Bates Research - 06-14-17
Cybersecurity Activity and Enforcement Kick Into High Gear Amid Uptick in Cybercrime and Fraud
For securities regulators and regulated entities, concern over cybersecurity is taking on a new urgency. Hardly a day goes by without a news item highlighting serious allegations of international hacking, fraud, data theft or some form of attempted electronic manipulation. Faced with the fact that governmental institutions, private enterprises and personal assets seem increasingly vulnerable, authorities appear to be ramping up their engagement. Federal and state officials are issuing new rules, authorities are updating guidance and enforcement agencies are organizing for a fight. Here are some recent developments:
New SEC Co-Directors of Enforcement Prioritize Cybersecurity
On June 8, 2017, the Securities and Exchange Commission announced that Stephanie Avakian and Steven Peikin were appointed Co-Directors of the Division of Enforcement. Ms. Avakian had been serving as Acting Director of the SEC’s Division of Enforcement since December 2016 after a stint as Deputy Director of the Division since June 2014. Mr. Peikin was Managing Partner of Sullivan & Cromwell’s Criminal Defense and Investigations Group, and served as an Assistant U.S. Attorney in the Southern District of New York from 1996 to 2004. He also served as Chief of the Office’s Securities and Commodities Fraud Task Force, where he supervised high profile prosecutions of accounting fraud, insider trading, market manipulation, and abuses in the foreign exchange market.
Both Ms. Avakian and Mr. Peikin have prioritized cybersecurity in their new roles. As Reuters recently reported, “the new SEC enforcement chiefs see cybercrime as the biggest market threat.” Ms. Avakian stated: “the SEC has started to see an ‘uptick’ in the number of investigations involving cybercrime, as well as an increase in reports of brokerage account intrusions…as a result, the agency has started gathering statistics about cybercrimes to spot broader market-wide issues.” The report notes that “the kinds of cybercrimes the SEC has been noticing range from stealing information for the purpose of insider trading, to breaking into accounts to either steal assets, trade against them or manipulate markets.”
Interagency Government Financial Council Updates Cybersecurity Assessment Tools
On May 31, 2017, the Federal Financial Institutions Examination Council (FFIEC) updated its Cybersecurity Assessment Tool, a resource for financial institutions to use in evaluating cybersecurity risks and preparedness. FFIEC members include the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB). It is a formal governmental interagency body “responsible for developing uniform reporting systems for federally supervised financial institutions, their holding companies, and the nonfinancial institution subsidiaries of those institutions and holding companies.” (The new Assessment Tool corresponds to the updated Information Security and Management booklets of the FFIEC IT Examination Handbook.)
SEC OCIE, FBI and Homeland Security Issue Cybersecurity Alerts
On May 12-13, 2017, several federal agencies issued cybersecurity alerts in the immediate wake of the international ransomware attack known as WannaCry. The attack exploited a vulnerability in computer networks running the Microsoft Windows operating system and appeared to be focused on the computer network of the UK National Health Service. Within 48 hours, the attack purportedly reached 99 countries including the United States, United Kingdom, Spain, Russia, Taiwan, France, and Japan.
The FBI and Homeland Security jointly issued an alert titled “Indicators Associated with WannaCry Ransomware,” which listed ways companies could protect their data. The SEC Office of Compliance Inspections and Examinations later issued a bulletin that provided references to both FINRA resources and SEC guidance and information.
White House Issues Executive Order to Strengthen the Cybersecurity of Federal Networks and Critical Infrastructure
On May 11, 2017, President Trump signed a long-promised Executive Order on cybersecurity. The Order focuses on modernizing cybersecurity for federal networks, critical infrastructure and national preparedness. The primary directive is for all federal agencies to adopt the 2014 Framework for Improving Critical Infrastructure Cybersecurity developed by NIST, the National Institute of Standards and Technology. (See here for more from Bates on the NIST Standards.) The 2014 NIST Framework will be updated in the near future. Changes to it are specifically incorporated by the President’s Order.
The Order makes the head of each federal agency – rather than the agency’s IT Director – accountable for managing cybersecurity risk for their enterprises. The Order also focuses on identifying the vulnerabilities of infrastructure considered “critical,” including utilities, financial and healthcare services, and telecommunications. It requires audits, reports and recommendations from the Secretary of Homeland Security and various other Cabinet Secretaries to improve data security practices for these industries, with an emphasis on supply chain, military platforms, systems, networks and capabilities. Additionally, the Order calls for better policies to protect the public from foreign and domestic online threats, supports the development of a skilled cybersecurity workforce, and seeks to strengthen partnerships between the government and the private technology sector.
New York and Colorado Cybersecurity Regulation: Only the Beginning?
On May 2, 2017, the Colorado Division of Securities held a hearing on proposed rule changes that would impose new cybersecurity requirements on financial advisers and broker-dealers “to keep clients' electronic data from getting into the hands of cybercriminals.” (For full proposed rule changes in Colorado, see here.) Colorado’s proposed rules come on the heels of the finalization of the New York State Department of Financial Services (“DFS”) regulations, which require financial firms to protect their networks and customer data from hackers and to disclose cyber events to state regulators. (See here for Bates news on the NYS-DFS regulations.) Though it has been suggested that the New York and Colorado rules are merely codifications in sync with FINRA and SEC requirements, there are state-by-state differences that will require special consideration by market participants operating in those jurisdictions. These issues are likely to be debated in an upcoming North American Securities Administrators Association (“NASAA”) cybersecurity roundtable on June 23, 2017.
Presidential Orders, assertions of state oversight authority, new institutional guidance, international malware attacks and personnel and enforcement announcements all linked to cybersecurity suggest that we might be defining a new normal. Bates will continue to track these developments.