Cyberattacks are attempts by hackers to damage, destroy and/or steal data from a computer network or system. From 2013 to 2015, more than 153.6 million people had information stolen in cyberattacks involving companies such as Fidelity Investments, Charles Schwab, Experian, Anthem, The Ashley Madison Agency, and Sony. With the number of cyberattacks on the rise, directors and trustees of mutual funds should be aware that the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations has implemented a Cybersecurity Examination Initiative. In addition, the SEC has predicted more cyber enforcement cases as it continues to focus on cybersecurity and how the agency can protect investors.
While most funds have insurance coverage, insurance companies have become quite savvy in denying coverage for such attacks under traditional policies. Insurance policies, depending on the language, may not cover losses due to cyber-related damage.
This article discusses the focus of the Cybersecurity Examination Initiative and how to comply with the initiative, as well as how funds can obtain adequate coverage for losses and claims arising from a cybersecurity breach.
OCIE’s Cybersecurity Examination Initiative
OCIE implemented its Cybersecurity Examination Initiative last year, requiring registered broker-dealers and investment advisers to adopt and maintain adequate cybersecurity measures to defend against threats.
OCIE evaluates cybersecurity measures in the following areas:
- Governance and Risk Assessment: Whether registrants have cybersecurity governance and risk-assessment processes and whether those controls and processes are evaluated regularly and adequately personalized to the firm.
- Access Rights and Controls: How firms control access to systems and data through management of user credentials, authentication and authorization, including controls associated with remote access, customer logins and passwords.
- Data Loss Prevention: How firms review the volume of content transferred outside of the firm by employees or through third parties, such as by e-mail attachments or uploads; this includes an assessment of how firms monitor for unauthorized data transfers and verify the authenticity of a customer request to transfer funds.
- Vendor Management: Review of firm practices and controls related to vendor management, such as due diligence in selecting a vendor, monitoring and oversight of vendors and contract terms.
- Training: How training is customized to specific job functions and designed to encourage responsible employee and vendor behavior. Also, review of procedures for responding to cyber incidents under an incident response plan.
- Incident Response: Whether firms have established policies and procedures, assigned roles, assessed system vulnerabilities and developed plans to address a possible future cyber event.
Although the SEC has not yet brought an enforcement action alleging a corporate cyber disclosure violation, it has brought cases against firms for cyber market manipulation and failure to adopt and maintain policies and procedures in advance of a breach that compromised client information. For example, shortly after the Cybersecurity Examination Initiative was announced, the SEC brought a case against R.T. Jones Capital Equities Management, Inc., in which the SEC alleged that R.T. Jones failed to adopt written policies and procedures to ensure the security and confidentiality of personally identifiable information (PII) and failed to protect the information from anticipated threats or unauthorized access. (In the Matter of R.T. Jones Capital Equities Management, Inc., September 2015; Admin. Proc. File No. 3-16827.) Specifically, R.T. Jones failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents. The enforcement action followed a breach that compromised the PII of approximately 100,000 individuals, including firm clients. Without admitting or denying the SEC’s allegations, R.T. Jones agreed to cease and desist from committing or causing any future violations of the securities laws, agreed to be censured, and paid a $75,000 penalty.
More recently, in In the Matter of Morgan Stanley Smith Barney LLC (June 8, 2016; Admin. Proc. File No. 3-17280), Morgan Stanley Smith Barney was charged with failing to comply with Regulation S-P, the Safeguards Rule, that requires broker-dealers and investment advisers registered with the SEC to adopt written policies and procedures reasonably designed to insure the security and confidentiality of customer information and records, protect against anticipated threats or hazards to those records, and protect against unauthorized access or use. Information from approximately 730,000 Morgan Stanley customer accounts was compromised when a former employee downloaded the data to a personal account and it was hacked by a third party. The SEC placed blame on Morgan Stanley because it failed to implement proper controls on its internal portals and failed to monitor employee access to the information. Morgan Stanley consented to the entry of a cease-and-desist order and will pay a penalty of $1 million. The former employee was criminally charged, sentenced to three years’ probation, and ordered to pay $600,000 in restitution. The SEC also banned the former employee from working in the securities industry for five years.
In order to be compliant with the Initiative, registered investment advisers need to have reasonable safeguards in place. Best practices include, but are not limited to:
- Adopting and implementing written security policies and procedures.
- Hiring an expert in cybersecurity as a chief information officer, chief security officer, and/or a chief privacy officer.
- Creating a cybersecurity committee with tech-savvy members to assist with issues.
- Retaining a well-qualified cybersecurity firm to provide ongoing reports and advice on the firm’s information technology security.
- Conducting periodic risk assessments of policies and procedures.
- Removing any PII stored on third-party web servers.
- Encrypting any PII stored on an internal network.
- Installing a firewall and logging system to prevent and detect malicious incursions.
- Ensuring that affiliate organizations that handle PII have protection measures for storing and transmitting the information.
- Investing in cybersecurity insurance and ensuring affiliate organizations also have insurance.
The insurance policies that funds traditionally have relied upon may not cover all or any of the costs and liabilities arising from a cybersecurity incident. In addition to gaps in coverage, insurers have started to add limitations and exclusions specifically aimed at reducing or eliminating coverage relating to cyber incidents.
Cybersecurity policies can help fill the holes in coverage left by traditional policies. Although cyber policies are not standardized, they can include the following types of cyber coverage:
- Liability: The costs of defending against lawsuits and other types of claims alleging, for instance, the failure to protect confidential personal information or the failure to comply with any law, statute, or regulation governing the storage and protection of such information, as well as settlements and judgments.
- Regulatory: The costs of defending against investigations brought by regulators relating to, for instance, the failure to implement privacy and security practices required by law or regulations, as well as civil fines and penalties imposed by regulators.
- Breach response and crisis management: The costs to investigate a known or suspected cybersecurity incident and to comply with data breach reporting requirements, as well as the costs to retain a crisis communication firm to help minimize damage to a fund’s reputation.
- Cyber extortion: Ransom payments made to terminate a cyber extortion threat.
- Business interruption and extra expense: Loss from business interruption and extra expenses arising out of a cyber incident that interrupts operations.
- Data recovery: Costs to replace or restore damaged or destroyed computer programs, software, and electronic data.
Because cyber policies vary from insurer to insurer and cyber exposures vary from fund to fund, it is important to compare proposed cyber policies carefully to find the best fit. In addition, some cyber policies feature vague and subjective exclusions such as the failure to satisfy “minimum requirements” that should be avoided. Some insurers may be willing to work with insureds to make coverage-enhancing changes to their policies. Funds should not hesitate to consult qualified advisors, including legal counsel, to assist them with reviewing and selecting a cybersecurity policy.
Thomas Westle is a corporate and securities partner at Blank Rome LLP with extensive experience in legal issues relevant to registered and unregistered investment companies and investment advisers. Michelle Gitlitz is a corporate and commercial litigation partner at Blank Rome who also has extensive experience in legal issues relevant to registered and unregistered investment companies and investment advisers. James S. Carter is of counsel at Blank Rome in the policyholder-only insurance coverage practice.
Source: Clair Groden, “Here’s who’s been hacked in the past two years,” Fortune (Oct. 2, 2015), http://fortune.com/2015/10/02/heres-whos-been-hacked-in-the-past-two-years/.