Advisor Perspectives welcomes guest contributions. The views presented here do not necessarily represent those of Advisor Perspectives.
Cyberattacks have become so common that it is no longer a question of if a broker dealer, investment advisory firm or financial institution (collectively, “financial firms”) will suffer an attack, but when an attack will occur. In my 19 years as a trial attorney focused on securities and business disputes, I can confidently say that there’s always room for proactive strategies that anticipate negative events. As financial firms rely more on online and out-of-office platforms and services, especially during the COVID-19 pandemic, the likelihood increases that proprietary and confidential, nonpublic customer information (“NPI”) is stolen, deleted or ransomed. Financial firms need to understand the different cyber threats and the defensive measures to protect against attacks.
Covid-19 and cyberattacks
As financial firms rely on work-from-home environments during the pandemic, cyberspace vulnerabilities are heightened. The Financial Crime Enforcement Network (FinCEN) recently encouraged financial institutions to, “remain alert about malicious and fraudulent transactions similar to those that occur in the wake of natural disasters.” According to a VMware Carbon Black report, “[f]rom the beginning of February to the end of April 2020, attacks targeting the financial sector have grown by 238%” and “80% of surveyed financial institutions reported an increase in cyberattacks over the past 12 months, a 13% increase over 2019.”
Regulatory responses to cyberattacks
The emergent threat is precisely why the U.S. Securities & Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) regularly remind financial firms to strengthen and stress test their cybersecurity procedures to guard against cyberattacks. Further, the SEC Office of Investor Education and Advocacy published a 2020 “Investor Alert” warning the public of fraudulent online promotion of COVID-19 cures. The SEC urged the public to be cautious of claims that a company’s products or services can help stop the coronavirus, especially claims that involve micro-cap stocks.
Regulatory guidance does not, however, detail the cybersecurity measures that financial firms are expected to implement. Alex Stamos, a former chief security officer for Yahoo! and Facebook, told the audience at February 2020’s “Securing the Future of the Internet” conference that the current legal guidelines for dealing with cyber threats were insufficient. Stamos noted that Yahoo’s $117.5 million class action settlement in July 2019 (resolving its 2014 data breach) came at a high price for cybersecurity efforts. Courts have sealed, or as he put it “locked up,” breach information, and he lamented this makes it impossible for the industry to learn from cyber attacks.
SEC and FINRA enforcement actions offer essential insight into the vulnerabilities for financial firms. The following examples resulted in regulatory disciplines:
- failing to activate computer antivirus software;
- failing to have sufficient privacy policy opt-out disclosures;
- failing to have adequate security measure implementations;
- failing to have firm laptops protected by encryption and other technological safeguards;
- failing to outline responses to network intrusions;
- failing to implement policy changes resulting from audits and examinations; and
- failing to properly train personnel to protect customer information.
Like the attacks themselves, regulators’ responses continue to evolve. In February 2020, the SEC settled insider trading charges against an employee of Cisco Systems, Inc. The employee worked in its supply chain and used confidential information about an impending acquisition to unlawfully trade securities.i In May 2020, Ares Management LLC, a Los Angeles-based private equity firm settled a case, paying $1 million related to charges it failed to implement and enforce policies and procedures designed to prevent the misuse of material non-public information.ii
Developing a prevention and survival plan
The key to a successful cybersecurity system is having a comprehensive detection and response protocol for the evolving nature of cyberattacks. Each financial firm should have a chain of command organizational chart for reporting and interfacing with regulators to mitigate the risk, and to self-report failings in order to meet regulatory and disclosure duties. Financial firms must also invest in talented personnel to vigilantly manage and oversee the systems and should fortify their security defense networks, and tailor their defenses to protect their most valuable assets. The COVID-19 pandemic’s at-home work environment has elevated the importance of cybersecurity defense networks.
FINRA created a “Small Firm Cybersecurity Checklist” that provides a good starting point for firms and their IT security teams. The SEC also published “best practices” guidance in its “IM Guidance Update.” The guidance includes conducting a periodic assessment of the nature of information a financial firm collects; creation of a strategy that prevents, detects and responds to threats with data encryption; and the implementation of written policies and procedures, and training, that provide guidance concerning relevant threats. The SEC guidance emphasizes that “funds and advisers should identify their respective compliance obligations under the federal securities laws” and should assess “their ability to prevent, detect and respond to cyber-attacks.”
Financial firms should also evaluate the cybersecurity plans, senior personnel and insurance policies of their third-party vendors. Firms should restrict vendor access to ‘need to know’ areas of their computer networks, track vendor database usage, and require vendors to comply with in-house cybersecurity policies.
While there is no one-size-fits-all solution to cybersecurity threats, the best practice guidance and disciplinary enforcement actions are valuable tools to vigilantly stay connected to new types of threats and guidance in the public domain.
Brandon S. Reif is managing partner at Reif Law Group, P.C. As one of the leading attorneys in the securities and financial services industries, Reif has a track record of delivering successful trial verdicts and arbitration awards.
i In the Matter of Charles F. Kerwin, Administrative Proceeding File No. 3-19708, Release No. 88274, 2020 SEC LEXIS 519 (Feb. 24, 2020).
ii In the Matter of Ares Management LLC, Administrative Proceeding File No. 3-19812, Release No. 5510, 2020 SEC LEXIS 1432 (May 26, 2020).