Why Care About Privacy & Cybersecurity: Tips for Broker-Dealers & Investment Advisers
The SEC and FINRA have identified Privacy and Cybersecurity as very important issues facing broker-dealers and investment advisers. The federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information. Recent Enforcement Actions have held that broker-dealers and investment advisers must not only have adequately documented Privacy and Cybersecurity policies, but they also must have processes and procedures in place that are consistent with those policies. Consequently, broker-dealers and investment advisers must not only have a comprehensive documented Privacy and Cybersecurity policies and procedures but must ensure that the policies and procedures are also being adequately implemented and utilized. Moreover, the SEC has noted that firms must review and update the procedures regularly to respond to changes in the risks they face.
SEC Examination Priorities for 2021
On March 3, 2021, the SEC released its annual list of examination priorities for 2021 (the “SEC Report”). The SEC Report notes that it will review whether firms have taken appropriate measures to: (1) safeguard customer accounts and prevent account intrusions, including verifying an investor’s identity to prevent unauthorized account access; (2) oversee vendors and service providers; (3) address malicious email activities, such as phishing or account intrusions; (4) respond to incidents, including those related to ransomware attacks; and (5) manage operational risk as a result of dispersed employees in a work-from-home environment. In particular, SEC will also focus on controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information
FINRA Priorities for 2021
On February 1, 2021, FINRA issued its 2021 Report on FINRA’s Examination and Risk Monitoring Program (“FINRA Report“). The FINRA Report notes that a firm’s cybersecurity program should be reasonably designed and tailored to the firm’s risk profile, business model and scale of operations. FINRA reminds firms that we review cybersecurity programs for compliance with business continuity plan requirements, as well as the SEC’s Regulation S-P Rule 30, which requires member firms to have policies and procedures addressing the protection of customer records and information. The FINRA Report also reminds firms of their regulatory obligations in regard to Regulation S-P Rule 30 which requires firms to have written policies and procedures that are reasonably designed to safeguard customer records and information.
FINRA Rule 4370 (Business Continuity Plans and Emergency Contact Information) also applies to denials of service and other interruptions to members’ operations. In addition to firms’ compliance with SEC regulations, FINRA reminds firms that cybersecurity remains one of the principal operational risks facing broker-dealers, and expects firms to develop reasonably designed cybersecurity programs and controls that are consistent with their risk profile, business model and scale of operations. Technology-related problems, such as problems in firms’ change- and problem-management practices, can expose firms to operational failures that may compromise firms’ ability to comply with a range of rules and regulations, including FINRA Rules 4370 (Business Continuity Plans and Emergency Contact Information), 3110 (Supervision) and 4511 (General Requirements), as well as Securities Exchange Act of 1934 (Exchange Act) Rules 17a-3 and 17a-4.
Applicable Rules and Regulations
Regulation S-P (17 C.F.R. § 248.30) requires, among other things, that firms adopt written policies and procedures to secure the confidentiality of customer records and information, and to protect those records against anticipated threats and unauthorized access. Regulation S-P also demands immediate and annual disclosure to customers of a firm’s privacy policies and practices. In addition, the regulation governs the disclosure of nonpublic personal information and account number information that is permitted to unaffiliated third parties. Regulation S-P also generally requires firms to:
- Provide an “Initial Privacy Notice” to customers regarding the firm’s privacy policies and practices, no later than when it begins a customer relationship.
- Provide an “Annual Privacy Notice” to customers reflecting the firm’s privacy policies and practices.
- Provide an “Opt-Out Notice” to customers enabling them to opt-out of some disclosures of non-public personal information to nonaffiliated third parties
Regulation S-ID (17 C.F.R. § 248.201-202) requires that securities firms implement a written program to detect, prevent, and mitigate identity theft in connection with certain customer accounts. Those accounts include retail brokerage accounts or any other personal accounts with a reasonably foreseeable risk to customers from identity theft.
While there are no FINRA rules that specifically require broker-dealers to implement cybersecurity supervisory and compliance practices, FINRA rules relating to supervision likely will require a firm to implement such policies and procedures to comply with other federal cybersecurity laws and regulations applicable to broker-dealers, and FINRA’s reporting rule· might require a firm to report a data breach. FINRA Rule 3110 requires a broker-dealer to establish, maintain, and enforce a system to supervise its activities and the activities of its associated persons that is reasonably designed to achieve compliance with federal securities laws and regulations, as well as FINRA rules. The rule requires a firm to have reasonably designed written supervisory procedures to supervise the activities of its associated persons and the types of businesses in which it engages. FINRA Rule 3120 requires a firm to have a system of supervisory control policies and procedures that tests and verifies a firm’s supervisory procedures. FINRA expects a firm’s written supervisory procedures and supervisory controls to address cybersecurity.
Enforcement Actions
In the Matter of Voya Financial Advisors, Inc., SEC Exchange Act of 1934 Release No. 84288, September 26, 2018.
The SEC found that Voya Financial Advisors, Inc (“Voya”) failed to adopt procedures to protect customer records and address weaknesses in its cybersecurity policy after cyber intruders gained access to the personal information of several thousand customers. The SEC imposed a $1 million penalty on Voya in settlement of charges.
The SEC’s order stemmed from a cyber intrusion that occurred over a six-day period in 2016 where VFA contractors were impersonated and convinced VFA’s support line to change passwords which allowed them to access the personal information of 5,600 VFA customers. The order also found that weakness in VFA’s cybersecurity policies and procedures led to VFA’s failure to terminate the intrusion in a timely fashion. According to the SEC, “This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models. Firms also must review and update the procedures regularly to respond to changes in the risks they face.”
In the Matter of Morgan Stanley Smith Barney LLC, SEC Exchange Act of 1934 Release No. 78021, June 8, 2016.
The SEC found that Morgan Stanley Smith Barney LLC (“Morgan Stanley”) violated Regulation S-P due to its failure to implement sufficient safeguards to protect customer information. The SEC imposed a $1 million penalty on Morgan Stanley in settlement of charges related to failures to protect customer information, some of which was hacked and offered for sale online. Morgan Stanley failed to adopt written policies and procedures reasonably designed to protect consumer data. An employee impermissibly accessed and transferred data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties. This enforcement action illustrates the importance of extending cybersecurity measures to portable media devices like laptops that employees can access remotely.
According to the SEC’s order instituting a settled administrative proceeding:
- The federal securities laws require registered broker-dealers and investment advisers to adopt written policies and procedures reasonably designed to protect customer records and information.
- Morgan Stanley’s policies and procedures were not reasonable, however, for two internal web applications or “portals” that allowed its employees to access customers’ confidential account information.
- For these portals, Morgan Stanley did not have effective authorization modules for more than 10 years to restrict employees’ access to customer data based on each employee’s legitimate business need.
- Morgan Stanley also did not audit or test the relevant authorization modules, nor did it monitor or analyze employees’ access to and use of the portals.
Key Takeaways
The following are best practices for firms to ensure their Privacy and Cybersecurity programs are meeting regulatory requirements and expectations. Firms should review these key takeaways and, where gaps are identified, implement changes to their Privacy and/or Cybersecurity program to address these areas:
- Conduct a comprehensive risk assessment that is designed to assess the Privacy and Cybersecurity risks related to its services, products, customers, locations, transactions, etc.
- Tailor its Privacy and Cybersecurity programs, including policies and procedures, to the firm’s business and customer mix
- Periodically assess whether its Privacy and Cybersecurity programs is keeping pace with changes in its business
- Have adequate resources for its Privacy and Cybersecurity programs
- Have qualified and trained staff to perform the required Privacy and Cybersecurity duties and responsibilities
- Perform independent testing/auditing of the Privacy and Cybersecurity compliance program
Practus Privacy & Cybersecurity Services
Practus provides firms comprehensive and diverse services relating to all aspects of Privacy and Cybersecurity rules and regulations.
Who should you talk to if you have further questions?
If you would like further information concerning the matters discussed in this Legal Insights, please contact Robert Moreiro.