By Paul Ferrillo, McDermott, Will & Emery
This post originally appeared in The D&O Diary. It is republished here with permission.
The D&O Diary has done an exemplary job noting that there are generally two fast ways for “event-driven” litigation against a company and its directors (through a derivative action) to be filed: 1) ignore published regulatory warnings, disclosure guidance or direction, and have those warnings come back and bite you following a disastrous event (like a big cyberattack), or 2) ignore warnings and “red flags” evidencing potentially ‘poor conduct’ that is not in conformance with such regulatory advice, and have those warnings eventually come back as the cause of the event. Both 1 and 2 can be equally painful for a company. The associated stock drop, coupled with regulatory actions, orders or proceedings, will likely cause both securities and derivative litigation (and potentially other forms of breach- or privacy-related litigation).
While some regulatory bodies have not been prolific with their guidance to companies, firms, directors and officers as to “what to do to avoid” or “how to handle” the big cybersecurity “ugly mess,” the Securities and Exchange Commission (SEC), for example, has been a lot more helpful and direct with registered entities.
On January 27, 2020, the US SEC Office of Compliance Inspections and Examinations (OCIE) issued a helpful summary of the findings it has made in targeted cybersecurity examinations of registered investment advisers and broker-dealers (hereinafter referred to as the “cyber observation memo”).
The cyber observation memo follows yearly examination memorandums and advisories on the points of emphasis that the SEC wants its registered firms to identify, remediate and otherwise control for. It’s no secret that the practices the SEC identified as “important” in prior years – 2016-2019 – are approximately the same practices that it highlights in the cyber observation memo as areas where firms have done a “good job.”
The cyber observation memo is helpful for another reason – to clarify the ground rules for the registered entities and their directors and officers. If you do not follow what the SEC has “suggested,” and you subsequently have a major data breach or other cyber incident that affects customer data, do not be surprised if the SEC assesses a fine or penalty. Regulated firms and their directors and officers would do well to avoid enforcement actions and fines, especially since there may be related public disclosure obligations as well. So “RIA emptor” or “Registered Investment Adviser Beware!”
What Registered Investment Advisers (RIAs) should be thinking about when it comes to cyber
Here are the key factors the SEC has identified that each RIA or broker-dealer should be considering:
The cyber observation memo offers a list of good practices and procedures to help guard against data loss:
This is an older piece of advice, but one that is often overlooked in the heat of business or the economy: make sure that you have a practiced and tested cyber incident response, business continuity and crisis communications plan.
These are the first documents that a regulator will ask for during an examination. And these are probably the first documents that the firm’s directors and officers will ask for when reviewing the cybersecurity posture of the firm. If you are not practicing what to do when you get attacked, then you are not being realistic about your chances of effectively responding to a devastating cybersecurity attack.
The Internet has created so many efficiencies for business. Nearly everything can be outsourced – from manufacturing to HR to payroll to cybersecurity itself – by using a managed service provider. But what do you really know about your vendors? What program do you have in place to both identify and monitor the cybersecurity of your critical vendors? And maybe your less critical vendors too? The SEC OCIE recommends a fulsome vendor management program. We do too.
Finally, none of the above is any good (most of the time) unless your board and senior executives buy into both your regulatory cybersecurity compliance strategy and your data loss prevention strategies. Up-to-date network servers and operating systems are critical in today’s environment; so are machine-learning solutions for network security and things like good identity and access management (IAM) programs. And both cost money.
“Buy-in” by the board and senior management is important. Some boards are very focused on cybersecurity. Many are not. To avoid event-driven disasters, they really need to focus upon the fact that ANY company or firm is a target in today’s threat-filled environment.
Many states and regulatory schemes require board sign-off on cybersecurity initiatives and compliance. The SEC has always considered good cybersecurity and good cyber governance to be essential. Good cybersecurity is not just an IT responsibility; it’s everyone’s responsibility at the firm. Chief Information Security Officers and IT executives should make it standard to meet with boards and senior executives once a quarter to talk about cybersecurity. Having your outside forensic advisor available to board members helps too and adds a sense of comfort to discussions. Having directors who actually understand digital transformation and cybersecurity issues would be a bonus addition to any board of directors.
The SEC OCIE cyber observation memo is good guidance from many perspectives. Clients, customers and investors like stability and appreciate good cybersecurity, but they do not like data breaches or ransomware attacks. Regulated entities and their directors – beware! The world — and the SEC — are watching.