Information Security Policy Lessons from Recent SEC Actions

Many financial services firms are currently building programs to comply with the information security requirements of the Securities and Exchange Commission (SEC). In this article we discuss some key information security policy and compliance lessons that organizations can learn and adopt for their own programs. In 2016 the SEC increased its focus on cyber security. Just recently SEC Chairman Mary Jo White claimed that cybersecurity was the single biggest threat to financial systems.

SEC and Cyber Security Requirements

The initial SEC requirements were issued in 2000 as Rule 30(a) of Regulation S-P (17 C.F.R. 248.30(a)) (“Safeguards Rule”) and updated in 2005.

One of the fundamental requirements of the Safeguards Rule is that any registered firm establish a “written information security plan (WSP)” and further adopt written security policies and procedures that are “reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”

As with many regulatory requirements, the SEC did not specify a set of specific controls, but instead supplied a list of general categories. However, as the SEC issues more guidance and takes more enforcement actions, more specific recommendations are revealed.

Compliance Lessons from Recent Actions

First, in early 2016 the SEC released its examination priorities of the Office of Compliance Inspections and Examinations (“OCIE”). One of the primary focus areas was cyber security. According to the report, “In 2016, we [OCIE] will advance these efforts which include testing and assessments of firms’ implementation of procedures and controls.”

Most recently, in April, the SEC charged a broker-dealer and principals with violating the Safeguards Rule as well as failing to preserve email and eFax business communications. The overall violation was that the firm used personal emails to conduct business and failed to maintain records of these transactions. The action resulted in a “cease-and-desist” order accompanied by fines at both the firm and individual level.

Within the Administrative Proceedings and order lie several key lessons that firms can learn, including specific controls organizations can adopt.

Key Security Controls and Policy Takeaways

During the examination the SEC found that the firm’s written security policies actually prohibited the use of personal emails for business purposes.   However, further examination revealed that the security policies were not properly enforced.  First, responsibility for information security controls was not properly assigned.   Second (not surprisingly since no one was responsible), the controls within written policies were not being monitored.   This enforcement action highlights several key areas of information security policy and program implementation that are often overlooked.

Customize your written security policies

While this seems obvious, written policies must be customized. Many firms, attempting to take shortcuts and save money, purchase security policy templates. While templates are a great starting point, they must be customized according to the specific needs of the firm. During the examination the SEC found that the firm had used security policy templates but had failed to perform even the most basic level of customization.

Make People Responsible for Internal Controls

One of the fundamental mistakes many firms make is to develop written policies, but not assign any person or team to be responsible for implementing the policies.  This definition of proper roles and responsibilities is the key link between the written security policies and the business processes that must be adopted to enforce the controls specified in the policies.

This assignment can happen at two levels.  First, a designated security role should be defined (for example, Chief Information Security Officer) with the responsibilities documented.  Second, the role should be assigned to a specific individual.

As cited in the Order: “23. During the Relevant Period, the Safeguards Rule Policy stated that customer records and information, including customer social security numbers, may only be accessed outside of CSC’s office by employees who received approval from CSC’s “designated information officer,” and who have installed appropriate firewalls on their devices. CSC’s WSPs did not identify a “designated information officer,” and employees who accessed customer records and information remotely through personal email accounts did not install appropriate firewalls.”

Written Security Policies must be audited for Effectiveness and Compliance

For example, the Safeguards Rule Policy adopted by the firm required the encryption of Personal Financial Information (PII) on mobile devices. The SEC determined that the firm did not encrypt such records or information according to its own policy. Within the ruling, the SEC noted that the firm failed to keep records of customer communications in violation of Section 17(a) of the Exchange Act and Rule 17a.  Failing to keep accurate records and audit logs is a fundamental failure of the overall program. A security program should not be considered “complete” unless controls for monitoring and audit have also been established, assigned and implemented.

To have an effective information security program, a firm must have more than just a set of written information security policies. Controls must be in place to validate that written policies are being followed. For example, the recent SEC order noted that although the firm did have written policies to prevent the use of personal email addresses, these policies were not assigned or enforced. Further, the firm did not have any effective controls in place for monitoring the effectiveness of internal security policies and controls.

Senior Management is Responsible

The SEC action affirmed that executives can be held personally liable for violations. Within the CSC action, the SEC fined the firm $100,000 but also fined two senior executives $25,000 each. These fines were issued even though the SEC could not determine that any customers were harmed as a result of the violations. This action affirms that individuals can be held responsible for policy violations even if no harm to individuals was demonstrated.

The Bottom Line:  Cyber Security Due Diligence

To be effective, the written security policies must cover key elements of information security and data privacy.  But perhaps just as important as the policies themselves is the implementation of the policies through internal controls that are assigned, enforced and audited.

Firms seeking to comply with SEC safeguards (and other cyber related regulations) must consider a simple question: Is our firm applying cyber security due diligence? In the most basic sense, this implies that the firm has (1) formally adopted a set of security best practices; (2) assigned and implemented the best practices; and (3) monitored for compliance. If your firm needs help demonstrating cyber due diligence, ComplianceShield can help.