cyberattack.[14] Thus, firms should consider automatically installing software vendors’ updates to ensure that potential access points for would-be cyberattackers are blocked.

BDs and IAs should be aware that deficiencies related to antivirus software have resulted in enforcement actions, including the following:

• The SEC fined a dually-registered firm $100,000 for, among other violations, recommending—but not requiring—that antivirus software be installed on registered representatives’ computers.[15]

• FINRA fined a broker-dealer $450,000 for, among other things, not requiring that its representatives install or utilize security software or applications such as antivirus software on their personal computers.[16] Further, the firm “did not inspect . . . registered representative-owned personal computers to determine whether they contained any kind of security application software,” including antivirus software.[17]

• FINRA fined a broker-dealer $125,000 for, among other things, failing to enforce its policy requiring “quarterly reviews of internal computer systems and privacy protections.” Doing so would have revealed “that [the firm] failed to install essential monitoring software on the computers of approximately 19 employees.”[18]

B. The Not-So-Good

1. Online Account Access

Fifty-seven percent of firms surveyed by NASAA reported using “procedures to authenticate client instructions received via email/electronic messaging.”[19] (To provide context, 29% of firms reported that authentication of clients’ electronic instructions was “not applicable to my firm’s business model.”[20]) Similarly, the SEC found a related “not-so-good” issue. According to reports of the SEC’s early cybersecurity findings, “[w]here firms may be falling short is in getting to know their clients’ online habits. . . . [M]ore than one-third of advisers with retail clients do not assess their login capabilities and practices.”[21]

FINRA has highlighted the possible risks. For example, FINRA has observed “an increasing number of reports of incidents in which firms have wired customer funds to third-party accounts based on instructions received from customers’ email accounts that had been compromised by third parties.”[22] Similarly, FINRA has highlighted instances in which “perpetrators appear to have obtained customers’ brokerage information by accessing customers’ email accounts and searching contact lists or emails sent from the account.”[23] In other words, hackers can gain access to a customer’s email account—for example, by trying one of the five million passwords with associated Gmail accounts recently posted on a Russian forum[24]—and then using: (1) the client’s email account to send a fraudulent transfer request to the firm, perhaps, as FINRA has reported, “stress[ing] the urgency of the requested transfer, pressuring the firm to release the funds before verifying the authenticity of the emailed instructions;”[25] or (2) information learned from the customer’s hacked email account to log into the customer’s online account with the firm.

These threats are different from many of the other threats identified by the SEC’s and NASAA’s surveys, but they still expose firms to a large potential risk. In either situation, the firm itself is likely not being attacked; instead, the firm may be an unknowing accomplice in a cyberattack on one of its customers. However, by failing to authenticate customers’ emailed transfer requests or by failing to ensure that actual customers—and not hackers—are logging into an online account, a firm may expose itself to charges that the firm failed to implement adequate supervisory procedures designed to “review and monitor the transmittal of funds . . . or securities.”[26]

2. Risk Assessments

Another potential trouble spot identified by the SEC and NASAA is whether firms conduct adequate self-assessments of their cybersecurity readiness. Only 62% of firms surveyed by NASAA reported “conduct[ing] risk assessments to identify cybersecurity threats, vulnerabilities, and potential consequences.”[27] Of that number, 40% reported doing so annually, while 34% reported making the practice at least a quarterly event.[28] In comparison, the SEC’s early review of its cyberexam results revealed that “the ‘vast majority’ of firms . . . conduct periodic risk assessments.”[29] Although SIFMA’s cybersecurity guidance does not address the issue, FINRA has long recommended that to adequately implement SEC Regulation S-P (the “safeguards rule”),[30] firms “should consider . . . at a minimum . . . whether the [firm] is conducting, or should conduct, periodic audits to detect potential vulnerabilities in its systems and to ensure that its systems are, in practice, protecting customer records and information from unauthorized access.”[31]

While the SEC’s and NASAA’s findings show that many firms are taking cybersecurity seriously, the findings also suggest that many firms may inadvertently be lulling themselves into the belief that by having cybersecurity policies in place, they are safe from both cyberattacks and regulators. Cybersecurity compliance is not static; what may have been state-of-the-art compliance at the time it was implemented could well be out-of-date by the time an attack hits. The SEC recognized as much in 2008 when it proposed amending Regulation S-P to “set forth more specific requirements for safeguarding information and responding to information security breaches.”[32] As the SEC noted at the time, “some firms do not regularly reevaluate and update their safeguarding programs to deal with . . . increasingly sophisticated methods of attack.”[33]

Thus, particularly in light of the financial and reputational costs of a cyberattack, firms that do not regularly assess their own cyber-vulnerabilities need to ask themselves, in the immortal words of , “Do I feel lucky?”[34]

C. And the Ugly

1. Use of Encryption

Turning finally to the “Ugly” NASAA survey results, the use of data encryption among certain state-registered investment advisers appears to be spotty. In the context of mobile device security, SIFMA recommended that small firms “[e]nsure that mobile devices are secure with passwords and data is encrypted in the event of a loss.”[35] Mobile device data encryption is meant to mitigate a risk that continues to grow as mobile device use becomes ever more commonplace. As NASD (now FINRA) has noted, if firms or their representatives use mobile devices to access customer information, “the [customer] data is broadcast out into the airwaves, thus making any confidential information in that data easier to intercept than if the user is required to tap into a physical network.”[36] Further, “wireless connections present an attractive mechanism for hackers to tap into the user’s workstation to gain access to a corporate network. A corporate network’s protective measures (e.g., firewalls and similar defensive software) could be by-passed under such circumstances.”[37]

NASAA’s survey shows that a less-than-resounding 39% of respondents encrypt their files and devices, while 46% do not use encryption. (The remaining 15% either were not sure whether they encrypt their data or did not respond.) Further, of the 39% of respondents that reported utilizing encryption, only 60% reported requiring encryption “on all computers, tablets, smartphones, or other electronic devices used to access client information.” Thus, at least among certain small and mid-sized state-registered IAs, many firms have a ways to go towards ensuring that their data is protected from theft.

Particularly in light of these survey results, firms should be aware that even though there is no rule that directly requires encryption,[38] FINRA has brought encryption-related enforcement actions.[39] For example:

• In 2011, FINRA fined a broker-dealer $300,000 for, among other things, not having “procedures for the encryption of [the firm’s] laptops” (one of which had been stolen from an employee’s car) “or a process in place for the encryption of data while stored in the laptop.” According to FINRA, while the “Firm’s encryption policy required only that non-public financial information communicated to third parties was to be encrypted there was no requirement for the encryption of all data contained on Firm laptops.”[40]

• In 2011, FINRA fined another broker-dealer $450,000 for, among other things, not requiring that its representatives “install or utilize security software or applications such as . . . encryption . . . software on their personal computers.”[41]

• In 2010, FINRA fined a broker-dealer $375,000 after a firm database containing confidential customer information was hacked.[42] According to FINRA, the firm’s database “was stored on a computer with a persistent Internet connection, thereby leaving the information in the database exposed to the Internet.”[43] Even though the database was constantly exposed to the Internet, the database “was not encrypted and the Firm never activated a password, thereby leaving the default setting of a blank password in place.”[44] Both of these deficiencies contributed to a hacker accessing information about 230,000 firm clients, which the hacker then used in an attempt to extort money from the firm.[45]

2. Use of the Cloud

Finally, NASAA’s survey shows that a relatively small number of respondents may be taking a relatively large risk with customer information. Seventeen percent of respondents reported using “free Cloud services such as iCloud, Dropbox or Google Drive, to store personal and confidential client information.”[46] Of that number, 53% reported not having a “policy that stipulates how these services are to be used.”[47] Although these numbers are small, they do represent a large potential risk. As recent headlines have demonstrated, data stored in free cloud services may be at increased risk of theft.[48]

The regulators are aware of the risks as well. For example, FINRA recently fined a broker-dealer $250,000 after an employee built an online “document management system” containing customer information.[49] Although FINRA’s Letter of Acceptance, Waiver, and Consent (AWC) did not indicate the nature of the online document management system, it did suggest the use of cloud storage. According to the AWC, the firm employee who built the online data management system “inadvertently linked a website to an electronic location containing the [personally identifiable information] of 217 customers and 113 related beneficiaries” from a firm branch.[50] As a consequence, this customer information “was then indexed and organized by . . . Google . . . and remained publicly exposed on the internet” for nearly a month.[51] The information was taken down only after a firm customer found her account and other personal information on the Internet.[52]

To be sure, cloud storage does not necessarily have to be a compliance risk. (Indeed, perhaps proving that the cloud—or at least a secure cloud—should not be viewed as a per se compliance risk, FINRA recently embarked on a 30-month-long effort to implement cloud computing in its market surveillance program.[53]) However, firms that use cloud storage should consider taking additional steps, such as data encryption, to ensure the safety and confidentiality of customer information and, at the very least, should consider staying away from publicly-accessible online data storage systems.

Conclusion

Until the SEC and FINRA release the results of their cybersecurity exams, the SEC’s preliminary cybersecurity findings and NASAA’s survey provide a useful snapshot of the state of cybersecurity compliance in certain segments of the securities industry. The admittedly limited early findings from the SEC suggest good efforts by many firms to implement an effective cybersecurity program. Similarly, NASAA’s survey shows that many state-registered IAs have implemented the basics of a good cybersecurity program—by, for instance, installing and maintaining antivirus software. However, the survey also reveals a number of major shortcomings. Perhaps most glaring, only 44.6% of respondents reported having “policies and procedures or training programs in place regarding” cybersecurity.[54] This finding suggests that many small and mid-sized IAs are still taking an ad hoc approach to cybersecurity. To be sure, some of the survey’s less-than-encouraging results may be explained by the scope of NASAA’s survey, which surveyed only state-registered investment advisers that “average three employees and two investment adviser representatives” per firm.[55] Indeed, the SEC’s findings appear to be contrary to NASAA’s findings on this issue. In reported comments on the SEC’s early findings from its cybersecurity exam, Jane Jarcho, National Associate Director of the Commission’s Investment Adviser and Investment Company Examination Program, noted that the “‘vast majority’ of firms . . . maintain written security policies.”[56]

Nonetheless, as reports of cyberattacks become more frequent, it will become more difficult for firms of any size to take a wait-and-see attitude towards cybersecurity. Instead, firms should consider a proactive approach to cybersecurity if they want to be able to tell cyberattackers (and regulators) to “go ahead, make my day.”

* * *

We will provide similar updates on a regular basis. If this newsletter was forwarded to you or if you are unsure whether you are on Sutherland’s list to receive Legal Alerts, please send an email to [email protected]. Also, if you have subjects you would like us to discuss in future editions, please let us know.

Notes

[1] See Sudden Impact (1983), http://www.imdb.com/title/tt0086383/?ref_=ttqt_qt_tt.

[2] See Brian L. Rubin, Shanyn L. Gillespie, and Charles M. Kruly, CyberSecurity Insights: CSI Sutherland (Sept. 3, 2014) [hereinafter CSI Sutherland Sept. 2014], available at http://www.sutherland.com/portalresource/CyberSecurityInsights.pdf.

[3] See National Exam Program Risk Alert: OCIE Cybersecurity Initiative, Apr. 15, 2014, available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf. The SEC’s sweep, which began in April 2014, “is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Id. at 2.

[4] NORTH AM. SEC. ADMIN. ASSOC., Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms (Sept. 2014), available at http://www.nasaa.org/wp-content/uploads/2014/09/Cybersecurity-Report.pdf [hereinafter NASAA Cybersecurity Survey]. Of the 440 firms surveyed by NASAA, 36.7% reported having more than $25 million in assets under management (mid-sized IAs), 46.9% reported having under $25 million in assets under management (small IAs), and 16.3% reported having no assets under management. Id. at 3. Surveyed firms “average three employees and two investment adviser representatives.” Id.

[5] Some early findings have been reported in the media. See Mark Schoeff Jr., SEC exam sweep reveals adviser cyber-efforts, INVESTMENT NEWS (Sept. 16, 2014), available at http://www.investmentnews.com/article/20140916/FREE/140919947/sec-exam-sweep-reveals-adviser-cyber-efforts. According to reports, Jane Jarcho, the SEC’s National Associate Director of the Commission’s Investment Adviser and Investment Company Examination Program, recently commented that based on the SEC’s early review of its 2014 cyberexam results, “the ‘vast majority’ of firms conduct ‘firmwide inventories’ of electronic resources (hardware, software, data), maintain written security policies and conduct periodic risk assessments.” Id. According to reports, “[f]indings will be released through speeches by [SEC] officials in coming months, as well as in an investor risk alert.” Id.

[6] NASAA Cybersecurity Survey at 3.

[7] Id.

[8] See The Good, the Bad and the Ugly (1966), http://www.imdb.com/title/tt0060196/.

[9] SIFMA, Small Firms Cybersecurity Guidance: How Small Firms Can Better Protect Their Businesses at 6 (July 2014), available at http://www.sifma.org/issues/operations-and-technology/cybersecurity/guidance-for-small-firms/ [hereinafter SIFMA Cybersecurity Guidance].

[10] NASAA Cybersecurity Survey at 15.

[11] Id.

[12] Id. at 16.

[13] SIFMA Cybersecurity Guidance at 6.

[14] See CSI Sutherland Sept. 2014, supra note 1, at 4.

[15] Exchange Act Release No. 60733, Admin. Proc. File No. 3-13681, at 2, 4 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

[16] FINRA Letter of Acceptance, Waiver and Consent No. 2009018720501, at 5 (Feb. 16, 2011).

[17] Id.

[18] FINRA Letter of Acceptance, Waiver and Consent No. 2009015980301, at 6 (Dec. 14, 2012).

[19] NASAA Cybersecurity Survey at 9.

[20] Id.

[21] See supra note 4.

[22] FINRA Notice to Members 12-05 at 1 (Jan. 2012), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p125462.pdf (NTM 12-05).

[23] Id.

[24] Will Oremus, Your Gmail Probably Wasn’t Hacked. But That Doesn’t Mean You’re Safe, SLATE (Sept. 10, 2014), available at http://www.slate.com/blogs/future_tense/2014/09/10/gmail_password_hack_russian_bitcoin_forum_leaks_credentials_but_most_google.html.

[25] NTM 12-05 at 1.

[26] Id. at 2.

[27] NASAA Cybersecurity Survey at 11.

[28] Id.

[29] See supra note 5. What constitutes a “risk assessment” is, to be sure, subjective; as Ms. Jarcho stated, “[a]lthough most [firms] do it, it really varies in how they do it and how frequently they do it.” Id.

[30] In general terms, Regulation S-P requires firms to establish and enforce written policies and procedures reasonably designed to keep customer records and information confidential and to secure and protect such information from unauthorized access. See 17 C.F.R. § 248.30(a).

[31] NASD Notice to Members 05-49 at 4 (July 2005), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014772.pdf.

[32] See Proposed Amendment to Regulation S-P, Release No. 34-57427; IC-2712; File No. S7-06-08 (Mar. 4, 2008) at 1, available at https://www.sec.gov/rules/proposed/2008/34-57427.pdf. The Commission ultimately did not enact its proposed Reg. S-P amendment.

[33] Id. at 11.

[34] To which a regulator or plaintiff may respond by completing the quote: “Well, do ya, punk?” Dirty Harry (1971), http://www.imdb.com/title/tt0066999/?ref_=ttqt_qt_tt.

[35] SIFMA Cybersecurity Guidance at 6.

[36] NTM 05-49, supra note 31, at 3.

[37] Id.

[38] At least as to internal or customer communications. FINRA Rule 8210 requires that firms that use “a portable media device” to send information to FINRA in response to a Rule 8210 request encrypt the information. See FINRA Rule 8210(g).

[39] See FINRA Letter of Acceptance, Waiver and Consent No. 2009019893801, at 9-10 (Nov. 21, 2011).

[40] Id.

[41] FINRA Letter of Acceptance, Waiver and Consent No. 2009018720501, at 5 (Feb. 16, 2011).

[42] See FINRA Letter of Acceptance, Waiver and Consent No. 20080152997, at 2 (Apr. 9, 2010).

[43] Id.

[44] Id.

[45] Id.

[46] Id. at 21.

[47] Id.

[48] See Andrea Peterson, Emily Yahr & Joby Warrick, Leaks of nude celebrity photos raise concerns about security of the cloud, WASHINGTON POST (Sept. 1, 2014), available at http://www.washingtonpost.com/politics/leaks-of-nude-celebrity-photos-raise-concerns-about-security-of-the-cloud/2014/09/01/59dcd37e-3219-11e4-8f02-03c644b2d7d0_story.html.

[49] See FINRA Letter of Acceptance, Waiver and Consent No. 20100239953 (Sept. 13, 2012).

[50] Id. at 3.

[51] Id.

[52] Id.

[53] Herbert Lash, Wall St watchdog moves to cloud, big data, to boost capabilities, REUTERS (June 20, 2014), available at http://www.reuters.com/article/2014/06/20/finra-technology-idUSL2N0P105020140620.

[54] NASAA Cybersecurity Survey at 13.

[55] Id. at 3.

[56] Supra note 4.