Adviser Alert, No. 2
Takeaways From the Recent SEC Cybersecurity Roundtable

April 07, 2014
Client Alert
In our first cybersecurity alert, we discussed the focus for 2014 on cybersecurity by the Securities and Exchange Commission’s National Exam Program and how investment advisers and investment companies can prepare for that regulatory focus. In this cybersecurity update, we discuss some interesting points that were made at the cybersecurity roundtable hosted by the SEC on March 26.

The cybersecurity roundtable’s agenda consisted of four topics: cybersecurity landscape; public company disclosure; market systems; and broker-dealers, investment advisers and transfer agents.

The roundtable focused on three broad themes: data protection, market integrity and disclosure of risks, and in that regard the SEC noted some of its recent activities regarding each of these themes. With regard to data protection, last year the SEC adopted Regulation S-ID: Identity Theft Red Flags,[1] which built upon existing regulations for protecting customer data. With regard to market integrity, the SEC in 2013 proposed Regulation SCI, which would require certain self-regulatory organizations (including registered clearing agencies), alternative trading systems, plan processors and exempt clearing agencies subject to the SEC’s automation review policy to establish written policies and procedures reasonably designed to ensure that their systems have levels of capacity, integrity, resiliency, availability and security adequate to maintain their operational capability and promote the maintenance of fair and orderly markets, and that they operate in the manner intended.[2] With regard to disclosure of risks, in October 2011, the SEC’s Division of Corporation Finance published guidance regarding disclosure obligations relating to cybersecurity risks and incidents.[3] The SEC commissioners and staff were particularly interested in gaining input regarding the SEC’s role in combating cybersecurity threats.

The following are some of the more interesting discussion points of the cybersecurity roundtable:

Cybersecurity Threats to Financial Services Companies:
  • Compared to other industries, financial services companies are relatively advanced in addressing cybersecurity issues and have sophisticated defenses. Unfortunately, they are also prime targets of cybersecurity bad actors because, as bank robber Willie Sutton used to say, “That’s where the money is.”
  • Threat vectors of financial services companies include (1) nation-states or terrorists seeking ways to disrupt the United States market system (e.g., denial-of-service attacks or destruction of data); (2) espionage by state or nonstate actors seeking ways to steal proprietary information; (3) organized crime seeking ways to steal financial information in order to steal money from an account holder through identity theft or account takeover; (4) hacktivists seeking to promote an ideological agenda by disrupting computer systems; and (5) insiders – rogue employees who steal information for personal benefit or careless employees who leave security systems vulnerable (e.g., due to weak passwords or lost laptops).
  • Cybersecurity threats include the following:
    • Malware/Spyware – Installation of malicious code using removable media (e.g., USB flash drive) or email.
    • Ransomware – Installation of malicious code that encrypts data and is used to extort money from a company that needs to have such data returned unencrypted.
    • Hacking – Exploitation of weak computer security systems, especially weak passwords.
    • Spoofing – Masquerading a malicious website as a legitimate website in an attempt to steal private information that can be used for identity theft.
    • Phishing – Sending an email that falsely claims to be from a legitimate enterprise in an attempt to steal private information that can be used for identity theft.
    • Denial-of-Service Attacks – Flooding a computer network with useless traffic to disrupt website operations.
    • Loss/Theft – The loss or theft of mobile computer devices, such as laptops and smartphones, or compact disks or flash drives that contain personally identifiable information of customers or company proprietary data.
  • Cybersecurity threats are constantly changing, which makes it difficult to monitor potential patterns of threats.
  • Bad actors are constantly looking for computer system vulnerabilities. Some attacks are opportunistic, “drive by” attacks where a firm may not have been specifically targeted, but a vulnerability was discovered and immediately exploited by theft of information. Other attacks involve a firm being specifically targeted and subject to a patient and persistent attack. In some cases, a system may be breached but not immediately exploited by data theft. An in-depth forensic computer investigation may be needed to discover what the hacker is doing in a company’s computer system.
Cybersecurity Challenges for Financial Services Companies:
  • Determining what information needs to be protected.
  • Understanding how information travels and the risks related to that travel, particularly if information leaves your company.
  • Managing access to information, including access by both employees and third-party vendors.
  • Figuring out what needs to be monitored.
  • Sharing information – There is no clear guidance as to what can be shared between companies and between companies and government.
  • Dealing with multiple regulators and government agencies. There is a tension between the regulatory desire to notify various parties (e.g., regulators, clients, service providers) and the need to keep information secret to assist law enforcement.
  • Timing of investigation versus notification. Investigating a data security breach can be a time-consuming process, but there is pressure to quickly notify victims. Balancing the investigative needs for law enforcement and the need for notifying victims so that they can protect themselves is a challenge.
  • Receiving timely and actionable information of potential cyberthreats.
  • Improving communication between IT staff and senior management.
  • Ensuring that sufficient resources and personnel are devoted to cybersecurity (especially for small and medium-sized companies).
Corporate Governance and Cybersecurity:
  • Firms should have a culture of cybersecurity. Cybersecurity is not just a technology issue for IT staff to deal with but starts at every employee’s keyboard and ends with senior management and the board.
  • Increasingly, boards of directors have also become involved and often consider cybersecurity issues through their audit committee or risk committee. However, it is not well-established what, when and how cybersecurity issues should be reported.
  • Cybersecurity involves risk management. There is no magic software purchase that will solve all problems. Cybersecurity involves constant monitoring and risk mitigation (e.g., discovering security gaps and closing them). Technology moves faster than security countermeasures.
Disclosure Issues Involving Cybersecurity:
  • A tension exists in the Division of Corporation Finance’s Cybersecurity Guidance regarding the need to avoid generic boilerplate disclosure and to provide risk disclosure that is meaningful to shareholders and that is tailored to a particular company. Disclosure tends to be more generic, because companies want to avoid providing details that may compromise their own cybersecurity.
  • While the Division of Corporation Finance’s Cybersecurity Guidance requests disclosure of material cybersecurity incidents, one participant suggested that disclosure was driven more by the requirements of state data breach notification laws and that actual disclosure of incidents relates primarily to those in which state law required disclosure. Other cybersecurity incidents that did not trigger state data breach notification laws because they did not involve personally identifiable information (e.g., proprietary data) may ultimately be considered to be immaterial and therefore require no disclosure.
Best Practices:
  • Computer security policies and procedures need to be in place, constantly reviewed for gaps and updated to reflect new developments. Firms need a defense in depth.
  • Firms must develop and implement a data breach security response policy and consider holding a data breach exercise.
  • Cybersecurity is an enterprisewide concern involving all employees and senior management.
Possible Recommendations Regarding the Role of the SEC:
  • Provide clarification about what information can be shared among companies and among regulators and law enforcement agencies and who should receive such information.
  • Provide legal protection for information sharing.
  • Provide information about cybersecurity best practices.
  • Coordinate among regulators in developing uniform approaches to cybersecurity regulations and to the review of cybersecurity policies and procedures.
  • Provide principle-based guidance instead of prescriptive regulations that may become quickly outdated.
Public Input on Cybersecurity:
Members of the public are welcome to submit comments on the topics that were addressed at the roundtable. Comments may be submitted either electronically or on paper. Any comments submitted will become part of the public record of the roundtable and posted on the SEC’s website.

  • Electronic submissions: Use the SEC’s Internet submissions form or send an email to
  • Paper submissions: Send paper submissions in triplicate to the Office of the Secretary, Securities and Exchange Commission, 100 F Street N.E., Washington, D.C. 20549-1090.
All submissions should refer to File Number 4-673, and the file number should be included on the subject line if email is used.

[1] Identity Theft Red Flags Rules, Release Nos. 34-69359, IA-3582, IC-30456 (April 10, 2013).
[2] Regulation Systems Compliance and Integrity, Release No. 34-69077 (March 8, 2013).
[3] CF Disclosure Guidance: Topic No. 2: Cybersecurity, SEC Division of Corporation Finance (Oct. 13, 2011).
