The Securities and Exchange Commission argued this week that a number of large firms had faulty cybersecurity policies and procedures in place, resulting in the breach of clients’ personal information. But a number of industry legal observers say the commission should be clearer about what it requires in the first place.
The commission’s actions emphasized the implementation of multifactor authentication (MFA) for the email accounts of employees and contractors. MFA is the “second step” required to log in to an email account or other account, typically a code sent to a mobile phone or another device. According to some securities attorneys, while Regulation S-P, the commission’s data privacy rule, may not specifically require MFA, firms should nevertheless ensure they have it in place and that employees actually use it, or risk similar sanctions and monetary fines from the commission.
“Obviously, past SEC enforcement actions in this area have emphasized the importance of cybersecurity policies needing to be implemented and followed,” A. Valerie Mirko, a partner with Baker McKenzie, said in an interview with WealthManagement.com. “The SEC did not specifically say that Reg S-P mandates MFA in all cases, but it’s making it really clear with these orders that firms should have MFA in place, particularly once a firm is on notice that there may have been email account takeovers.”
The SEC’s actions targeted a number of advisory and brokerage firms under Cetera, Cambridge Investment Research and KMS Financial Services, a former Ladenburg Thalmann firm that was eventually folded into Securities America, a b/d under Advisor Group.
According to the commission, the eight firms failed to have proper cyber policies and procedures in place (and in many cases, failed to implement those they did have), which left them vulnerable to attacks from unauthorized third parties in which company emails were taken over, exposing thousands of clients’ personally identifiable information.
The complaint stated, in many cases, employees did not have MFA turned on for their email accounts, even though MFA was spelled out in the firms’ written cyber policies.
Would these firms have escaped the commission's judgment and monetary fines if they simply had not spelled out MFA policies in their own documents in the first place? It's not clear. Regulation S-P requires that firms have policies and procedures “reasonably designed” to protect client information.
The ambiguity of that phrase leaves a wide window open for interpretation. Max Schatzow, an attorney at the law firm Stark & Stark, said the commission’s cyber orders this week were frustrating, arguing that the SEC hasn’t supplied adequate guidance on what is reasonable (he also believed the SEC was “throwing a rock at a glass house,” as it has itself previously suffered data breaches).
“Data security is just a really difficult subject area; it’s really hard to be perfect and advisors across the country and world struggle with it,” Schatzow said. “I think everyone has good intentions and is trying to do their best, but there should be a more collaborative effort to protect Americans’ public data. I don’t think investment advisors should be the scapegoat for that.”
Even if security measures like multifactor authentication are properly implemented, the industry’s main challenge is contending with risks many aren't yet aware of, given the evolving tactics of hackers and cybercriminals, according to Susan Schroeder, a partner and vice chair of the Securities and Financial Services Department at the law firm WilmerHale (and a former head of enforcement for FINRA). Firm policies have to continuously evolve, because no matter how vigilant a firm may be, there will always be innovation from “bad actors” seeking to exploit weaknesses.
“We’re always going to look in the rearview mirror (and say) that people should have known that could have happened,” Schroeder said. “The industry’s trying to manage risk it can’t name right now.”
To Schatzow, the SEC's actions show that if firms and independent contractors are using email to exchange nonpublic information with clients, multifactor authentication remains the easiest and most cost-efficient protective measure. While he didn’t expect the SEC to pursue similar cyber-related enforcement actions against smaller firms immediately, he hopes commission staff will release guidance on what they deem “reasonable,” including appropriate spending on IT work and best practices.
“Just tell us what you want and we’ll try to deliver. If we can’t, then at least we’re making informed decisions,” he said. “But until then, it’s kind of a guessing game.”