Many financial services firms are currently building programs to comply with the information security requirements of the Securities and Exchange Commission (SEC). In this article we discuss some key information security policy and compliance lessons that organizations can learn from recent SEC actions and adopt for their own programs. In 2016 the SEC increased its focus on cyber security. Just recently SEC Chairman Mary Jo White claimed that cybersecurity was the single biggest threat to financial systems.
SEC and Cyber Security Requirements
The initial SEC requirements were issued in 2000 as Rule 30(a) of Regulation S-P (17 C.F.R. 248.30(a)) (“Safeguards Rule”) and updated in 2005.
One of the fundamental requirements of the Safeguards Rule is that any registered firm establish a “written information security plan (WSP)” and further adopt written security policies and procedures that are “reasonably designed to: (1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.”
As with many regulatory requirements, the SEC did not specify a set of specific controls, but instead supplied a list of general categories. However, as the SEC issues more guidance and takes more enforcement actions, more specific recommendations are revealed.
Compliance Lessons from Recent Actions
First, in early 2016 the SEC released the examination priorities of its Office of Compliance Inspections and Examinations (“OCIE”). One of the primary focus areas was cyber security. According to the report, “In 2016, we [OCIE] will advance these efforts which include testing and assessments of firms’ implementation of procedures and controls.”
Most recently, in April, the SEC charged a broker-dealer and its principals with violating the Safeguards Rule as well as with failure to preserve email and eFax business communications. The overall violation was that the firm used personal emails to conduct business and failed to maintain records of these transactions. The action resulted in a “cease-and-desist” order accompanied by fines at both the firm and individual level.
Within the Administrative Proceedings and order lie several key lessons that firms can learn, including specific controls organizations can adopt.
Key Security Controls and Policy Takeaways
During the examination the SEC found that the firm’s written security policies actually prohibited the use of personal emails for business purposes. However, further examination revealed that the security policies were not properly enforced. First, responsibility for information security controls was not properly assigned. Second (not surprisingly, since no one was responsible), the controls within the written policies were not being monitored. This enforcement action highlights several key areas of information security policy and program implementation that are often overlooked.
Customize your written security policies
While this seems obvious, written policies must be customized. Many firms attempting to take shortcuts and save money purchase security policy templates. While templates are a great starting point, they must be customized according to the specific needs of the firm. During the examination the SEC found that the firm had used security policy templates but had failed to perform even the most basic level of customization.
Make People Responsible for Internal Controls
One of the fundamental mistakes many firms make is to develop written policies, but not assign any person or team to be responsible for implementing the policies. This definition of proper roles and responsibilities is the key link between the written security policies and the business processes that must be adopted to enforce the controls specified in the policies.
This assignment can happen at two levels. First, a designated security role should be defined (for example, Chief Information Security Officer) with the responsibilities documented. Second, the role should be assigned to a specific individual.
Written Security Policies must be audited for Effectiveness and Compliance
Senior Management is Responsible
The SEC action affirmed that executives can be held personally liable for violations. Within the CRC action, the SEC fined the firm $100,000 but also fined two senior executives $25,000 each. These fines were issued even though the SEC could not determine that any customers were harmed as a result of the violations. This action affirms that individuals can be held responsible for policy violations even if no harm to individuals was demonstrated.
The Bottom Line: Cyber Security Due Diligence
To be effective, the written security policies must cover key elements of information security and data privacy. But perhaps just as important as the policies themselves is the implementation of the policies through internal controls that are assigned, enforced and audited.
Firms seeking to comply with SEC safeguards (and other cyber-related regulations) must consider a simple question: Is our firm applying cyber security due diligence? In the most basic sense, this implies that (1) the firm has formally adopted a set of security best practices; (2) assigned and implemented the best practices; and (3) monitored for compliance. If your firm needs help demonstrating cyber due diligence, ComplianceShield can help.