Because the Securities and Exchange Commission CyberSecurity Insights for (SEC) and the Financial Industry Regulatory Authority Securities Firms (FINRA) have not yet issued any official cybersecurity guidance, SIFMA’s eight steps could establish a useful CSI: Sutherland Securities baseline for cybersecurity compliance in the securities industry. October 2014 In this edition of CSI: Sutherland Securities, we examine Sutherland’s Privacy and Data Security Team helps (1) preliminary unofficial findings from the SEC’s recent clients navigate the increasingly complex framework of cybersecurity sweep, which covered “more than 50 laws governing the collection, use, transfer, disclosure and registered broker-dealers and registered investment security of personal information. In connection with these advisers”;3 and (2) the results of a recent cybersecurity efforts, last month we launched CyberSecurity Insights for survey conducted by the North American Securities Security Firms (or “CSI: Sutherland Securities,” for short), Administrators Association (NASAA),which covered a newsletter focusing on cybersecurity issues facing 440 state-registered “small and mid-sized” investment broker-dealers (BDs) and investment advisers (IAs). As advisers (IA).4 Although the SEC’s results are, at this the saying goes, with cybersecurity incidents, it’s not if, but point, anecdotal and drawn from a relatively small when. sample size,5 and although NASAA’s results involve only This edition’s focus: The results of the SEC’s and NASAA’s http://www.sutherland.com/portalresource/CyberSecurityIn recent cybersecurity surveys. sights.pdf. 3 See National Exam Program Risk Alert: OCIE Cybersecurity The Good, the Not-So-Good, and the Ugly: The SEC Initiative, Apr. 15, 2014, available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk and NASAA Indicate That Not All Firms May Be +Alert++%2526+Appendix+-+4.15.14.pdf. The SEC’s sweep, Ready to Tell Cyberattackers (and Regulators) to which began in April 2014, “is designed to assess cybersecurity preparedness in the securities industry and to “Go ahead, make my day”1 obtain information about the industry’s recent experiences with certain types of cyber threats.” Id. at 2. Welcome to the second edition of CyberSecurity Insights 4 NORTH AM. SEC. ADMIN. ASSOC., Compilation of Results of a Pilot for Securities Firms (CSI: Sutherland Securities). Last Survey of Cybersecurity Practices of Small and Mid-Sized month, we looked at the Securities Industry and Investment Adviser Firms (Sept. 2014), available at Financial Markets Association’s (SIFMA) new http://www.nasaa.org/wp- content/uploads/2014/09/Cybersecurity-Report.pdf cybersecurity guidance for “small firms,” which firms of [hereinafter NASAA Cybersecurity Survey]. Of the 440 firms all sizes can possibly use to protect themselves from surveyed by NASAA, 36.7% reported having more than $25 million in assets under management (mid-sized IAs), 46.9% both a cybersecurity attack and regulatory scrutiny.2 reported having under $25 million in assets under management (small IAs), and 16.3% reported having no assets under management. Id. at 3. Surveyed firms “average three 1 See Sudden Impact (1983), employees and two investment adviser representatives.” Id. http://www.imdb.com/title/tt0086383/?ref_=ttqt_qt_tt. 5 Some early findings have been reported in the media. See 2 See Brian L. Rubin, Shanyn L. Gillespie, and Charles M. Kruly, Mark Schoeff Jr., SEC exam sweep reveals adviser cyber-efforts, CyberSecurity Insights: CSI Sutherland (Sept. 3, 2014) INVESTMENT NEWS (Sept. 16, 2014), available at [hereinafter CSI Sutherland Sept. 2014], available at http://www.investmentnews.com/article/20140916/FREE/1 1 state-registered IAs in just nine states, averaging just A. The Good: Antivirus Protection and three employees and two investment adviser Software Updates representatives per firm,6 both the SEC’s cyberexams and NASAA’s survey addressed similar cybersecurity As we reported last month, two of SIFMA’s eight practices, and both therefore provide an early cybersecurity “action items” suggest that firms indication of how some firms are protecting themselves maintain “[u]pdated anti-virus software, in addition to from the threat of a cyberattack. web security software,” and that firms “[u]tilize automatic software updates and spot-check that The SEC’s preliminary findings appear to be updates are applied frequently.”9 NASAA’s survey encouraging: “the ‘vast majority’ of firms conduct shows that nearly all surveyed state-registered IAs are ‘firmwide inventories’ of electronic resources taking both suggestions to heart. (hardware, software, data), maintain written security policies and conduct periodic risk assessments.”7 Ninety-seven percent of respondents in NASAA’s Similarly, NASAA’s survey shows that small and mid- survey reported utilizing antivirus software.10 Of that sized state-registered IAs generally appear to be taking number, 87% took the additional step of having cybersecurity seriously. However, NASAA’s survey also antivirus software “installed on all computers, tablets, reveals a number of cybersecurity shortcomings. smartphones, or other electronic devices used to access client information.”11 Further, showing that the clear So, to guide you through the results (and with apologies majority of surveyed state-registered IAs are also to Clint Eastwood), we’ve broken down the SEC’s and following SIFMA’s recommendation to maintain NASAA’s results into the Good, the Not-So-Good, and updated antivirus software, 82% of respondents the Ugly.8 reported downloading updates to their antivirus software on an automatic basis.12 Similarly, 73% of firms surveyed by NASAA reported patching software on “all laptop or tablet computers, or other portable electronic devices” automatically as 40919947/sec-exam-sweep-reveals-adviser-cyber-efforts. updates are released by the vendor. This simple step According to reports, Jane Jarcho, the SEC’s National Associate was recommended by another of SIFMA’s suggested Director of the Commission’s Investment Adviser and action items.13 Moreover, as Investment Company Examination Program, recently CSI: Sutherland Securities commented that based on the SEC’s early review of its 2014 cyberexam results, “the ‘vast majority’ of firms conduct 9 SIFMA, Small Firms Cybersecurity Guidance: How Small Firms ‘firmwide inventories’ of electronic resources (hardware, Can Better Protect Their Businesses at 6 (July 2014), available software, data), maintain written security policies and conduct at http://www.sifma.org/issues/operations-and- periodic risk assessments.” According to reports, Id. technology/cybersecurity/guidance-for-small-firms/ “[f]indings will be released through speeches by [SEC] officials [hereinafter SIFMA Cybersecurity Guidance]. in coming months, as well as in an investor risk alert.” Id. 10 NASAA Cybersecurity Survey at 15. 6 NASAA Cybersecurity Survey at 3. 11 Id. 7 Id. 12 Id. at 16. 8 See The Good, the Bad and the Ugly (1966), http://www.imdb.com/title/tt0060196/. 13 SIFMA Cybersecurity Guidance at 6. 2 noted last month, because “[m]alware is often designed Doing so would have revealed “that [the firm] to exploit flaws in software,” outdated software can failed to install essential monitoring software on leave a firm vulnerable to a cyberattack.14 Thus, firms the computers of approximately 19 should consider automatically installing software employees.”18 vendors’ updates to ensure that potential access points for would-be cyberattackers are blocked. B. The Not-So-Good BDs and IAs should be aware that deficiencies related 1. Online Account Access to antivirus software have resulted in enforcement actions, including the following: Fifty-seven percent of firms surveyed by NASAA reported using “procedures to authenticate client • The SEC fined a dually- instructions received via email/electronic for, among other violations, recommending—but messaging.”19 (To provide context, 29% of firms not requiring—that registeredantivirus firmsoftware $100,000 be reported that authentication of clients’ electronic installed on registered representatives’ instructions was “not applicable to my firm’s business computers.15 model.” 20) Similarly, the SEC found a related “not-so- good” issue. According to reports of the SEC’s early • FINRA fined a broker- cybersecurity findings, “[w]here firms may be falling among other things, not requiring that its short is in getting to know their clients’ online habits. representatives install or utilizedealer security $450,000 software for, [M]ore than one-third of advisers with retail clients do or applications such as antivirus software on not assess their login capabilities and practices.”21 their personal computers.16 Further, the firm “did not inspect . registered representative- FINRA has highlighted the possible risks. For example, owned personal computers to determine FINRA has observed “an increasing number of reports whether they contained any kind of security of incidents in which firms have wired customer funds application software,” including antivirus to third-party accounts based on instructions received software.17 from customers’ email accounts that had been compromised by third parties.”22 Similarly, FINRA has • FINRA fined a broker- highlighted instances in which “perpetrators appear to among other things, failing to enforce its policy have obtained customers’ brokerage information by requiring “quarterly rdealereviews $125,000of internal for, computer systems and privacy protections.” 18 FINRA