After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cybersecurity rules.
A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.
The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.
(More: Regulators' gloves are coming off with cybersecurity. Put up your dukes with these tips)
"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cybersecurity practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors."
No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.
Even though Voya had a cybersecurity policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cybersecurity policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.
This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cybersecurity is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.
"Firms have cybersecurity policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cybersecurity firm Entreda.
For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.
Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cybersecurity.
"People talk about having a good cybersecurity policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.
These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.
2018 warnings to heed
When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cybersecurity, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cybersecurity preparedness and response team.
"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cybersecurity programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."
The agency last year named cybersecurity as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cybersecurity; and issued new guidance on public companies' obligations to disclose cybersecurity risks and incidents, updating its previous guidance issued in 2011.
The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cybersecurity when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.
It isn't just the SEC getting tougher with cybersecurity. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transfering money from client accounts. In December, the self-regulatory organization updated its 2015 report on cybersecurity best practices for broker-dealers.
State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cybersecurity programs, the number of bills and proposals addressing cybersecurity at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.
The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.
For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cybersecurity breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.
The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cybersecurity plan in place. Regulators want to see firms continually testing, reviewing and updating cybersecurity policies and procedures to ensure they remain effective as threats evolve.
Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.
"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.
Preventing harm due to phishing scams requires firms address human susceptibility to such scams in addition to the technology element itself, she said.
Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.
Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.
Where advisers can improve
The good news is that the financial services industry has done a pretty good job of adapting to new cybersecurity requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.
Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.
"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."
At smaller firms, there can be a sense of fatigue and helplessness when it comes to cybersecurity, because even the largest companies get hacked.
"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cybersecurity for advisers. "I do think that causes some frustration."
Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.
Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.
Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cybersecurity controls. When used alongside Finra's previously released small firm cybersecurity checklist, it should give smaller advisers an effective guide to remaining compliant.
The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cybersecurity is something more important than another compliance chore. The key to that may lie in thinking of cybersecurity as a competitive advantage, Mr. Yenamandra said.
Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.
"Cybersecurity needs to be viewed as not only an operational risk but also a strategic function," he said.