2015 Top 10 Cybersecurity Resolutions for the New Year

NSCP CURRENTS
2015 Top 10 Cybersecurity Resolutions for the
New Year
By Brian Rubin, Sam Casey, and Charlie Kruly
E
very January 1, countless individuals make New Year’s
resolutions, most of which, we’re willing to bet, do not
involve cybersecurity. However, with cybersecurity on the hit
parades of both the Securities and Exchange Commission (SEC)
and the Financial Industry Regulatory Authority (FINRA),1 chief
compliance officers (CCOs) of broker-dealers and investment
advisers might want to add cybersecurity issues to their New Year’s
resolutions for 2015.
1. Get Organized.
After finishing your New Year’s resolution to organize your desk (at
least enough to see its top), consider organizing your firm’s policies
and procedures to address cybersecurity-related issues. (Of course,
if you’ve already addressed such issues, you may want to review
them anyway to make sure they are keeping up with the changing
landscape—or cyberscape, if you prefer—as discussed below.) These
steps might include writing and enforcing reasonable policies and
procedures to detect, address, and remediate breaches. FINRA and
the SEC have brought cases against firms for falling short in this
regard. For example:
•
The SEC has brought several cases against firms that failed to
follow up on cybersecurity shortcomings that the firms learned
of through breaches or regular audits.2
1
As every reader of this periodical likely knows, over the
past year, the SEC and FINRA have been conducting sweep exams
on cybersecurity issues. See National Exam Program Risk Alert:
OCIE Cybersecurity Initiative, at 3 (Apr. 15, 2014) [hereinafter SEC
Cybersecurity Sweep], available at http://www.sec.gov/ocie/announcement/
Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf (SEC’s
cyberexam sweep);.FINRA, Targeted Exam Letters: Re: Cybersecurity
(Jan. 2014), available at http://www.finra.org/industry/regulation/guidance/
targetedexaminationletters/p443219. In addition, reports indicate that FINRA
intends to ring in the New Year by “intensify[ing] its scrutiny of cybersecurity
practices at brokerage firms in 2015.” See Suzanne Barlyn, Wall St
watchdog to bolster reviews of brokerage cybersecurity, Reuters (Oct. 29,
2014), available at http://www.reuters.com/article/2014/10/29/finra-cybersecurityexaminations-idUSL1N0SO2AO20141029.
2 See, e.g., Exchange Act Release No. 64220, Admin. Proc. File
No. 3-14328, at 3 (Apr. 7, 2011) (finding that a former CCO aided and
abetted a firm’s violation of Regulation S-P), available at http://www.sec.
gov/litigation/admin/2011/34-64220.pdf; Exchange Act Release No. 60733,
Admin. Proc. File No. 3-13631, at 2, 4 (Sept. 29, 2009) (finding that the
firm violated Regulation S-P), available at http://www.sec.gov/litigation/
ABOUT THE AUTHORS
Brian Rubin is a partner at Sutherland. http://www.sutherland.com/People/
Brian-L-Rubin. He can be reached at [email protected].
Sam Casey is an associate at Sutherland. http://www.sutherland.com/People/
Samuel-J-Casey. He can be reached at [email protected].
Charlie Kruly is an associate at Sutherland. http://www.sutherland.com/
People/Charles-M-Kruly. He can be reached at [email protected].
The authors would like to thank former Sutherland associate Amanda Powell for
her assistance with drafting this article.
•
The SEC fined a firm $100,000 for, among other violations,
not auditing the computer security measures employed by
registered representatives at the firm’s branch offices.3
•
FINRA fined a firm $375,000 for, among other things,
failing to review server logs to detect unauthorized
network access or intrusions.4
CCOs may also want to help ensure that their firms’ cybersecurity
policies and procedures address administrative and physical steps
to help prevent a data breach, as required under SEC Regulation
S-P (the Safeguards Rule).5 Cyberpolicies that go beyond purely
technical safeguards may help firms comply with the Safeguards
Rule and may help decrease the likelihood of cyber-attacks from a
wider variety of sources. While malicious or criminal attacks cause
the plurality of data breaches (42 percent), the majority of breaches
are non-nefarious: 30 percent of breaches are caused by human
error and 29 percent of breaches are caused by system glitches.6
In addition, CCOs may want to create a cyber-incident response
plan so that their firms are prepared if a breach occurs. Once the
response plan is created, a CCO may want to regularly test it (just
like your New Year’s resolution to regularly check the batteries in
your smoke detectors). (Oops—do you need to add “check smoke
detector batteries” to your New Year’s resolutions?)
2. Learn Something New by Doing Crossword Puzzles
Performing Risk Assessments.
Consider conducting adequate self-assessments of your
cybersecurity readiness. FINRA has recommended that firms
“should consider . . . at a minimum . . . whether the [firm] is
conducting, or should conduct, periodic audits to detect potential
vulnerabilities in its systems and to ensure that its systems are,
in practice, protecting customer records and information from
unauthorized access.”7 FINRA’s point is important because
cybersecurity compliance is not static; what may have been stateof-the-art at one time (like 8 track tapes) (or, for the younger
generation, cell phones that only made phone calls), could well be
out of date by the time an attack hits. The SEC recognized as much
in 2008 when it proposed amending Regulation S-P to “set
admin/2009/34-60733.pdf.
3
Exchange Act Release No. 60733, Admin. Proc. File No.
3-13631, at 2 (Sept. 29, 2009), available at http://www.sec.gov/litigation/
admin/2009/34-60733.pdf.
4
FINRA Letter of Acceptance, Waiver and Consent No.
2008015299801, at 2-3 (Apr. 9, 2010) (finding that the firm violated
Regulation S-P and NASD Rules 3010(a) and (b)), available at http://
disciplinaryactions.finra.org/.
5
Regulation S-P requires, among other things, that firms establish
and enforce written policies and procedures reasonably designed to keep
customer records and information confidential and to secure and protect
such information from unauthorized access. See 17 C.F.R. § 248.30(a).
6
2014 Cost of Data Breach Study: Global Analysis, The Ponemon
Institute, Sponsored by IBM (May 2014) [Ponemon Study] at 8, available
at http://www-935.ibm.com/services/multimedia/SEL03027USEN_
Poneman_2014_Cost_of_Data_Breach_Study.pdf.
7
NASD Notice to Members 05-49 at 4 (July 2005), available at
http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/
notices/p014772.pdf.
DECEMBER 2014
3
NSCP CURRENTS
forth more specific requirements for safeguarding information and
responding to information security breaches.”8 As the SEC noted at
the time, “some firms do not regularly reevaluate and update their
safeguarding programs to deal with . . . increasingly sophisticated
methods of attack.”9
3. Read more.
Once you’ve finished your New Year’s resolution of expanding
your mind by reading War and Peace (and other classics you just
haven’t had time to get around to like Graham and Dodd’s Security
Analysis), consider reading more about cybersecurity issues. You
and your friends such as the Chief Technology Officer, the Chief
Information Officer, and in-house counsel may want to set your
news alerts beyond your favorite football team and celebrities (like
Warren Buffett), by adding terms like “cybersecurity,” “data breach,”
and “S-P.” If you’re really looking to read more (and impress your
friends at the office New Year’s party) take a crack at reading the
National Institute of Standards and Technology’s Framework for
Improving Critical Infrastructure Cybersecurity,10 which the SEC
relied on when it conducted its recent cybersecurity sweep exam.11
(SIFMA) recently issued its Small Firms Cybersecurity Guidance,
which provides an “action item checklist” that identifies several
steps that small firms can take to protect against data breaches.15
Despite the name of the guidance, its lessons can apply to firms of
all sizes.16 SIFMA has suggested that, at a minimum, firms consider
the following:
•
4. Save Money.
To save money in the long term, think about dealing with
cybersecurity issues before a breach or regulatory investigation
occurs. While cybersecurity issues will likely cost you one way or
another, the costs will probably be less if they’re invested on the
front-end rather than in cleaning up a breach. Post-breach costs
could include multiple high-cost items such as a regulatory penalty, a
forensic examination, notification of and follow-up with third parties,
credit or identity monitoring, public relations, and legal defense.12
Applying strict and robust password security items.17 Certain
firms that failed to heed this advice have been sanctioned,
including in the following actions:
•
The SEC ordered a firm to pay a $275,000 penalty for,
among other things, failing to take corrective measures
in response to an internal audit finding that the firm’s
password protection for its proprietary trading system
did not meet industry standards for “strong” password
protection because, for example, the firm did not require
(a) a minimum password length; (b) a complex password
involving an alphanumeric/special character combination;
(c) expiration of passwords after a specified period of time;
and (d) automatic lockout after failed login attempts.18
•
FINRA fined a firm $175,000 for, among other things,
failing to protect a firm database containing non-public
information by allowing the use of a generic user name
(“Administrator”) and password (“password”).19
•
Ensuring that only authorized individuals have access to a
firm’s systems and data.20 The SEC has also indicated it is
interested in what protection, if any, firms have in place to
prevent unauthorized access to customers’ online accounts and
how firms monitor for unauthorized activity on their systems.21
These costs can add up: in 2014, the average total cost of a U.S.
company’s data breach was more than $5.85 million.13 However, a
“strong security posture” may lessen a firm’s financial exposure. For
example, one study suggests that “[c]ompanies that had a strong
security posture at the time of the data breach could reduce the
average cost-per-record by $14.14 to $131.86” and that
“[c]ompanies that had an incident response plan in place also
reduced the average cost per record by $12.77.”14
•
Using an application “whitelist” to help ensure that only
“trusted software” is executed on firm operating systems.22
•
Securing standard operating systems so the firm is not
operating on “unsupported or outdated operating systems.”23
•
Making software updates automatic and “spot-check[ing] that
updates are applied frequently.”24
5. Stay Fit and Healthy.
•
Creating a back-up of data in the event a cyber-attack causes the
loss or destruction of data. To do so, SIMFA suggests that firms
use “cloud or physical external hard-drive backup systems.”25
Take steps to keep your cyberspace healthy and protect against
data breaches. There are a number of sources you can look to for
guidance to try to be healthy (and we’re not talking about Chuck
Norris and Christie Brinkley) (well, not just them, anyway). For
example, the Securities Industry and Financial Markets Association
8
See Proposed Amendment to Regulation S-P, Release No.
34-57427; IC-2712; File No. S7-06-08 (Mar. 4, 2008) at 1, available at
https://www.sec.gov/rules/proposed/2008/34- 57427.pdf. The Commission
ultimately did not enact its proposed Regulation S-P amendment.
9 Id. at 11.
10 National Institute of Standards and Technology, Framework for
Improving Critical Infrastructure Cybersecurity, (Feb. 12, 2014), available
at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214-final.pdf.
11 See SEC Cyersecurity Sweep, at 3.
12
Tim Stapleton, Zurich General Insurance, Data Breach Cost:
Risk, Costs, and Mitigation Strategies for Data Breaches, at 2-6, (2012),
available at http://www.zurichna.com/internet/zna/sitecollectiondocuments/
en/products/securityandprivacy/data%20breach%20costs%20wp%20
part%201%20(risks,%20costs%20and%20mitigation%20strategies).pdf.
13 Ponemon Study, supra note 2, at 6.
14
Robert P. Hartwig & Claire Wilkinson, Insurance Information
Institute, Cyber Risks: The Growing Threat at 15 (June 2014), available
at http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf.,
(citing Ponemon Study).
4
DECEMBER 2014
15
SIFMA, Small Firms Cybersecurity Guidance: How Small Firms
Can Better Protect Their Businesses (July 2014), available at http://www.
sifma.org/issues/operations-andtechnology/cybersecurity/guidance-for-smallfirms
[hereinafter SIFMA Cybersecurity Guidance].
16 See Brian Rubin, Shanyn Gillespie & Charlie Kruly, Eight
Days a Week and Eight Ways to Reboot Your Cybersecurity Program;
How All Firms Can Benefit from SIFMA’s New Cybersecurity Guidance,
Bloomberg BNA – Securities Regulation & Law Report (September 26,
2014), available at http://www.sutherland.com/portalresource/lookup/poid/
Z1tOl9NPluKPtDNIqLMRV56Pab6TfzcRXncKbDtRr9tObDdEnC3DmW3!/
fileUpload.name=/PDFArtic.pdf.
17 Id. at 6.
18
Exchange Act Release No. 58515, Admin. Proc. File No. 3-13181,
at 4-5 (Sept. 11, 2008),
available at http://www.sec.gov/litigation/admin/2008/34-58515.pdf.
19
FINRA Letter of Acceptance, Waiver and Consent No.
2007009780901, at 2-3, 7 (Apr. 28,
2009), available at http://disciplinaryactions.finra.org/.
20
SIFMA Cybersecurity Guidance at 3.
21 See SEC Cybersecurity Sweep, supra note 1 at 4-6.
22 SIFMA Cybersecurity Guidance at 3.
23 Id.
24 Id.
25 Id.
NSCP CURRENTS
6. Keep harmful things out of your system by installing antivirus,
email, and website filters.
Year after year, one of the most common New Year’s resolutions is to
quit smoking. While a nicotine addict may have trouble keeping the
harmful substance out of her body, a firm has tools at its disposal to
help protect against invasions into its cyberspace: antivirus software
and web security software. One of SIMFA’s action items is to
maintain “[u]pdated anti-virus software, in addition to web security
software,” and to train personnel to exercise “personal vigilance
against suspicious emails and attachments.” This resolution should
(hopefully) come as no surprise; many firms already maintain
current antivirus software as a standard protective measure.
(Indeed, in a recent cybersecurity survey, the North American
Securities Administrators Association found that 97 percent of
small, state-registered investment advisers used antivirus software,
while 87 percent took the additional step of having antivirus
software “installed on all computers, tablets, smartphones, or other
electronic devices used to access client information.”26
Firms should be aware that FINRA and the SEC have brought
enforcement actions against firms that failed to carry out these
steps. For example:
•
•
The SEC ordered a firm to pay a $100,000 penalty because,
among other things, its procedures recommended—but did
not require—that antivirus software be installed on registered
representatives’ computers.27
FINRA fined a firm $450,000 based, in part, on its failure to (a)
require that field representatives install anti-virus software on
their computers; and (b) review such computers to verify the
installation of the antivirus software.28
7. Control Your Mobile Device.
While the typical resolution may be to limit one’s use of mobiledevice screen time, firms may want to resolve to tackle mobile device
security. Indeed, SIMFA’s final action item is for firms to
“[e]nsure that mobile devices are secure with passwords and [that]
data is encrypted in the event of a loss.” Consistent with that analysis,
in 2011, FINRA fined a firm $300,000 for, among other things, not
requiring that information stored in a laptop be encrypted.29
8. Maintain Healthy Relationships.
One overriding theme from past New Years is that it’s good to
make new friends (and keep the old ones). Nowadays, that could
mean maintaining healthy relationships with vendors that have
access to your firm’s sensitive information. Indeed, as part of its
cybersecurity exam, the SEC asked firms how they manage cyberrisk from their vendors—for example, whether firms audit their
vendors’ cybersecurity practices and use contractual provisions
allocating cybersecurity-related risk.30 States have expressed similar
26 North Am. Sec. Admin. Assoc., Compilation of Results of a Pilot Survey
of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms
(Sept. 2014)at 15, available at http://www.nasaa.org/wp-content/uploads/2014/09/
Cybersecurity-Report.pdf [hereinafter NASAA Cybersecurity Survey]. Surveyed
firms “average three employees and two investment adviser representatives.” Id.
27
Exchange Act Release No. 60733, Admin. Proc. File No.
3-13681, at 2, 4 (Sept. 29, 2009), available at http://www.sec.gov/litigation/
admin/2009/34-60733.pdf.
28
FINRA Letter of Acceptance, Waiver and Consent No.
2009018720501, at 4-5 (Feb. 16, 2011), available at
http://disciplinaryactions.finra.org/.
29
Letter of Acceptance, Waiver and Consent No. 2009019893801,
at 10 (Nov. 21, 2011) (finding that the firm violated the Safeguard Rule and
NASD Rule 3010), available at http://disciplinaryactions.finra.org/.
30 See SEC Cybersecurity Sweep, supra note 1 at 4-5.
concerns and some have enacted regulations to address them.
Massachusetts, for example, requires entities that “own or license”
personal information about Massachusetts residents to: (a) take
“reasonable steps to select and retain” vendors “that are capable of
maintaining appropriate security measures” and (b) incorporate
data security requirements in vendor contracts. In light of these
issues, firms may want to consider getting to know their vendors’
cybersecurity practices and possibly adding cybersecurity risk
allocation provisions to their vendor contracts.
9. Get Involved In The Community.
So, maybe you didn’t get invited to SEC Chair Mary Jo White’s
New Year’s Eve party. (Don’t feel bad—we’re still waiting for our
invitation. Hmmm . . . maybe our cyberdog deleted our e-vite.)
Don’t let this stop you from getting more involved in the (cyber)
community. Consider participating in industry-wide initiatives to
combat cybersecurity threats. For example, the Federal Financial
Institutions Examination Council (FFIEC) recommends that
financial institutions participate in its Financial Services Information
Sharing and Analysis Center (FS-ISAC) to help its efforts to identify,
respond to and mitigate cybersecurity threats and vulnerabilities.31
Also, think about getting involved in securities-related industry
groups that address cybersecurity issues, such as the NSCP.
10. Be Less Stressed.
Your resolution to relax by jetting away to the Bahamas is all well
and good, but for an easier way of lessening your anxiety, consider
obtaining specialized insurance to put you and your firm at ease
about the costs of a potential data breach. Traditional insurance
plans may not cover much of the costs associated with a data
breach, and surveys indicate there is a growing trend of companies
purchasing cyber-liability insurance.32 The following types of
insurance coverage may be available:
•
•
•
•
•
•
•
•
•
•
•
Loss/Corruption of Data;
Business Interruption;
Liability (breach of privacy due to theft of data, virus or
computer attack causing financial loss to third parties, failure
of security causing network system to be unavailable to third
parties, etc.);
D&O/Management Liability;
Cyber-Extortion;
Crisis Management;
Criminal Rewards;
Data Breach;
Identity Theft;
Social Media/Networking; and
Cloud Computing.33
When you pop the champagne and begin a rousing rendition of Auld
Lang Syne at the office’s New Year’s party, you don’t want your staff
singing “should cybersecurity be forgot and never brought to mind.”
Following these 10 resolutions in the coming year may help ensure
that your non-public information stays non-public information and
that your firm stays off the SEC’s and FINRA’s “naughty lists.”34
31
Federal Financial Institutions Examination Council, FFIEC Releases
Cybersecurity Assessment Observations, Recommends Participation in
Financial Services Information Sharing and Analysis Center (Nov. 3, 2014).
“The FS-ISAC is a non-profit, information-sharing forum established by financial
services industry participants to facilitate the public and private sectors’ sharing
of physical and cybersecurity threat and vulnerability information.” Id.
32
Insurance Information Institute, Cyber Risks: The Growing Threat
(June 2014), available at http://www.iii.org/sites/default/files/docs/pdf/paper_
cyberrisk_2014.pdf.
33 Id.
34
While this is really more of a Christmas thing than a New Year’s
thing, you get the idea.
DECEMBER 2014
5