On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers. These enforcement actions underscore the following lessons for broker-dealers and investment advisers of all stripes.
- Regulation S-P Remains an SEC Regulatory and Enforcement Priority. Regulation S-P is the SEC regulation that implements the privacy rule of the Gramm-Leach-Bliley Act. An important component of the regulation is the Safeguards Rule that requires all SEC-registered broker-dealers and investment advisers to adopt written policies and procedures that are reasonably designed to: (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of customer information; and (3) protect against the unauthorized access to, or use of, customer information that could result in substantial harm or inconvenience to any customer. For years now, the SEC has included Regulation S-P and the Safeguards Rule as part of its examination priorities focusing on cybersecurity and has used them as bases for enforcement actions against firms that have allegedly failed to reasonably protect customer information. In this sense, these three enforcement actions are not new or novel.
- Multi-Factor Authentication as a Key Component of a Reasonable Information Security Program. While Regulation S-P is not a prescriptive regulation and the SEC’s guidance to date has not otherwise required it, these enforcement actions appear to indicate that the SEC expects multi-factor authentication (“MFA”) to be deployed as a defensive measure against account takeovers. Authentication that relies solely upon usernames and passwords is vulnerable to phishing, password spraying and brute forcing. Put differently, firms that have not implemented MFA to access internal or external information systems containing customer information, including cloud-based email, may have a more difficult time convincing the SEC that they are satisfying their obligations under Regulation S-P. Indeed, the consent orders for all three enforcement actions allege that none of the nearly two hundred email accounts at the firms were protected by MFA when they were compromised.
- Responsibility for Independent Contractors Under Enterprise Information Security Programs. All three enforcement actions involved allegations against firms for business email compromises relating to cloud-based email accounts for both employees and independent contractors that were covered by each firm’s enterprise information security program. Given this, when conducting risk assessments and maintaining information security programs, firms should carefully consider how independent contractors receive customer information or access external or internal information systems that contain customer information and whether existing policies, procedures, and controls protect against the unauthorized access of that information.
- Policies and Procedures Are Necessary But Not Sufficient Alone. Although the SEC clearly expects information security programs to be documented, i.e., supported by written policies and procedures, such documentation may be viewed as a “paper tiger” to the extent the rules and requirements are not actually implemented. While documenting, communicating to and training users on security policies and procedures have long been considered foundational elements of a compliant enterprise security program, these “administrative controls” are not enough in and of themselves to satisfy the SEC. Policies and procedures should be developed along with plans for implementing, monitoring and enforcing them and a reasonably prompt timeframe for implementation should be adopted and followed.
- Response and Remediation Are Important Aspects of Any Information Security Program. While the SEC recognized the efforts of the firms in all three enforcement actions to remediate the business email compromises, each firm was fined by the SEC for its alleged Regulation S-P failure. Tellingly, the allegations in at least one of the orders indicate that the firm was aware of the risk for several months before the compromises occurred but did not remedy it in time. The SEC in that order also alleged that it took the firm over two years to fully implement MFA despite the recommendations by forensic firms to expedite the implementation. Given this, firms should promptly address any significant risks that are identified through risk assessments or the administration of their information security programs. Firms should also prepare in advance for likely security incidents, including having a written incident response plan and outside counsel, forensics firms, and other resources lined up to help them promptly address these quickly-moving situations and keep potentially affected customers and other constituents informed.
Because these enforcement actions demonstrate that the SEC is continuing to focus on cybersecurity and will charge firms for alleged lapses, firms should examine their information security programs to see how they stack up against these latest allegations.