2015 Top 10 Cybersecurity Resolutions for the New Year

NSCP Currents, December 2014

By Brian Rubin, Sam Casey, and Charlie Kruly

About the Authors

Brian Rubin is a partner at Sutherland (http://www.sutherland.com/People/Brian-L-Rubin). He can be reached at brian.rubin@sutherland.com. Sam Casey is an associate at Sutherland (http://www.sutherland.com/People/Samuel-J-Casey). He can be reached at sam.casey@sutherland.com. Charlie Kruly is an associate at Sutherland (http://www.sutherland.com/People/Charles-M-Kruly). He can be reached at charlie.kruly@sutherland.com. The authors would like to thank former Sutherland associate Amanda Powell for her assistance with drafting this article.

Every January 1, countless individuals make New Year’s resolutions, most of which, we’re willing to bet, do not involve cybersecurity. However, with cybersecurity on the hit parades of both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA),1 chief compliance officers (CCOs) of broker-dealers and investment advisers might want to add cybersecurity issues to their New Year’s resolutions for 2015.

1. Get Organized.

After finishing your New Year’s resolution to organize your desk (at least enough to see its top), consider organizing your firm’s policies and procedures to address cybersecurity-related issues. (Of course, if you’ve already addressed such issues, you may want to review them anyway to make sure they are keeping up with the changing landscape—or cyberscape, if you prefer—as discussed below.) These steps might include writing and enforcing reasonable policies and procedures to detect, address, and remediate breaches. FINRA and the SEC have brought cases against firms for falling short in this regard. For example:

• The SEC has brought several cases against firms that failed to follow up on cybersecurity shortcomings that the firms learned of through breaches or regular audits.2
• The SEC fined a firm $100,000 for, among other violations, not auditing the computer security measures employed by registered representatives at the firm’s branch offices.3
• FINRA fined a firm $375,000 for, among other things, failing to review server logs to detect unauthorized network access or intrusions.4

CCOs may also want to help ensure that their firms’ cybersecurity policies and procedures address administrative and physical steps to help prevent a data breach, as required under SEC Regulation S-P (the Safeguards Rule).5 Cyberpolicies that go beyond purely technical safeguards may help firms comply with the Safeguards Rule and may help decrease the likelihood of cyber-attacks from a wider variety of sources. While malicious or criminal attacks cause the plurality of data breaches (42 percent), the majority of breaches are non-nefarious: 30 percent of breaches are caused by human error and 29 percent of breaches are caused by system glitches.6

In addition, CCOs may want to create a cyber-incident response plan so that their firms are prepared if a breach occurs. Once the response plan is created, a CCO may want to regularly test it (just like your New Year’s resolution to regularly check the batteries in your smoke detectors). (Oops—do you need to add “check smoke detector batteries” to your New Year’s resolutions?)

2. Learn Something New by ~~Doing Crossword Puzzles~~ Performing Risk Assessments.

Consider conducting adequate self-assessments of your cybersecurity readiness. FINRA has recommended that firms “should consider . . . at a minimum . . . whether the [firm] is conducting, or should conduct, periodic audits to detect potential vulnerabilities in its systems and to ensure that its systems are, in practice, protecting customer records and information from unauthorized access.”7 FINRA’s point is important because cybersecurity compliance is not static; what may have been state-of-the-art at one time (like 8-track tapes) (or, for the younger generation, cell phones that only made phone calls) could well be out of date by the time an attack hits. The SEC recognized as much in 2008 when it proposed amending Regulation S-P to “set forth more specific requirements for safeguarding information and responding to information security breaches.”8 As the SEC noted at the time, “some firms do not regularly reevaluate and update their safeguarding programs to deal with . . . increasingly sophisticated methods of attack.”9

3. Read More.

Once you’ve finished your New Year’s resolution of expanding your mind by reading War and Peace (and other classics you just haven’t had time to get around to, like Graham and Dodd’s Security Analysis), consider reading more about cybersecurity issues. You and your friends such as the Chief Technology Officer, the Chief Information Officer, and in-house counsel may want to set your news alerts beyond your favorite football team and celebrities (like Warren Buffett) by adding terms like “cybersecurity,” “data breach,” and “S-P.” If you’re really looking to read more (and impress your friends at the office New Year’s party), take a crack at reading the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity,10 which the SEC relied on when it conducted its recent cybersecurity sweep exam.11

4. Save Money.

To save money in the long term, think about dealing with cybersecurity issues before a breach or regulatory investigation occurs. While cybersecurity issues will likely cost you one way or another, the costs will probably be less if they’re invested on the front end rather than in cleaning up a breach. Post-breach costs could include multiple high-cost items such as a regulatory penalty, a forensic examination, notification of and follow-up with third parties, credit or identity monitoring, public relations, and legal defense.12 These costs can add up: in 2014, the average total cost of a U.S. company’s data breach was more than $5.85 million.13 However, a “strong security posture” may lessen a firm’s financial exposure. For example, one study suggests that “[c]ompanies that had a strong security posture at the time of the data breach could reduce the average cost-per-record by $14.14 to $131.86” and that “[c]ompanies that had an incident response plan in place also reduced the average cost per record by $12.77.”14

5. Stay Fit and Healthy.

Take steps to keep your cyberspace healthy and protect against data breaches. There are a number of sources you can look to for guidance to try to be healthy (and we’re not talking about Chuck Norris and Christie Brinkley) (well, not just them, anyway). For example, the Securities Industry and Financial Markets Association (SIFMA) recently issued its Small Firms Cybersecurity Guidance, which provides an “action item checklist” that identifies several steps that small firms can take to protect against data breaches.15 Despite the name of the guidance, its lessons can apply to firms of all sizes.16 SIFMA has suggested that, at a minimum, firms consider the following:

• Applying strict and robust password security items.17 Certain firms that failed to heed this advice have been sanctioned, including in the following actions:
  • The SEC ordered a firm to pay a $275,000 penalty for, among other things, failing to take corrective measures in response to an internal audit finding that the firm’s password protection for its proprietary trading system did not meet industry standards for “strong” password protection because, for example, the firm did not require (a) a minimum password length; (b) a complex password involving an alphanumeric/special character combination; (c) expiration of passwords after a specified period of time; and (d) automatic lockout after failed login attempts.18
  • FINRA fined a firm $175,000 for, among other things, failing to protect a firm database containing non-public information by allowing the use of a generic user name (“Administrator”) and password (“password”).19
• Ensuring that only authorized individuals have access to a firm’s systems and data.20 The SEC has also indicated it is interested in what protection, if any, firms have in place to prevent unauthorized access to customers’ online accounts and how firms monitor for unauthorized activity on their systems.21
• Using an application “whitelist” to help ensure that only “trusted software” is executed on firm operating systems.22
• Securing standard operating systems so the firm is not operating on “unsupported or outdated operating systems.”23
• Making software updates automatic and “spot-check[ing] that updates are applied frequently.”24
• Creating a back-up of data in the event a cyber-attack causes the loss or destruction of data. To do so, SIFMA suggests that firms use “cloud or physical external hard-drive backup systems.”25

Notes

1 As every reader of this periodical likely knows, over the past year, the SEC and FINRA have been conducting sweep exams on cybersecurity issues. See National Exam Program Risk Alert: OCIE Cybersecurity Initiative, at 3 (Apr. 15, 2014) [hereinafter SEC Cybersecurity Sweep], available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf (SEC’s cyberexam sweep); FINRA, Targeted Exam Letters: Re: Cybersecurity (Jan. 2014), available at http://www.finra.org/industry/regulation/guidance/targetedexaminationletters/p443219. In addition, reports indicate that FINRA intends to ring in the New Year by “intensify[ing] its scrutiny of cybersecurity practices at brokerage firms in 2015.” See Suzanne Barlyn, Wall St watchdog to bolster reviews of brokerage cybersecurity, Reuters (Oct. 29, 2014), available at http://www.reuters.com/article/2014/10/29/finra-cybersecurityexaminations-idUSL1N0SO2AO20141029.

2 See, e.g., Exchange Act Release No. 64220, Admin. Proc. File No. 3-14328, at 3 (Apr. 7, 2011) (finding that a former CCO aided and abetted a firm’s violation of Regulation S-P), available at http://www.sec.gov/litigation/admin/2011/34-64220.pdf; Exchange Act Release No. 60733, Admin. Proc. File No. 3-13631, at 2, 4 (Sept. 29, 2009) (finding that the firm violated Regulation S-P), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

3 Exchange Act Release No. 60733, Admin. Proc. File No. 3-13631, at 2 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

4 FINRA Letter of Acceptance, Waiver and Consent No. 2008015299801, at 2-3 (Apr. 9, 2010) (finding that the firm violated Regulation S-P and NASD Rules 3010(a) and (b)), available at http://disciplinaryactions.finra.org/.

5 Regulation S-P requires, among other things, that firms establish and enforce written policies and procedures reasonably designed to keep customer records and information confidential and to secure and protect such information from unauthorized access. See 17 C.F.R. § 248.30(a).

6 2014 Cost of Data Breach Study: Global Analysis, The Ponemon Institute, Sponsored by IBM (May 2014) [Ponemon Study] at 8, available at http://www-935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf.

7 NASD Notice to Members 05-49 at 4 (July 2005), available at http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p014772.pdf.

8 See Proposed Amendment to Regulation S-P, Release No. 34-57427; IC-2712; File No. S7-06-08 (Mar. 4, 2008) at 1, available at https://www.sec.gov/rules/proposed/2008/34-57427.pdf. The Commission ultimately did not enact its proposed Regulation S-P amendment.

9 Id. at 11.

10 National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (Feb. 12, 2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework021214-final.pdf.

11 See SEC Cybersecurity Sweep, at 3.
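The four password controls that the SEC order under resolution 5 faults the firm for lacking (minimum length, alphanumeric/special-character complexity, periodic expiration, lockout after failed logins), together with the generic “Administrator”/“password” pair from the FINRA action, are concrete enough to check mechanically. The following is an added example, not code from the article or from SIFMA, the SEC or FINRA; the thresholds (12 characters, 90-day rotation, five attempts, 30-minute lockout) are assumptions standing in for whatever a firm’s own written policy sets.

```python
"""Password-policy and lockout checks for the four controls cited in the SEC
order discussed in the article, plus rejection of the generic credentials
named in the FINRA action. Added example; thresholds below are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional
import string

# Assumed policy parameters (a firm's written policy would set its own).
MIN_LENGTH = 12
MAX_PASSWORD_AGE = timedelta(days=90)
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_DURATION = timedelta(minutes=30)

# Generic credentials called out in the FINRA action cited in the article.
GENERIC_USERNAMES = {"administrator", "admin"}
GENERIC_PASSWORDS = {"password"}


def password_policy_violations(username: str, password: str) -> List[str]:
    """Controls (a) and (b): return every rule the candidate breaks (empty list = accepted)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_special = any(c in string.punctuation for c in password)
    if not (has_alpha and has_digit and has_special):
        problems.append("must combine letters, digits and special characters")
    if password.lower() in GENERIC_PASSWORDS:
        problems.append("generic/default password")
    if username.lower() in GENERIC_USERNAMES:
        problems.append("generic/shared account name")
    if username and username.lower() in password.lower():
        problems.append("contains the user name")
    return problems


def password_expired(last_changed: datetime, now: datetime) -> bool:
    """Control (c): a password older than MAX_PASSWORD_AGE must be rotated."""
    return now - last_changed > MAX_PASSWORD_AGE


@dataclass
class AccountLockout:
    """Control (d): lock the account after MAX_FAILED_ATTEMPTS consecutive failures."""
    failed_attempts: int = 0
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        if self.locked_until is None:
            return False
        if now >= self.locked_until:
            # Lockout window has elapsed: clear state so the user may try again.
            self.locked_until = None
            self.failed_attempts = 0
            return False
        return True

    def login(self, password_ok: bool, now: datetime) -> str:
        """Process one login attempt; returns 'locked', 'failed' or 'success'."""
        if self.is_locked(now):
            return "locked"          # rejected without even checking the password
        if password_ok:
            self.failed_attempts = 0
            return "success"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.locked_until = now + LOCKOUT_DURATION
        return "failed"


if __name__ == "__main__":
    # Constructed sample inputs, not data from the article.
    for user, pw in [("Administrator", "password"), ("jsmith", "Tr4d3-Fl00r!2015")]:
        print(user, "->", password_policy_violations(user, pw) or "accepted")
    t0 = datetime(2015, 1, 1, 9, 0)
    print("expired after 91 days:", password_expired(t0, t0 + timedelta(days=91)))
    acct = AccountLockout()
    results = [acct.login(False, t0) for _ in range(MAX_FAILED_ATTEMPTS)]
    results.append(acct.login(True, t0 + timedelta(minutes=1)))   # still locked
    results.append(acct.login(True, t0 + timedelta(minutes=31)))  # window elapsed
    print(results)
```

The lockout object is per account and in memory; in a real deployment the counter would live in the authentication store so that attempts spread across several front ends are counted together, and each lockout event would be written to the server logs that the FINRA action under resolution 1 expects firms to review.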
6. Keep harmful things out of your system by installing antivirus, email, and website filters.

Year after year, one of the most common New Year’s resolutions is to quit smoking. While a nicotine addict may have trouble keeping the harmful substance out of her body, a firm has tools at its disposal to help protect against invasions into its cyberspace: antivirus software and web security software. One of SIFMA’s action items is to maintain “[u]pdated anti-virus software, in addition to web security software,” and to train personnel to exercise “personal vigilance against suspicious emails and attachments.” This resolution should (hopefully) come as no surprise; many firms already maintain current antivirus software as a standard protective measure. (Indeed, in a recent cybersecurity survey, the North American Securities Administrators Association found that 97 percent of small, state-registered investment advisers used antivirus software, while 87 percent took the additional step of having antivirus software “installed on all computers, tablets, smartphones, or other electronic devices used to access client information.”26) Firms should be aware that FINRA and the SEC have brought enforcement actions against firms that failed to carry out these steps. For example:

• The SEC ordered a firm to pay a $100,000 penalty because, among other things, its procedures recommended—but did not require—that antivirus software be installed on registered representatives’ computers.27
• FINRA fined a firm $450,000 based, in part, on its failure to (a) require that field representatives install anti-virus software on their computers; and (b) review such computers to verify the installation of the antivirus software.28

7. Control Your Mobile Device.

While the typical resolution may be to limit one’s use of mobile-device screen time, firms may want to resolve to tackle mobile device security. Indeed, SIFMA’s final action item is for firms to “[e]nsure that mobile devices are secure with passwords and [that] data is encrypted in the event of a loss.” Consistent with that analysis, in 2011, FINRA fined a firm $300,000 for, among other things, not requiring that information stored in a laptop be encrypted.29

8. Maintain Healthy Relationships.

One overriding theme from past New Years is that it’s good to make new friends (and keep the old ones). Nowadays, that could mean maintaining healthy relationships with vendors that have access to your firm’s sensitive information. Indeed, as part of its cybersecurity exam, the SEC asked firms how they manage cyberrisk from their vendors—for example, whether firms audit their vendors’ cybersecurity practices and use contractual provisions allocating cybersecurity-related risk.30 States have expressed similar concerns and some have enacted regulations to address them. Massachusetts, for example, requires entities that “own or license” personal information about Massachusetts residents to: (a) take “reasonable steps to select and retain” vendors “that are capable of maintaining appropriate security measures” and (b) incorporate data security requirements in vendor contracts. In light of these issues, firms may want to consider getting to know their vendors’ cybersecurity practices and possibly adding cybersecurity risk allocation provisions to their vendor contracts.

9. Get Involved in the Community.

So, maybe you didn’t get invited to SEC Chair Mary Jo White’s New Year’s Eve party. (Don’t feel bad—we’re still waiting for our invitation. Hmmm . . . maybe our cyberdog deleted our e-vite.) Don’t let this stop you from getting more involved in the (cyber) community. Consider participating in industry-wide initiatives to combat cybersecurity threats. For example, the Federal Financial Institutions Examination Council (FFIEC) recommends that financial institutions participate in its Financial Services Information Sharing and Analysis Center (FS-ISAC) to help its efforts to identify, respond to, and mitigate cybersecurity threats and vulnerabilities.31 Also, think about getting involved in securities-related industry groups that address cybersecurity issues, such as the NSCP.

10. Be Less Stressed.

Your resolution to relax by jetting away to the Bahamas is all well and good, but for an easier way of lessening your anxiety, consider obtaining specialized insurance to put you and your firm at ease about the costs of a potential data breach. Traditional insurance plans may not cover much of the costs associated with a data breach, and surveys indicate there is a growing trend of companies purchasing cyber-liability insurance.32 The following types of insurance coverage may be available:

• Loss/Corruption of Data;
• Business Interruption;
• Liability (breach of privacy due to theft of data, virus or computer attack causing financial loss to third parties, failure of security causing network system to be unavailable to third parties, etc.);
• D&O/Management Liability;
• Cyber-Extortion;
• Crisis Management;
• Criminal Rewards;
• Data Breach;
• Identity Theft;
• Social Media/Networking; and
• Cloud Computing.33

When you pop the champagne and begin a rousing rendition of Auld Lang Syne at the office’s New Year’s party, you don’t want your staff singing “should cybersecurity be forgot and never brought to mind.” Following these 10 resolutions in the coming year may help ensure that your non-public information stays non-public information and that your firm stays off the SEC’s and FINRA’s “naughty lists.”34

Notes (continued)

12 Tim Stapleton, Zurich General Insurance, Data Breach Cost: Risk, Costs, and Mitigation Strategies for Data Breaches, at 2-6 (2012), available at http://www.zurichna.com/internet/zna/sitecollectiondocuments/en/products/securityandprivacy/data%20breach%20costs%20wp%20part%201%20(risks,%20costs%20and%20mitigation%20strategies).pdf.

13 Ponemon Study, supra note 2, at 6.

14 Robert P. Hartwig & Claire Wilkinson, Insurance Information Institute, Cyber Risks: The Growing Threat at 15 (June 2014), available at http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf (citing Ponemon Study).

15 SIFMA, Small Firms Cybersecurity Guidance: How Small Firms Can Better Protect Their Businesses (July 2014), available at http://www.sifma.org/issues/operations-andtechnology/cybersecurity/guidance-for-smallfirms [hereinafter SIFMA Cybersecurity Guidance].

16 See Brian Rubin, Shanyn Gillespie & Charlie Kruly, Eight Days a Week and Eight Ways to Reboot Your Cybersecurity Program; How All Firms Can Benefit from SIFMA’s New Cybersecurity Guidance, Bloomberg BNA – Securities Regulation & Law Report (September 26, 2014), available at http://www.sutherland.com/portalresource/lookup/poid/Z1tOl9NPluKPtDNIqLMRV56Pab6TfzcRXncKbDtRr9tObDdEnC3DmW3!/fileUpload.name=/PDFArtic.pdf.

17 Id. at 6.

18 Exchange Act Release No. 58515, Admin. Proc. File No. 3-13181, at 4-5 (Sept. 11, 2008), available at http://www.sec.gov/litigation/admin/2008/34-58515.pdf.

19 FINRA Letter of Acceptance, Waiver and Consent No. 2007009780901, at 2-3, 7 (Apr. 28, 2009), available at http://disciplinaryactions.finra.org/.

20 SIFMA Cybersecurity Guidance at 3.

21 See SEC Cybersecurity Sweep, supra note 1, at 4-6.

22 SIFMA Cybersecurity Guidance at 3.

23 Id.

24 Id.

25 Id.

26 North Am. Sec. Admin. Assoc., Compilation of Results of a Pilot Survey of Cybersecurity Practices of Small and Mid-Sized Investment Adviser Firms (Sept. 2014) at 15, available at http://www.nasaa.org/wp-content/uploads/2014/09/Cybersecurity-Report.pdf [hereinafter NASAA Cybersecurity Survey]. Surveyed firms “average three employees and two investment adviser representatives.” Id.

27 Exchange Act Release No. 60733, Admin. Proc. File No. 3-13681, at 2, 4 (Sept. 29, 2009), available at http://www.sec.gov/litigation/admin/2009/34-60733.pdf.

28 FINRA Letter of Acceptance, Waiver and Consent No. 2009018720501, at 4-5 (Feb. 16, 2011), available at http://disciplinaryactions.finra.org/.

29 Letter of Acceptance, Waiver and Consent No. 2009019893801, at 10 (Nov. 21, 2011) (finding that the firm violated the Safeguard Rule and NASD Rule 3010), available at http://disciplinaryactions.finra.org/.

30 See SEC Cybersecurity Sweep, supra note 1, at 4-5.

31 Federal Financial Institutions Examination Council, FFIEC Releases Cybersecurity Assessment Observations, Recommends Participation in Financial Services Information Sharing and Analysis Center (Nov. 3, 2014). “The FS-ISAC is a non-profit, information-sharing forum established by financial services industry participants to facilitate the public and private sectors’ sharing of physical and cybersecurity threat and vulnerability information.” Id.

32 Insurance Information Institute, Cyber Risks: The Growing Threat (June 2014), available at http://www.iii.org/sites/default/files/docs/pdf/paper_cyberrisk_2014.pdf.

33 Id.

34 While this is really more of a Christmas thing than a New Year’s thing, you get the idea.