An SEC risk alert issued last week on compliance issues around cybersecurity and data privacy may have been a “regulatory warning shot,” and enforcement actions could follow soon, says Todd Cipperman, Philadelphia-based founding principal of Cipperman Compliance Services.
“Generally, these risk alerts precede a sweep and enforcement actions. So, my guess is because of this, in the next six to 12 months, you’re going to see a series of enforcement actions alleging the same sorts of wrongdoing that are highlighted in the risk alert,” says Cipperman, who was surprised by the extent of the issues found by the SEC.
“The fact that they do this sweep, and they find such widespread non-compliance, I think that’s a surprise. Firms just are not taking this seriously,” Cipperman added.
The SEC brought its first enforcement action under the Identity Theft Red Flags Rule last year, which resulted in a $1 million settlement with Voya Financial Advisors. The SEC charged that deficient cybersecurity policies and procedures at Voya failed to protect the personal information of about 5,600 clients in a 2016 breach.
As reported previously, the SEC’s Office of Compliance Inspections and Examinations found many deficiencies and gaps in implementation related to Regulation S-P.
Regulation S-P is the SEC rule regarding the privacy of consumer financial information that was promulgated under the Gramm-Leach-Bliley Act.
The current SEC alert pointed to firms that lacked policies and procedures under the Safeguards Rule altogether, and to others whose policies were poorly designed or poorly implemented. Compliance experts, however, point to a more basic problem: advisory firms often do not understand how to tackle the issue effectively.
“I think the big challenge in this area particularly is just a lack of knowledge,” says Cipperman. “Technology, and cybersecurity — these are not skill sets that most investment management professionals have in their toolbox.”
Askari J. Foy, managing director overseeing ACA Aponix’s global regulatory cybersecurity practice, talks about the need for chief technology officers and chief information officers to leverage their respective expertise to “communicate and collaborate to oversee the cybersecurity function, because there is accountability and responsibility for both.”
But designing effective policies goes well beyond the C-suites at head offices — especially for a broker-dealer industry that works with affiliated advisors across the country.
Foy, who previously worked on cybersecurity within the SEC’s Office of Compliance Inspections and Examinations, says that when information security is centralized at the corporate level, a gap opens: the data-security and systems concerns specific to an affiliated advisor or broker-dealer may never make it into the corporate approach.
“That lack of input from the affiliated broker-dealers and advisors is not being communicated upward or downward to make sure that there is a comprehensive enterprise risk management function,” says Foy. “We see a lot of firms that may not have branch-level supervisory procedures; [procedures] may not be documented because they rely on the big corporate policies and procedures.”
Foy says branch-level controls over hardware and software are critical. An equally important aspect is approval for the use of external applications and vendors. Such approval can become especially tricky in the independent broker-dealer model.
“Do they know what type of vendors the branch offices are using? The type of data sets that are being maintained? What systems this information is being located on? Particularly with the independent broker-dealer model, they’re able to purchase their different networks, their software — they set up their own shop. So how does the home office get a good handle on what these independent contractors are using?” asks Foy.
Cipperman agrees that supervision becomes more difficult in the independent broker-dealer model, but argues that this does not absolve firms of their compliance obligations.
As identified by the SEC in its alert, outside vendors are another vulnerability for broker-dealers and investment advisors.
Foy says third-party vendors are not only an area of regulatory focus but also attractive targets for hackers, since vendors may hold personally identifiable information or material non-public information.
“How are you really overseeing that particular vendor or your portfolio of vendors, and do you have a good classification scheme to identify which vendors are more critical than others?” asks Foy. “A lot of firms are outsourcing that function. You can outsource the function but the responsibility and accountability still remains at the firm.”