On October 29, 2021, Commissioner Elad L. Roisman spoke to the Los Angeles County Bar Association and discussed the challenges SEC registrants face when dealing with cyber threats. In addition to articulating the current obligations of Registered Investment Advisors (“RIAs”) regarding cybersecurity, Roisman expressed his belief that further rulemaking is necessary to clarify advisors’ obligations. His speech can be reviewed at https://www.sec.gov/news/speech/roisman-cybersecurity-102921.
Specific obligations under existing rules
The SEC has adopted certain principles-based rules for RIAs and broker-dealers, which identify specific cyber vulnerabilities. In 2000, the SEC finalized Rule 30(a) of Regulation S-P, more commonly known as the Safeguards Rule. The rule requires registered broker-dealers and RIAs to adopt written policies and procedures that are intended to address administrative, technical, and physical safeguards for the protection of customer records and information. The rule also requires that these written policies and procedures be reasonably designed to:
- Ensure the security and confidentiality of customer information and records;
- Protect customer information and records against any expected threats or hazards to their security or integrity; and
- Guard against unauthorized access to records and information, which could culminate in substantial harm or inconvenience to any customer.
In 2013, the Commission joined the Commodity Futures Trading Commission (“CFTC”) in adopting the so-called Red Flags Rule. The rule requires certain SEC-regulated entities, including broker-dealers, investment companies, and some RIAs, to adopt a written identity theft program. As part of that program, regulated entities should design policies and procedures that can help firms to identify and address certain identity theft red flags.
Firms’ general obligations relating to cybersecurity
In addition, there are general rules that cover registered entities’ obligations pertaining to cybersecurity. Rule 206-4(7) under the Investment Advisers Act of 1940 requires RIAs to adopt and implement written compliance policies and procedures that are reasonably designed to prevent violations of the statute and its rules. Among their other fiduciary obligations, investment advisors and their supervised persons owe a duty to protect their clients from cyber-attacks.
Because advisors rely heavily on technology in their businesses, Roisman recommended that the SEC bring more clarity to cybersecurity issues. For example, firms may be confused about whether to notify the SEC and investors in the event of a cybersecurity breach. Roisman stated that although this obligation should be principles-based, advisors should have the flexibility to customize notification procedures to their business, as well as the facts and circumstances of the situation. Roisman stressed that there should be some framework for reporting cyber incidents to clients and to the SEC if an RIA deems them to be material. Roisman pointed to the requirements that FINRA has imposed on broker-dealers, which obligate them to alert the self-regulatory organization regarding systems-related incidents.
Roisman gave no timeline for when this framework can be expected. In the interim, however, he observed there are certain well-defined obligations governing cybersecurity preparedness and response. The SEC’s enforcement and examination programs enforce those cybersecurity obligations to prevent violations of existing rules.
For several years, the Enforcement Division has been investigating alleged failures of market participants to live up to their cybersecurity obligations. Leading this effort has been the Enforcement Division’s Cyber Unit, which was established in 2017 to investigate and prosecute technology-related violations of the federal securities laws. Among its responsibilities, the Cyber Unit investigates:
- Cybersecurity violations including cyber-related controls at regulated entities;
- Issuer disclosures of cybersecurity incidents and risks; and
- Cyber-related manipulations, such as brokerage account takeovers.
Roisman cautioned the audience that not all cybersecurity incidents and breaches will give rise to an enforcement action. The SEC’s goal is to address situations where the entity failed to fulfill its legal responsibilities, not to blame the victim.
Roisman reminded the audience of recent actions taken by the Enforcement Division. On August 30, 2021, the SEC announced the resolution of enforcement actions against three firms and their affiliates. The enforcement actions resulted from the firms’ deficient cybersecurity policies and procedures. These failures led to email account takeovers and exposed the personal information of thousands of customers and clients. When there is an email account takeover, an unauthorized third party gains access to the account and can take the same actions as a legitimate user. These enforcement actions were discussed at length in a Foreside blog post dated September 7, 2021, which can be found at https://www.foreside.com/blog/deficient-cybersecurity-procedures/.
The Commissioner also touted the role of the SEC’s Examinations Division, which has made cybersecurity a priority for a number of years. These examinations encourage compliance and help the SEC learn more about how registered entities are addressing cybersecurity.
In view of the SEC’s ongoing concerns about cybersecurity, RIAs and other registered entities should consider allocating more resources to guard against cyber threats. RIAs should conduct training sessions to ensure that all advisory personnel are aware of their responsibilities pertaining to cybersecurity.
Firms can demonstrate their prudence and diligence by identifying certain providers and experts to contact if a cyber incident occurs. Firms can also be proactive by conducting table-top exercises, which can help to mitigate harm if a cyber-attack takes place. Obviously, however, these measures will not prevent or address every conceivable cyber threat.
Every RIA can benefit from strengthening its cybersecurity policies and procedures. Firms can pay special attention to cybersecurity during the annual review of the firm’s policies and procedures.