Views on Financial Services Sector Cybersecurity From J.C. Boggs, Dixie Johnson of King & Spalding

The Securities and Exchange Commission recently released an alert detailing the results of its sweep of financial services firms to gauge their cybersecurity readiness.  At the same time, SEC released a cybersecurity investor bulletin detailing cybersecurity steps individual investors should take.

Bloomberg BNA Privacy & Security Law Report Senior Legal Editor Donald G. Aplin posed a series of questions about the SEC's recent cybersecurity activity to J.C. Boggs and Dixie Johnson , partners at King & Spalding in Washington. Boggs works in the firm's Government Advocacy and Public Policy practice group. Johnson leads the firm's securities enforcement and regulation practice. The two often work together representing businesses and individuals.

Bloomberg BNA: Was there anything in the SEC sweep report-good or bad--that really surprised you?

Johnson: Yes, but before I say, it’s important to note what the SEC sweep report is not. It is not guidance from the Commission, or even the examination staff that authored it. The report makes this clear in the very first footnote. So no matter where you or your firm appear to fall within the various cybersecurity observations in the report, relying too much on it can only give you a false sense of, well, security.

The primary source of authority for the SEC’s policing in this area is Rule 30 of Regulation S-P. It requires “reasonably designed” procedures to insure security and protect against threats or unauthorized access of customer information. Other securities laws impose similar reasonableness requirements on policies and procedures to protect material nonpublic information. By their terms, these are not one-size-fits-all rules. And the SEC’s report doesn’t suggest favored procedures or create safe harbors by adopting any of the practices that were observed. 

Nevertheless, the report does have value. It shows the SEC’s general priority and focus on cybersecurity threats on the financial services industry. And it gives you some idea of what the Commission thinks is included as a measure to protect against those threats. One other benefit of the report is that it gives everyone who’s regulated by the Commission a sense of where they stand in relation to their peers, which isn’t conclusive of the reasonableness of your own policies, but it can help in your assessment. 

With that said, though, one notable thing about the SEC sweep report is that it covers broker-dealer practices through 2013 and investment adviser practices a little more recently, through April 2014. In other words, the report’s observations are about a year old already. That doesn’t make them obsolete, but cybersecurity is advancing quickly. Which just brings me back to my first point about not relying too heavily on the specific observations in the SEC sweep report, but instead to take the issues in it seriously and do your own cybersecurity assessment and update it periodically. 

Boggs: Frankly, I was more than a little surprised that only 24 percent of the examined investment advisor firms incorporate cybersecurity requirements into their contracts with vendors and other business parties. As we noted in a client alert, the cybersecurity chain is only as strong as its weakest link and all companies, including those in the financial services industry, must examine their supply chain, vendors, and network partners to ensure that they are not exposing themselves to weaknesses through their relationships with other companies. In addition, very few of the firms examined addressed how they determine whether they are responsible for client losses resulting from cyber incidents, and only a few firms purchased cybersecurity insurance.

The cybersecurity chain is only as strong as its weakest link and all companies, including those in the financial services industry, must examine their supply chain, vendors, and network partners.

J.C. Boggs, King & Spalding

While perhaps beyond its intended scope, I also found it interesting that the report did not point to any specific lapses that could lead to enforcement proceedings. Nor did the report address whether the staff will recommend new rules to the SEC. Even so, it was an important effort and financial institutions should find value in reviewing industry-wide survey information from a regulator that will enable it to benchmark against peer firms in the industry. 

Bloomberg BNA: Do the differences in how broker-dealers and investment advisors approached various data security issues--e.g. that 84 percent of broker dealers did data security risk assessments of vendors but only 32 percent of investment advisors did so--show investment advisors to be the weak link in the investor cybersecurity chain?

Johnson: That is a possible inference to draw from the reported observations, but I don’t think that’s the full picture. The investment adviser links in the cybersecurity chain that were covered by the examination tended to be smaller, which does not necessarily mean weaker. For example, as you can see from appendix B, about two-thirds of the examined investment advisers handle retail/individual accounts and about the same proportion manage $900 million or less. Also, about one-third of the examined investment advisers do not have custody of their accounts, meaning that someone else--a broker-dealer--does. This is a very small portion of the investment adviser community.

By contrast, appendix A of the sweep report shows over two-thirds of the examined broker-dealers have over 200 registered representatives (i.e., brokers) and over 40 percent of them have over 2,000 brokers. The breakdown of broker-dealers by category/peer group also tends to show a representation of larger firms. 

This is not to say, however, that a small retail investment adviser doesn’t need to have procedures in place to protect customer data. 

But doing a data security risk assessment of a vendor may or may not be a prudent use of limited resources to deal with an adviser’s particular cybersecurity threats. In fact, in many cases, it would be unreasonable to expect a small investment adviser to impose its own cybersecurity requirements through its contracts with a much larger vendor it uses.

In the end, it’s all about adopting reasonable cybersecurity practices, which turns on an individualized assessment of the risks at issue for the particular firm’s business, the resources available and a keen awareness of prevailing practices.

It’s also not just customer account data that may be targeted--old fashioned material nonpublic information may be targeted as well. It will be interesting to see how advisers’ and broker-dealers’ compliance with the SEC’s rules requiring them to adopt policies and procedures to protect against abuse of material nonpublic information may intersect with the cyber world over time.
Bloomberg BNA: Although the report doesn’t specifically indicate what kinds of data security deficits might lead to enforcement action, do you have any guidance for financial institutions about what they should be most concerned about SEC focusing on in the near term?

Johnson: Because the SEC, in general, most frequently focuses on disclosure, it seems probable that the likeliest enforcement actions against publicly traded financial institutions will follow actual data breaches where no prior disclosures warned of the possibility of a breach or where prior or subsequent disclosures gave inaccurate information about the protections in place or what had occurred.

With respect to Regulation S-P, the Commission will look for policies and procedures, including supervisory procedures, designed to safeguard client assets and information. Thinking of the old adage, “where there’s smoke, there’s fire,” in this context, the data breach is the smoke and the lack of relevant cybersecurity procedures and/or appropriate disclosures is the fire the Commission will likely be looking to fight.
Bloomberg BNA: Given that absolute data security is likely impossible, particularly in an environment in which hackers and other malicious actors seem always ahead of the curve and increasingly aggressive, should financial institutions focus more, or at least as much, on mitigating the effects of a breach?

Boggs: What I have learned over the years is that organizations are better off not adopting an either/or approach to prevention and mitigation. Both should be built into your overall cybersecurity plan. And I wouldn’t discount prevention because of a feeling of helplessness or inevitability about an attack.

It’s definitely true that the convenience of access and information transfer, all born of the digital age, has made data security more difficult, and absolute data security likely impossible. With innovation in technology has come the evolution of methods to deliver financial services.

The industry has gone from the widespread use of ATMs in the 1980s, to modern point of sale terminals in the 1990s, to Internet banking in the 2000s and mobile banking in 2010s. Long gone are the days of a firm being able to set up an ironclad security “perimeter” around its network. The perimeter is gone.

To compete today, firms need and want to give employees and customers access to data from anywhere on any device. These new and evolving ways of meeting consumer demand, however, come with new fraud patterns and evolving risks of cyber-attacks.

And bad actors are trying to exploit these technological developments for their own gains. Financial firms’ cybersecurity efforts just need to keep up with--or better yet, stay ahead of--the bad guys. Plus, from a regulatory perspective, it must keep evolving. You’ve got to focus adequate attention and resources to have a set of reasonable procedures to protect customer data in today’s environment.

Just to highlight one area on the prevention front, the SEC report found many of the companies examined were remiss in vetting their vendors and partners. While 84 percent of broker-dealers require cybersecurity risk assessments of vendors that have access to their networks, less than a third of investment advisers had any such requirements. Moreover, the report showed that only about half the broker-dealers have cybersecurity training policies and procedures in place for third parties with network access. Clearly, there remains some low hanging fruit with regard to simple prevention efforts. 

At the same time, it makes good business sense to also consider and devise robust plans for responding to and recovering from a data breach. As the many high-profile data breaches of late illustrate, responding, managing and recovering from a data breach carries as much risk to your business as the breach itself.

As you consider the various types of cyber threats and data at issue, carrying out the “what-if” analysis a few steps further, given your particular business and operations, will be a worthwhile exercise to engage in.

Who needs to be on the response team, including technical and legal advisors? What kind of breach was it? What was lost? Should you suspend certain business activities or try to lock down some or all of your data? What are the consequences of that? Should you report the breach to regulators? Anyone else? Then what?

Of course, you can’t answer--or even know--every question before a breach happens--and I agree, having one is probably inevitable--but you’ll have a lot more time to be thoughtful about the answers to these questions before a breach occurs and be a lot more prepared for dealing with its consequences.

There is clearly a trend in the information security field from a prevention mentality to a focus on rapid detection, where organizations can more quickly identify and mitigate threats. While it doesn’t mean abandoning prevention, it suggests companies devote more resources to detection and remediation than they have in the past, with the understanding that breaches are going to happen. So maybe the simplest way to answer your question is just to say that, in many ways, rapid detection and efficient, effective response is the new prevention.
Bloomberg BNA: The SEC investor bulletin seems to be pretty basic in the data security measures it recommends, such as picking a strong password and using different passwords for different accounts. Should we be worried that individuals with online brokerage accounts are really that unsophisticated about data security?

Johnson: Worried, no. But I would be conscious of that possibility when designing, adopting and implementing a cybersecurity system. Crafting cybersecurity practices based on an employee or customer that can easily identify a phishing scam e-mail, always hovers over a link in an e-mail to verify the URL before clicking on it, or would never enter personal information into an unknown Web address wouldn’t be realistic and would leave your business open to many common threats. The key is to conduct a cybersecurity assessment based on reasonable judgments about the world you operate in.

Also, it’s not necessarily customer sophistication at issue. It’s convenience. Customers will set up weak passwords and use the same passwords on multiple accounts, if they can, because it’s easier to remember one simple password. I think the investor bulletin serves as a good reminder that you have to think about these types of natural tendencies, as well as the likelihood of human error, when designing a cybersecurity system.
Bloomberg BNA: Do you think the report undermines the long-standing sense that financial institutions were the leading edge of data security and had a handle on the issue? For example, the state data breach notification statutes often specifically exempt a company that is covered by the Gramm-Leach-Bliley Act privacy and security provisions (as embodied in the SEC’s Regulation S-P). Is that deference misplaced?

Boggs: After witnessing the string of high-profile data breaches in the last several months, I think everyone understands that just about any organization--financial institutions included--can fall prey to a cyber-attack. No matter how sophisticated or leading-edge you may be in this area, the threats are evolving rapidly and any advantages you may have had at one time are fleeting at best.

Having dedicated more than 25 years to the financial services policy space as counsel to the Senate Banking Committee and otherwise, I think the fact that the financial industry has been deemed as a leader in data security predated GLB and may be better attributed to other factors. 

First and foremost, financial institutions have long recognized that financial information is one of their most important assets. Protection of that information is necessary to establish and maintain the all-important trust between the financial institution and its customers. 

Not surprisingly, financial institutions are a natural target of cybercrime because of the vast amount of proprietary information they have about their customers, not to mention that is “where the money is.” It is because of this advanced recognition that financial institutions and regulators got together fairly early on in the process, primarily through the Federal Financial Institutions Examination Council, to come up with best practices to protect customer information.

Through that collaboration, and the fact that financial institutions have generally been early adopters of new technology, they have earned their leading-edge reputation. That said, one significant data breach can easily wipe out that reputation, not only of a single institution, but of the industry as a whole.

So, to the extent there is a general sense that financial firms were better positioned than other organizations, I think the report shows that to continue to deserve this reputation it’s critical to stay vigilant about protecting customer data, as well as Material Non-Public Information (MNPI), from cyber threats and stay focused on devising response and recovery plans in case of a breach.
Bloomberg BNA: The Financial Industry Regulatory Authority issued a Report on Cybersecurity Practices and an Investor Alert the same day as the SEC release of its sweep report and investor bulletin. Is there anything in the FINRA documents that raise different issues from the SEC report to which financial institutions and investors should pay particular attention?

FINRA makes clear that it will assess the adequacy of a firm’s cybersecurity program based on the particular risks it faces.

Dixie Johnson, King & Spalding

Johnson: The FINRA Report on Cybersecurity provides a far more detailed and in-depth analysis of cybersecurity issues than the SEC sweep report. It outlines cybersecurity-specific principles and practices for risk assessments, technical controls, incident response planning, vendor management and cyber insurance, to name a few of the areas covered. It definitely deserves a careful read. Our Data, Privacy, & Security Practice is in the process of drafting a series of client alerts summarizing and analyzing the FINRA report, and discussing steps that member firms can take to protect themselves.

Also, despite the FINRA report’s disclaimers, similar to those in the SEC report, that FINRA isn’t expressing a legal position and the report doesn’t have the force of law, FINRA does expect firms to consider the principles and effective practices outlined in its report when designing their cybersecurity programs. Yet, for good reason, the FINRA report recognizes over and over again that there is no one-size-fits-all approach to cybersecurity. FINRA makes clear that it will assess the adequacy of a firm’s cybersecurity program based on the particular risks it faces.
Bloomberg BNA: What might the financial services sector expect to see in terms of further federal rulemaking or laws aimed at protecting investor privacy and the security of financial data?

Boggs: Not surprisingly, both Congress and the Obama Administration have identified cybersecurity as a top national policy priority, and financial institutions can look forward to increased regulatory attention from federal, state and non-governmental regulators in 2015.

During an unusually productive lame-duck legislative session at the end of 2014, Congress passed important cybersecurity measures focused on improving how the federal government protects its own networks, including the Federal Information Security Modernization Act of 2014, the National Cybersecurity Protection Act of 2014, the Cybersecurity Enhancement Act of 2014 and the Cybersecurity Workforce Assessment Act of 2014 .

 In the 114th Congress, cybersecurity remains one of the few bipartisan issues in which both parties have expressed substantial agreement, and we expect that the House and Senate will continue to build upon the momentum developed last year to pass legislation designed to increase information sharing with the government and standardize the requirements for when companies must notify customers of data breaches.

 Already, Rep. Dutch Ruppersberger (D-Md.) has reintroduced the Cyber Intelligence Sharing and Protection Act (H.R. 234) and Sen. Tom Carper (D-Del.) has introduced the Cyber Threat Sharing Act (S. 456. Additional legislation relating to cybersecurity and data breaches is expected to be introduced in the coming months.

 Moreover, at Congress’s urging, the SEC is looking into modernizing the required cybersecurity disclosures for public companies (see related report). New disclosure requirements would directly impact publicly-owned financial firms, of course, and you could expect those requirements to have indirect impacts on privately-held financial firms’ disclosures and practices as well. At some point, FINRA may also issue proposed rules based on its latest report.

And we’ve already seen announcements by the Consumer Financial Protection Bureau, along with other federal financial regulators, including the Fed and the Office of Comptroller of the Currency , that leave no doubt that they are all focused on cybersecurity. 

As a result, financial institutions should expect to see plenty of legislative and regulatory activity pertaining to cybersecurity in the coming year. Given the rapidly evolving legal and public policy landscape, we recommend that financial firms keep a close eye on developments for the foreseeable future.