Friday 25th October 2024


Why you must develop a response to cyber security and financial crime threats


A recent SEC action has highlighted how concerned regulators have become about data intrusion risks in the asset management sector. Last month the Securities and Exchange Commission settled charges with an investment adviser, R.T. Jones Capital Equities Management, which the regulator alleged had failed in its duty to protect client data from hackers, in this case thought to be based in China.

The SEC claimed the St Louis-based firm

  1. did not conduct regular security assessments,
  2. failed to encrypt sensitive data and
  3. did not install a firewall.

Consequently, the hackers were able to access details of more than 100,000 clients.

According to Marshall Sprung, co-chief of the SEC Enforcement Division’s Asset Management Unit,

“Firms must adopt written policies to protect their clients’ private information and they need to anticipate potential cybersecurity events and have clear procedures in place rather than waiting to react once a breach occurs.”

http://www.sec.gov/news/pressrelease/2015-202.html

This marks the first enforcement action of its kind by the SEC. Although no direct financial loss appears to have been caused, the adviser settled the charges with a fine of US$75,000. Had the hackers inflicted any loss of money on the firm or its clients, the fine could have been far higher.

In addition, on 15 September the SEC issued a risk alert outlining the steps its examiners will take to assess cyber security risk and preparedness during securities industry inspections. The focus areas include governance and risk assessment, and the alert indicates that the SEC will now look at whether cyber security policies and procedures are actually implemented and operating, not merely written. It has made clear that this will be one of its key inspection priorities.

Details

  1. The SEC investigation found that R.T. Jones Capital Equities Management violated Rule 30(a) of Regulation S-P (the “safeguards rule”) during a nearly four-year period in which it failed to adopt any written policies and procedures to ensure the security and confidentiality of personally identifiable information (PII) and to protect it from anticipated threats or unauthorized access.
  2. According to the SEC’s order instituting a settled administrative proceeding:
    1. R.T. Jones stored sensitive PII of clients and others on its third party-hosted web server from September 2009 to July 2013.
    2. The firm’s web server was attacked in July 2013 by an unknown hacker who gained access to, and the ability to copy, the data on the server, leaving the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft.
    3. The firm failed entirely to adopt written policies and procedures reasonably designed to safeguard customer information. For example, R.T. Jones did not conduct periodic risk assessments, implement a firewall, encrypt the PII stored on its server, or maintain a response plan for cybersecurity incidents.
    4. After R.T. Jones discovered the breach, the firm promptly retained more than one cybersecurity consulting firm to confirm the attack, which was traced to China, and to determine its scope.
    5. Shortly after the incident, R.T. Jones provided notice of the breach to every individual whose PII may have been compromised and offered free identity theft monitoring through a third-party provider.
    6. To date, the firm has not received any indications of a client suffering financial harm as a result of the cyber-attack.

Guidance

  1. The Hedge Fund Standards Board has recently added a cyber security memo http://www.hfsb.org/sites/10377/files/hfsb_publishes_cyber_security_memo.pdf to its Toolbox for fund managers. It highlights quick-win measures that asset management firms can implement rapidly to establish a solid security baseline.
  2. In addition, AIMA has published practical guidance for hedge fund firms, setting out concrete steps member firms can take to defend against cyber security threats. It emphasises that boards have an important role to play as stakeholders in this process, including ensuring that cyber security risk management is tabled as a standing board agenda item.

Regulatory scrutiny

  1. Regulators are increasingly focusing on the readiness of asset management firms to resist cyber security threats. The SEC’s Office of Compliance Inspections and Examinations published its own guidance for asset managers in this area this month: https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf
  2. Other regulators are also developing their own requirements for cyber security. For example:
    1. The Central Bank of Ireland has stressed that fund boards should have proper oversight of cyber security readiness and that this should not be left to the purview of the IT department.
    2. Effective corporate governance, it argues, has a role to play in the development of robust cyber security procedures.
    3. The Central Bank has also said that where there is non-compliance with regulatory requirements, it will have regard to its cyber security recommendations when exercising its regulatory and enforcement powers.
    4. In the Cayman Islands, the Information & Communications Technology Authority has been working with other Cayman Islands government agencies on a threat and infrastructure assessment. This has been extended into a series of reviews involving representatives of the financial sector, which will likely result in action items being published next year.

The role of fund boards

  1. Fund boards and their directors should be aware of the cyber security and financial crime risks they currently face, and of their own responsibilities in the eyes of regulators.
  2. Directors can play a proactive role in helping funds not only to meet minimum regulatory requirements, but also to build an enhanced security oversight function with a better risk management and assessment regime in place. This will require regular updating, as cyber security risks evolve continuously.
  3. Boards should consider adopting a policy document that sets out what the fund’s board, service providers and investment manager should be seeking to achieve in terms of expected security standards. A proportionate response may be appropriate for managers of smaller funds, but all boards should be addressing this issue as a matter of urgency.
  4. It is important that fund directors remain properly informed about the level of security at the fund’s delegates, including the investment manager, and that this is revisited regularly as a board agenda item.

http://1.usa.gov/1Kzbqzo
