SEC's Cybersecurity Risk Alert Reflects Advisory Firms are Gambling with Your Data

In August 2017, the SEC's Office of Compliance Inspections and Examinations issued a Cybersecurity risk alert directed at financial advisory firms. As part of the SEC's 2014 Cybersecurity Initiative, seventy-five firms, including broker-dealers, financial advisors, and funds, were audited between September 2015 and June 2016 in order to assess their Cybersecurity preparedness.

The assessment focused on six pillars of Cybersecurity: (1) company policies and procedures; (2) access rights and controls; (3) data loss prevention; (4) vendor / third party management; (5) training; and (6) incident response. The results were astonishing.

While most firms had Cybersecurity-specific policies and incident response plans, many did not enforce their policies, procedures, and practices. For example, most firms had policies which required annual protection reviews and ongoing supplemental security protocol reviews. Many firms, however, administered reviews once and did not conduct annual or routine reviews as required by their governance.

Similarly, most firms had policies that required employee Cybersecurity training; however many employees did not complete mandatory training once (much less complete ongoing training). This reflects a fundamental problem with how Cybersecurity prevention is viewed-it is not one-time box that must be checked. This is akin to having a policy of counting the money out of the till every day at closing but only doing it once (and telling your employees the day that you are counting). Data should be viewed as money in a cash drawer, and then perhaps robust Cybersecurity prevention and response policies will be executed.

Diligent Cybersecurity prevention requires ongoing review and training. In many jurisdictions, the standard for breach liability is whether the business implemented "reasonable data security practices" or used "best efforts." See, e.g., FTC v. Wyndham Hotels, 799 F.3d 236 (3d Cir. 2015) (requiring "reasonable and appropriate data security" for consumer data); Patco Constr. Co. Inc. v. People's United Bank, 684 F.3d 197 (1st Cir. July 2012) (requiring "commercially reasonable" security practices). Most of the firms that participated in the SEC's Cybersecurity assessment likely failed the test.

Jump to Page
Arrow icon Top

Contact Us

We use cookies to improve your website experience, provide additional security, and remember you when you return to the website. This website does not respond to "Do Not Track" signals. By clicking "Accept," you agree to our use of cookies. To learn more about how we use cookies, please see our Privacy Policy.

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.