Perhaps 2016 could be considered the year of cyber threats. This is not to say that this was a new issue in 2016, but rarely this year did more than a few news cycles pass without there being talk of a significant cybersecurity attack – be it hackers accessing customer data from a multinational corporation, state-sponsored attacks against foreign corporations, or good old-fashioned (adjusted to the modern age) state-versus-state espionage. Of course, the recent revelations regarding Russian hacking of both the Republican and Democratic National Committees in order to influence the U.S. Presidential election, and reports of similar efforts by Russia to impact upcoming European elections, are a stark reminder of just how serious cybercrime and cybersecurity are. But, in addition to being a national security issue and a business risk for large, multinational companies that hold large quantities of data, cybersecurity is an everyday business risk that must be addressed by companies of all sizes. This is not only because of the business and reputational risk that companies face should they fall victim to an attack, but because those companies’ regulators are now increasingly focusing on the internal controls that entities holding client information are putting in place.
There are multiple SEC and FINRA regulations and rules aimed at protecting confidential client information – the main one used in the context of cybersecurity protections is SEC Regulation S-P, which requires registered entities to “adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information.” Prior to 2016, FINRA, more often than the SEC, had brought enforcement actions for violations of Regulation S-P and similar FINRA rules. In all instances the firms entered into consent orders, in which they did not admit or deny any allegations but consented to the findings of fact contained in the order and to the monetary penalty. Those penalties ranged from approximately $210,000 in customer reimbursements and fines in In re VCA Securities, where a failure to formalize certain cybersecurity training led to wires being sent to an unauthorized bank account after a customer’s email account was hacked, to a $375,000 fine in In re D.A. Davidson & Co. for not having adequate safeguards to protect a database server that contained confidential customer information.
At the beginning of 2016, both the SEC and FINRA stated that one of their regulatory and enforcement priorities would be firms’ policies and procedures, and the implementation of those policies and procedures, to protect customer and firm data. In line with its stated focus, at the very end of its 2015 fiscal year (the SEC’s fiscal year begins in the 4th calendar quarter), the SEC brought its first disciplinary action based solely on a violation of Regulation S-P, against R. T. Jones. The SEC censured and fined R. T. Jones $75,000 for the firm’s failure to adopt written policies and procedures reasonably designed to protect customer information prior to a breach that compromised the personal information of thousands of firm clients. Then, in June of 2016, the SEC handed out a much meatier penalty to Morgan Stanley Smith Barney after customer information it held was hacked and sold to third parties. In the Morgan Stanley matter, the SEC did not find a wholesale failure of Morgan Stanley’s policies and procedures; rather, the Commission’s Consent Order stated that the firm’s policies and procedures with respect to two portals that allowed employees to access confidential account information were not reasonable. As a result, an employee impermissibly accessed and transferred data regarding over 700,000 accounts to his personal server, which was later hacked. Morgan Stanley paid a $1 million fine (the employee involved was criminally convicted and paid a $600,000 fine in a separate matter).
FINRA’s 2016, on the other hand, was notable with regard to cybersecurity for two reasons. First, FINRA made inquiries about cybersecurity a focus of its routine member institution examinations, continuing a program it started in 2014 with the stated goals of (1) better understanding the threats that firms face, (2) increasing understanding of firms’ risk appetite, exposure and major areas of vulnerability, (3) better understanding firms’ approaches to managing these threats, and (4) sharing observations with firms (FINRA released a report based on its findings and observations in February 2015 [http://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf]). Second, in late December, FINRA announced a series of substantial enforcement actions in which it fined 12 separate firms a total of $14.4 million for failing to protect records from alteration. While these were not violations of Regulation S-P, FINRA noted that the enforcement actions were directly related to its focus on cybersecurity.
While the number of firms fined by FINRA sticks out, what is most significant about these enforcement actions is that they were for essentially victimless offenses. There were no allegations that any records had been breached or rewritten; rather, the firms were penalized for failing to have proper procedures in place to prevent that possibility. In the past, all SEC and FINRA actions based on cybersecurity deficiencies followed an actual breach of customer data. If FINRA decides to move further in the direction of penalizing firms for insufficient cybersecurity policies and procedures even where there has been no breach, that could drastically impact firms of all sizes.
Cybersecurity is sure to be a major issue in 2017, as a business and reputational risk as well as a regulatory risk, and firms of all sizes will need to look at their own policies and procedures. Indeed, in its 2015 Report on Cybersecurity Practices, FINRA specified that no firm was off the hook, stating that “no matter the firm’s size or business model” cybersecurity risk assessments served as “foundational tools” for firms. Along these lines, FINRA has published a cybersecurity checklist for small firms’ cybersecurity programs at http://www.finra.org/industry/cybersecurity#checklist, which smaller institutions would be well advised to review, both to protect customer data and to protect the firm from regulatory censure.