Cybersecurity Update—October 2017

October 20, 2017

Late September and October have seen tremendous activity at the SEC regarding cybersecurity, starting with disclosure of a breach of the SEC's own EDGAR electronic data gathering system. The SEC announced the breach on Sept. 20. A day later the press noted that U.S. Dept. of Homeland Security testing in Jan. 2017 had revealed critical weaknesses in the SEC's systems. The SEC's Chairman, Jay Clayton, issued several press releases, one detailing some aspects of the breach and another presenting the Commission's policy views on cybersecurity. On Sept. 25, the SEC announced the formation of a Cyber Unit and the steps it is taking to protect retail investors. And on Oct. 2, Chairman Clayton provided a further update on the cyber intrusion at the SEC. Political fallout was swift, with many politicians and industry leaders criticizing the SEC for its slowness in releasing information about the breach. Finally, Congress has entered the fray, holding hearings on the cyber intrusion and the SEC's slowness to acknowledge it.

The various releases can be found here:

SEC Chairman Clayton Issues Statement on Cybersecurity:  Discussing Intrusions, Sept. 20, 2017

SEC Statement on Cybersecurity, Sept. 20, 2017

SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors, Sept. 25, 2017

The latter release focused in part on the development of a Cyber Unit of the SEC which "will focus the Enforcement Division’s substantial cyber-related expertise on targeting cyber-related misconduct, such as:

  • Market manipulation schemes involving false information spread through electronic and social media
  • Hacking to obtain material nonpublic information
  • Violations involving distributed ledger technology and initial coin offerings
  • Misconduct perpetrated using the dark web
  • Intrusions into retail brokerage accounts
  • Cyber-related threats to trading platforms and other critical market infrastructure"

In addition, the SEC announced the formation of a Retail Strategy Task Force which "will develop proactive, targeted initiatives to identify misconduct impacting retail investors."  The SEC will use the information generated by its big data analytical work and its Enforcement units to find and root out instances of fraud on retail investors.

Chairman Clayton Provides Update on Review of 2016 Cyber Intrusion Involving EDGAR System, Oct. 2, 2017 press release.  This release lays out five different streams of SEC activity regarding cyber security, including:

1) Review of the 2016 EDGAR intrusion by the Office of Inspector General.

2) Investigation by the Division of Enforcement into the potential illicit trading resulting from the 2016 EDGAR intrusion.

3) A focused review of and, as necessary or appropriate, upgrading of the EDGAR system.

4) A more general assessment and upgrading of the SEC's cybersecurity risk profile and the identification and review of all systems, current and planned (e.g., the Consolidated Audit Trail or CAT), that hold market-sensitive data or personally identifiable information.

5) The SEC's internal review of the 2016 EDGAR intrusion to determine, among other things, the procedures followed in response to the intrusion.

States are stepping into the fray more actively. Separately, NASAA, the North American Securities Administrators Association, which represents the various state securities regulators, released a report and a very handy checklist regarding cybersecurity. Recall that states generally are charged with overseeing "small" advisers, i.e., those with less than $100 million under management.

NASAA Cybersecurity Report: Reporting on over 1000 examinations of state-regulated advisers in early 2017, NASAA compiled a report on the state of such advisers. The report notes that the top five cybersecurity weaknesses found by state examiners were: lack of or inadequate cybersecurity insurance; advisers' failure to test for cybersecurity vulnerabilities; advisers' lack of procedures for securing or limiting access to devices such as laptops, smartphones, etc.; limited or no use of technology specialists or consultants; and a lack of procedures for updating hardware and software.

Cybersecurity Checklist for Advisers: NASAA released a comprehensive 86-point checklist for advisers to use in assessing and/or developing their cybersecurity compliance programs. The checklist is useful for an adviser of any size.

''s perspective: Coming shortly after the announcement that Equifax, a U.S. credit reporting company, had been breached, the breaches at the SEC serve as a stark reminder of any company's, agency's or individual's vulnerability. While commentators quickly pounced on the SEC for its slowness in releasing news of its own breach, our Members are reminded that the Commission is actively reviewing advisers', funds' and other issuers' cybersecurity preparedness. In addition, state regulators have become much more active in attempting to regulate consumer privacy at the state level. Our August update discusses these aspects, and the NASAA Report is informative of the weaknesses affecting many state-registered advisers. Finally, the NASAA cyber checklist is a "must have!" In short, just because the SEC got hacked doesn't mean our Members (or any investment adviser) shouldn't prepare for and try to thwart hackers and cyber-crime... and groups like NASAA are providing very useful tools to help advisers of all sizes.

Posted by Karl Hartmann, Sept. 27, 2017; updated October 20, 2017.