Firms should take note that information security will remain an area of intense focus this year for the U.S. Securities and Exchange Commission’s (SEC) Division of Examinations (the Division or EXAMS), formerly known as the Office of Compliance Inspections and Examinations (OCIE).
On March 3, 2021, EXAMS announced its 2021 examination priorities consistent with what the SEC believes presents significant potential risks to investors and the integrity of the U.S. capital markets.
The increase in remote operations used by firms during the ongoing COVID-19 pandemic has raised added concerns from regulators on such topics as data loss, vendor management, and endpoint security. Successful cyberattacks not only can adversely affect a firm’s business but also lead to consequences that extend to retail investors and other third parties.
In the coming months, EXAMS will review whether firms have taken appropriate measures to safeguard client accounts and prevent account intrusions and manage the operational risks that could arise from employees in a work-from-home environment.
The Federal Trade Commission’s (FTC) recent case against and settlement with enterprise communication firm Zoom offers useful insight for firms seeking to remain compliant in an increasingly complicated environment for information security and operational resiliency.
Where Zoom Fell Short
In early 2020, Zoom was the biggest beneficiary of the need for remote teleconferencing created by the COVID-19 pandemic. Zoom’s client base increased from 10 million to 300 million in four months, prompting its stock to increase almost tenfold between October 2019 and October 2020.
Those who have used Zoom know the company collects a wide spectrum of data – names, email addresses, credit card numbers, chats, texts, and recordings of meetings, to name a few. To assuage potential client concern about Zoom’s level of information security, the firm claimed on its website and elsewhere that it takes “security seriously,” that it “places privacy and security as the highest priority,” and that it “is committed to protecting your privacy,” none of which proved accurate.
The Complaint by the FTC which led to the Consent Agreement alleged that Zoom misled users by falsely claiming it offered clients end-to-end, 256-bit encryption for all communications, providing immediate encryption for recorded meetings, and secretly installing software on Apple computers called a ZoomOpener which allowed Zoom to automatically launch and join a user to a meeting by bypassing an Apple Safari browser safeguard that protected users from a common type of malware.
As part of its settlement with the FTC, Zoom agreed to implement several safeguards that other firms should maintain to help avoid running afoul of regulators in terms of information security.
- Create a program with documented policies and procedures.
- Implement a vulnerability management program.
- Hold regular security training programs for employees.
- Create and implement incident response policies.
- Obtain regular assessments by an independent, third-party consultant.
Taking these proactive steps will help fortify your compliance efforts in a year the SEC has said it will review whether firms have taken appropriate measures to safeguard customer accounts, oversee vendors and service providers, respond to incidents such as ransomware attacks, and address malicious email activities.
EXAMS also will review controls surrounding online and mobile application access to investor account information, the controls surrounding the electronic storage of books and records and personally identifiable information maintained with third-party cloud service providers, and firms’ policies and procedures to protect investor records and information.
The creation, implementation, and annual review of information security policies and procedures can help your firm successfully meet its fiduciary duty to clients consistent with EXAMS’ four pillars of promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy. The SEC has many online tools available to help with planning for information security, including timely Risk Alerts, at https://www.sec.gov/spotlight/cybersecurity.
In addition, many firms have benefited from vulnerability assessments and penetration tests conducted by dedicated information security professionals. It’s important to note that if you haven’t had a professional inspect your electronic system, your firm may be at serious risk of a breach.
We recommend beginning with a one-hour consultation to define your needs and discuss possible solutions. We can customize the action plan for your firm to help you advance your controls. Contact Core Compliance & Legal Solutions today to schedule your consultation at (619) 278-0020.