Cybersecurity has quickly come to the forefront of the regulatory landscape. Both the Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) have recently issued fines to commodity pool operators and investment advisers (collectively, along with commodity trading advisors, “Advisors”), as well as to a futures commission merchant, relating to cybersecurity. Additionally, the CFTC has indicated that Advisors who rely upon third-party service providers to address their cybersecurity needs cannot take a hands-off approach to cybersecurity; they must diligently monitor and supervise their own systems and accounts, the provision of such third-party services, and such third parties’ own defenses and vulnerabilities.
Regulators have relied upon various rules to allow them to regulate cybersecurity and related threats to investors. The SEC’s Safeguards Rule (Rule 30(a) of Regulation S-P) and the Identity Theft Red Flags Rule (Rule 201 of Regulation S-ID) require Advisors to adopt written policies and procedures (including a written identity theft prevention program to detect, prevent and mitigate identity theft) and to protect personally identifiable information (PII) from threats, hazards and unauthorized access that could harm their customers. CFTC Regulation 160.3 provides similar requirements.
Additionally, National Futures Association Compliance Rules 2-9, 2-36 and 2-49, CFTC Regulation 166.3, Section 203(e)(6) of the Investment Advisers Act of 1940 and Section 15(b)(4)(e) of the Securities Exchange Act of 1934 provide that Advisors must diligently supervise all activities relating to their business as an Advisor that are handled by their partners, officers, employees and agents, including cybersecurity. Three recently settled enforcement actions illustrate how the SEC’s and CFTC’s enforcement of these rules should change the way Advisors approach their cybersecurity programs.
The SEC recently settled its first enforcement action alleging a breach of the Identity Theft Red Flags Rule relating to cybersecurity. As alleged by the SEC in its enforcement action, the Advisor outsourced cybersecurity to its parent, which relied heavily upon independent contractors to perform these functions. These contractors had access to the Advisor’s web portal containing its customers’ PII. Over six days, attackers impersonating the contractors called the Advisor asking that portal passwords be reset. In two instances, the passwords were reset and the contractors’ usernames were provided, granting the attackers access to the PII of at least 5,600 customers.
Following the incident, the Advisor failed to quickly and adequately remedy the situation. The SEC alleged that this constituted a violation of the SEC’s rules designed to protect customer PII and respond to cybersecurity incidents, as well as detect, prevent and mitigate identity theft. As part of the settlement, the Advisor agreed to pay a fine of $1 million.
In two other actions, the CFTC charged a commodity pool operator (CPO) and a futures commission merchant (FCM) with a failure to supervise the activities of a third-party service provider.
In the first action, the CFTC alleged that the CPO engaged an administrator to manage its bank accounts and provide other services. Over 21 days, an attacker who “spoofed” the email accounts of the CPO sent seven requests to the administrator to wire money out of the Advisor’s accounts. As a result, the administrator transferred $5.9 million, or 64% of the CPO’s capital pool, to the attackers. The CFTC claimed the CPO’s failure to monitor its bank accounts and the administrator’s activities constituted a failure to supervise. As part of the settlement, the CPO agreed to pay a fine of $150,000.
In the second action, the CFTC alleged that an FCM retained a third party to implement “critical” provisions of its information system security program (ISSP). The third party installed a network attached storage device (NASD) on the FCM’s network to function as a backup. However, it failed to identify that the NASD had an unencrypted, open port which could be accessed via the internet. As a result, an open route through the FCM’s firewalls and into its network was created. Eventually, an attacker accessed the network and copied around 97,000 files from the NASD, including files containing customer PII. The attacker informed the FCM and the CFTC of the breach and surrendered the files to federal authorities. Again, the CFTC claimed the FCM’s failure to monitor the activities of the third party constituted a failure to supervise. As part of the settlement, the FCM agreed to pay a fine of $100,000.
These actions illustrate the SEC’s and CFTC’s recent focus on cybersecurity, protection of PII and prevention of identity theft and, as a result, Advisors must ensure they have proper plans and training in place. Advisors should maintain robust ISSPs to minimize the risk of cyber-attacks and policies and procedures designed to detect, prevent and mitigate identity theft in connection with opening and maintaining covered accounts. The program must be appropriate based upon the Advisor’s size and complexity and the nature and scope of its activities. A covered account includes an account for personal, family or household purposes that is intended to permit multiple payments or transactions. This includes a brokerage account, an account at an investment company and any account at a financial institution “where there is a reasonable or foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation or litigation risks.”
Further, all cybersecurity policies and procedures should be regularly reviewed, updated and, as appropriate, approved (by the board, appropriate committee or relevant executive officer, as applicable); at least annual firm-wide training and ongoing evaluations of critical systems should also be implemented. Advisors should consider in advance how to respond to different types and degrees of cyber-attacks. Periodic drills involving mock phishing episodes and cyber-attacks should also be conducted to heighten employee readiness.
Additionally, now that regulators are holding Advisors and other registrants responsible for the actions (or inactions) of their third-party service providers, Advisors need to take a more active role in managing cybersecurity risks. Ideally, Advisors would handle cybersecurity and related risks in-house; however, this may not be practical for all Advisors. If an Advisor utilizes a third party to provide cybersecurity and related services, the Advisor must still have or acquire the expertise to identify possible shortfalls in its plan and to monitor and supervise its own systems and accounts, the third party’s activities, and the third party’s defenses and vulnerabilities.
Finally, Advisors must also monitor the risks to their business created by their other service providers; it is not enough for an Advisor to have its own cybersecurity plans and defenses, it must also appropriately monitor and supervise the actions and defenses of all third parties acting on its behalf.
The days of Advisors solely managing their investments are over; now they must manage all aspects of and risks related to their business, including cybersecurity.
About the Authors
Gary DeWaal is Special Counsel at Katten Muchin Rosenman LLP in New York. Mr DeWaal focuses his practice on financial services regulatory matters. He counsels clients on the application of evolving regulatory requirements to existing businesses and structuring more effective compliance programs, as well as assists in defending and resolving regulatory disciplinary actions and enforcement matters. Mr DeWaal also advises buy-side and sell-side clients, as well as trading facilities and clearing houses, on the developing laws and regulations related to cryptocurrencies and digital tokens.
Timothy Nolan is an Associate at Katten Muchin Rosenman LLP in Chicago. Mr Nolan concentrates his practice on transactional, corporate and regulatory aspects of financial services matters. Timothy provides legal services to a wide variety of clients, including proprietary trading firms, hedge funds, broker-dealers, registered investment advisers, commodity trading advisers, financial institutions and general corporate clients.
The views expressed above are not necessarily the views of Thalēs Trading Solutions or any of its affiliates (collectively, “Thalēs”). The information presented above is only for informational and educational purposes and is not an offer to sell or the solicitation of an offer to buy any securities or other instruments. Additionally, the above information is not intended to provide, and should not be relied upon for investment, accounting, legal or tax advice. Thalēs makes no representations, express or implied, regarding the accuracy or completeness of this information, and the reader accepts all risks in relying on the above information for any purpose whatsoever.