Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

SEC May Target CCOs on Cybersecurity

October 26, 2015

Legaltech News (sub. req.) reported that two recent speeches by Securities and Exchange Commission (SEC) officials probably got the attention of every chief compliance officer (CCO).

In the first, SEC Chief of Staff Andrew J. Donohue indicated that the SEC will continue to bring enforcement actions against CCOs for not addressing compliance issues, including cybersecurity. Donohue tempered his remarks by reiterating SEC Chair Mary Jo White’s position that the SEC does “not bring cases based on second guessing compliance officers’ good faith judgments.” However, Donohue challenged compliance professionals to be “pro-active” in their work and pointed to three recent SEC enforcement actions against CCOs on the ground that they failed to implement compliance programs reasonably tailored to the specific needs of their firms.

Two days after Donohue's speech, White announced: “While cybersecurity attacks cannot be entirely eliminated, it is incumbent upon private fund advisers to employ robust, state-of-the-art plans to prevent, detect, and respond to such intrusions.”

The most recent SEC cybersecurity guidance is its settled enforcement action against investment adviser R.T. Jones Capital Equities Management for allegedly failing to adopt written cybersecurity policies and procedures, as required by the Safeguards Rule of Regulation S-P, before a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals. As a result of these alleged violations, R.T. Jones agreed to pay a $75,000 penalty and undertake remedial efforts, including:

  • Retaining multiple cybersecurity firms to assess the scope of the breach;
  • Removing all PII from its webserver and encrypting all PII on its internal network;
  • Installing a new firewall and logging system;
  • Appointing an information security manager and implementing a written information security policy; and
  • Notifying the affected individuals (both advisory clients and third parties) of the breach and providing them with free identity monitoring.

Because this was the first officially titled SEC "cybersecurity" enforcement action, it appears to be the SEC’s long-awaited "message case" on this issue. In the release announcing the settlement with R.T. Jones, co-chief of the SEC Enforcement Division’s Asset Management Unit Marshall S. Sprung stated: “Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

Commentators believe the SEC will levy harsher sanctions on future violators who fail to implement similar protections where appropriate.

CCOs should incorporate into their firms’ compliance programs the cybersecurity guidance update that the SEC’s Division of Investment Management released in April of this year, which recommended the following measures:

  • Periodically assess their firms’ (i) information and processes, (ii) internal and external cybersecurity threats and vulnerabilities, (iii) security controls and processes, (iv) impact of cyber-related events, and (v) governance structures;
  • Devise a cybersecurity strategy to (i) control access to systems and data, (ii) encrypt data, (iii) restrict use of removable media, (iv) deploy monitoring software, (v) employ data backup and retrieval, and (vi) develop an incident response plan;
  • Implement written policies and procedures and training to provide appropriate guidance; and
  • Assess cybersecurity measures of vendors and business partners.

Yet another federal agency is staking its claim as a marshal in the wild, wild west world of cybersecurity. I don't think there are many corporate officers left who are not struggling to improve their information security policies and practices. But I suspect there are a lot more "message cases" yet to come.

E-mail:    Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
http://www.senseient.com
http://twitter.com/sharonnelsonesq
www.linkedin.com/in/sharondnelson