In September of this year, the Securities and Exchange Commission (“SEC”) charged Voya Financial Advisors, Inc. (“VFA”) with violating Rule 30(a) of Regulation S-P (“Privacy Safeguards Rule”) and Rule 201 of Regulation S-ID (“Identity Theft Rule”) due to VFA’s failure to take appropriate steps to protect the personally identifiable information (“PII”) of 5,600 clients during a cyberattack perpetrated by rogue actors posing as VFA independent contractor representatives.[1] The SEC cited the fact that VFA’s cybersecurity policies and procedures were not reasonably designed to prevent such attacks, especially as applied to the Firm’s independent contractor representatives.
This SEC enforcement action brings to light the importance of a firm’s responsibility for ensuring that their cybersecurity policies and procedures appropriately address cybersecurity risks applicable to the firm and are reasonably designed to prevent attacks. Furthermore, a firm’s cybersecurity policies and procedures should be tailored to provide protection guidelines for firm employees, including vendors and independent contractors with access to a firm’s electronic systems in order to mitigate the risk of a cyber-attack.
In this month’s Risk Management Update, we take a look at a couple of the lessons learned from the VFA case and provide guidance on what advisory firms should consider when designing customized cybersecurity policies and procedures. We also provide tips and suggestions on how to enhance cybersecurity controls.
Lessons Learned From VFA Case
Lesson #1: Policies and procedures must be reasonably tailored to an investment advisory firm.
There is no one-size-fits-all solution for advisory firms, and a firm’s policies and procedures need to be tailored to the firm’s business practices and specific risks. For VFA, their policies and procedures were not reasonably tailored to address the systems used by their independent contractor representatives who were working remotely.
Risk Management Tips
- Review cybersecurity policies and procedures annually and anytime there is a change to business practices and/or applicable regulations to make sure they continue to be customized and appropriate;
- Review and test your Incident Response Plan (“IRP”) to confirm it remains up-to-date and appropriately designed to identify, contain, eradicate, and remediate any cybersecurity incidents that could affect your business;
- Create a checklist or inventory of all cybersecurity controls including, but not limited to: (1) password managers and steps for resetting passwords after lockouts; (2) multi-factor authentications; (3) time-out settings; (4) vendor and service provider inventories, access, and security; (5) client portal security; (6) data encryption for email, documents and applications that contain non-public information; and, (7) red flag steps to ensure adequacy.
Lesson #2: Risk assessments should be performed at least annually on your cybersecurity program to help determine whether policies, procedures, and controls appropriately address applicable risks and potential vulnerabilities.
In the case of VFA, management did not provide oversight or administer the firm’s Identity Theft Prevention Program (“ITPP”), a requirement under Regulation S-ID, despite significant changes in the external cybersecurity threats, and had they been performing regular risk assessments of their cybersecurity program and policies, they could have been able to identify and mitigate this risk area.
Risk Management Tips
- When performing a risk assessment consider the following: (1) what steps are in place to protect client non-public information; (2) the extent and results of penetration and vulnerability testing being performed; (3) controls surrounding employee access rights based on job responsibilities; (4) process for reviewing vendor access rights; (5) potential gaps in data governance and loss prevention steps; (7) adequacy of employee training and continuing education; and, (8) robustness of incident response procedures;
- Rank each area assessed to assist with determining what areas need to be addressed first; and
- Implement a plan to assign tasks to appropriate personnel to address the identified risk areas and provide confirmation and documentation that the risks have been mitigated.
Lesson #3: Cybersecurity starts with your employees, and training and continuing education are essential to addressing new and existing cybersecurity threats.
As mentioned in our August 2018 Risk Management Update titled “Staying Ahead of the Cybersecurity Curve”, a firm’ policies and procedures can only work as well as the employees who are trained to use them. Without proper training, a firm’s policies and procedures will be ineffective when it comes to creating the first line of defense against cyber threats. In the VFA case, it appeared the firm had not provided adequate training to their call service representatives to take steps that would help identify an impostor. Without proper training, the firm’s policies and procedures will be ineffective when it comes to creating the first line of defense against cyber threats.
Risk Management Tips
- Mandate that all employees, including independent contractors, participate in annual cybersecurity training, which should cover at a minimum: (1) cybersecurity threats and identity-theft red flags; (2) protection controls in place, including encryption protocols and strong passwords; (3) device management policies; (4) understanding allowed user access based on job responsibilities; and (5) the firm’s incident response procedures;
- Make sure to send out firm-wide updates on any changes to the policies and procedures that impact cybersecurity and threats;
- Mandate continuing education for employees on identifying various types of cybercrimes, which can include webinars, required reading, training by third parties, penetration testing (e.g. determining the firm’s ability to detect and respond to a simulated cyber-attack); and
- Distribute articles and regulatory updates regarding cybersecurity to employees to help keep them abreast of current issues.
Conclusion
Having robust cybersecurity policies, procedures, and controls that are appropriate to a firm’s business practices requires the knowledge and expertise of both Compliance and IT personnel, along with making sure that employees remain aware and well trained. Performing reviews, risk assessments, and training should be a dynamic and continuing process to ensure that consideration is given to new types of cybercrimes, along with changes to the business and regulatory environment.
For more information on, or assistance with drafting and implementing cybersecurity policies, incident response plans, and/or mentorship and training, please contact us at (619) 278- 0020, or visit us at www.corecls.com.
Author: Core Compliance & Legal Services; Editor: Tina Mitchell, Lead Sr. Compliance Consultant Core Compliance & Legal Services (“Core Compliance”). Core Compliance works extensively with investment advisers, broker-dealers, investment companies, hedge funds, private equity firms and banks on regulatory compliance issues.
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.
[1] See https://www.sec.gov/ocie/Article/risk-alert-5-most-frequent-ia-compliance-topics.pdf
[2] See https://www.sec.gov/rules/final/ia-2204.htm
[3] See https://www.sec.gov/enforce/ia-5047-s
[4] See https://www.corecls.com/news-events/core-steps-for-performing-and-documenting-a-risk-assessment
This article is for information purposes and does not contain or convey legal or tax advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer and/or tax professional.