Andrew Ceresney, head of the SEC’s Division of Enforcement, confirmed during a panel discussion at the Investment Company Institute’s Mutual Funds and Investment Management Conference in Orlando, Fla., that the SEC has other cybersecurity enforcement actions “in the pipeline.”[i]
The pending enforcement actions are the next logical step following the SEC’s increased focus on cybersecurity. On February 3, 2015, the agency published cybersecurity guidance for broker and advisory firms, summarizing the results of its annual examination program. The examinations focused on how these firms:
- Identify cybersecurity risks
- Establish cybersecurity policies, procedures and oversight processes
- Protect their networks and information
- Identify and address risks associated with remote access to client information, funds transfer requests and third-party vendors
- Detect unauthorized activity
This followed the SEC’s first cybersecurity case against R.T. Jones Capital Equities Management on September 22, 2015, for failing to have the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
SEC regulations require that investment advisers have in place policies and procedures to secure clients’ personal information and address the risk of cyberattacks. While cybersecurity will be the focus of increased compliance scrutiny, the SEC recognizes that many companies are striving to maintain safeguards on their customer data. “The issue is whether you’ve done enough,” Ceresney added.
Ceresney further advised firms to report any potential regulatory violations to the SEC. He said that firms have “every incentive” to self-report, noting that they may receive a reduced fine as a result.
Phishing Attacks Expose Employee W2s
As the April 18 tax deadline draws closer, companies are seeing a significant increase in phishing attacks designed to obtain employee W-2 data, including Social Security numbers. A number of companies have fallen victim to this type of attack, in which cybercriminals purport to be company executives and request personal information from payroll or human resources employees, often in the form of requests for W-2s.
The Internal Revenue Service recently issued an alert warning companies to be alert to these “spoofed” emails. The spoofed emails carry the actual name of the company CEO and contain some form of request for the 2015 W-2s and earnings summaries of company staff. The email may also ask that the forms be sent as a PDF attachment. The recent spike in these attacks caused the IRS to renew a wider consumer alert for e-mail scams. According to the IRS, there has been an approximately 400% surge in phishing and malware incidents so far this tax season.
What Can Your Organization Do?
Organizations, particularly those regulated by the SEC or other government agencies, should prepare to respond to the increase in regulatory scrutiny around cybersecurity practices. For example, organizations should examine their policies and procedures around:
- Employee Training and Security Awareness. In addition to having in place written policies and procedures governing the safeguarding of personal information, firms should train their employees to be aware of threats to the security of personal information. This training should include phishing awareness training to guard against inadvertent disclosure of personal information.
- Service Provider Due Diligence. Firms that rely on service providers to process and store personal information on their behalf should conduct thorough due diligence to confirm that those providers maintain adequate levels of security for personal information. For key service providers, it is important not only to confirm that the provider has robust protections in place, but also to test and independently verify those protections.
- Phishing Diligence. Employees should be made aware of the spike in phishing attempts and be trained to spot such “spoofed” emails. For example, employees should independently verify, through a channel other than email, any request for personal information that appears to come from an executive. In addition, companies should consider implementing formal phishing training.
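The spoofed W-2 requests described above share a recognisable shape: an executive’s real display name on an address the firm does not control, often with a Reply-To pointing elsewhere, and a request for W-2s or earnings summaries. The following Python function is an added illustration (not part of the original article or any IRS or SEC guidance) of how a mail gateway or SOC triage script could flag that pattern before it reaches payroll; the executive roster, domain and both sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed roster: executives whose names a spoofed W-2 request would borrow.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.test"}
INTERNAL_DOMAIN = "example-corp.test"  # constructed
# Wording typical of the W-2 requests described in the IRS alert.
W2_TERMS = re.compile(r"\bw-?2s?\b|earnings summar|social security", re.I)


def analyze_w2_request(raw_message: str) -> dict:
    """Flag executive-impersonation W-2 requests from a raw RFC 5322 message.

    'header_flags' lists sender anomalies; 'mentions_w2' says whether the subject
    or body asks for W-2 / earnings data; 'suspicious' is True only when both
    a header anomaly and W-2 wording are present, so a genuine internal payroll
    notice about W-2s is not flagged.
    """
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    flags = []
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and addr != expected:
        flags.append(f"display name '{display}' is an executive but address is {addr}")
    if addr and not addr.endswith("@" + INTERNAL_DOMAIN):
        flags.append(f"sender domain is external: {addr.rsplit('@', 1)[-1]}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        flags.append(f"Reply-To {reply_to} differs from From")
    # Plain-text body only; multipart parts are joined (constructed samples are text/plain).
    if msg.is_multipart():
        body = " ".join(str(p.get_payload()) for p in msg.walk()
                        if p.get_content_type() == "text/plain")
    else:
        body = str(msg.get_payload())
    mentions_w2 = bool(W2_TERMS.search(msg.get("Subject", "") + "\n" + body))
    return {"header_flags": flags, "mentions_w2": mentions_w2,
            "suspicious": bool(flags) and mentions_w2}


# Constructed spoof: CEO's real name, lookalike external domain, divergent Reply-To.
SPOOF = ("From: Jane Doe <jane.doe@mail-example.test>\n"
         "Reply-To: ceo.jane.doe@mail-example.test\n"
         "To: payroll@example-corp.test\nSubject: Urgent request\n\n"
         "Please send the 2015 W-2 and earnings summary for all staff as a PDF.\n")
# Constructed legitimate notice: internal payroll address, W-2 wording, no anomalies.
LEGIT = ("From: Payroll <payroll@example-corp.test>\nTo: staff@example-corp.test\n"
         "Subject: Your 2015 W-2 is available\n\nLog in to the HR portal to download it.\n")
```

Run `analyze_w2_request(SPOOF)` and `analyze_w2_request(LEGIT)` to see the spoof flagged on three header anomalies while the genuine payroll notice, which also mentions W-2s, is not.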
In addition to strengthening internal procedures and policies, firms that have suffered a cyberattack may wish to evaluate, with counsel, their state and federal reporting obligations, whether to report the attack to law enforcement and, if subject to regulatory oversight, whether to self-report the breach to their governing agency.
[i] Beagan Wilcox Volz, SEC Preparing To Whack Firms With Weak Cyber Defenses, Ignites, March 17, 2016 (reporting Mr. Ceresney’s comments).