The Securities and Exchange Commission argued this week that a number of large companies had implemented flawed cybersecurity policies and procedures, leading to the breach of customers’ personal information. However, a number of industry legal watchers say the commission should be clearer about what it is asking in the first place.
“Obviously, past SEC enforcement actions in this area have highlighted the importance of cybersecurity policies that must be implemented and followed,” said A. Valerie Mirko, partner at Baker McKenzie, in an interview with WealthManagement.com. “The SEC did not specifically state that Reg SP requires MFA in all cases, but what they do make really clear is that companies should set up MFA, especially if a company learns that there may have been email account takeovers.”
The SEC’s actions were directed against a number of consulting and brokerage firms, including Cetera, Cambridge Investment Research and KMS Financial Services, a former Ladenburg Thalmann company that was eventually incorporated into Securities America, a b/d under the Advisor Group.
According to the commission, the eight companies had not put in place (and in many cases not implemented) adequate cyber policies and procedures, making them vulnerable to attacks from unauthorized third parties who hijacked company emails, thereby exposing the personal data of thousands of customers.
The complaint states that in many cases, employees did not enable MFA for their email accounts, even though MFA was set out in the company’s written cyber policies.
Would these firms have escaped the Commission’s judgment and the fines had they not written out the MFA policy in their own documents? It is unclear. Regulation SP requires companies to have policies and procedures that are “adequately designed” to protect customer information.
The ambiguity of this sentence leaves a wide window for interpretation. Max Schatzow, an attorney at law firm Stark & Stark, said the commission’s cyber actions this week were frustrating, arguing that the SEC failed to provide adequate guidance on what is appropriate (he also believed the SEC was throwing “a stone on a glass house”, as it had itself been the victim of data breaches before).
“Data security is just a really difficult subject; it’s really hard to be perfect and consultants across the country and around the world struggle with it,” said Schatzow. “I think everyone has good intentions and tries to do their best, but there should be stronger collaboration to protect Americans’ public data. I don’t think investment advisors should be the scapegoat for that.”
Even when security measures like multi-factor authentication are properly implemented, the biggest challenge facing the industry is addressing risks that many are unaware of, given the evolving tactics of hackers and cybercriminals, said Susan Schroeder, partner and vice chairman of the securities and financial services division of the law firm WilmerHale (and former head of enforcement for FINRA). Company policy must constantly evolve, because no matter how vigilant the company may be, there will always be innovations from “bad actors” who try to exploit weaknesses.
“We will always look in the rearview mirror (and say) that people should have known that this could have happened,” said Schroeder. “The industry tries to manage risks that it cannot name at the moment.”
For Schatzow, the SEC’s actions show that multi-factor authentication remains the simplest and most cost-effective protection measure when firms and independent contractors use email to share non-public information with customers. While he did not expect the SEC to immediately take similar cyber-related enforcement actions against smaller companies, he hopes the Commission staff will issue guidance on what they consider “appropriate,” including adequate spending on IT work and proven procedures.
“Just tell us what you want and we will try to deliver. If that is not possible, we at least make informed decisions,” he said. “But until then, it’s kind of a guessing game.”