If your firm isn't taking reasonable precautions to protect client data, you could face enforcement action. While there are no specific regulations setting cybersecurity standards, the Securities and Exchange Commission and the Financial Industry Regulatory Authority are on the lookout for firms not operating under a "reasonable standard."
“There have been instances where firms have not acted reasonably, and that is the standard by which one judges,” said Vincente L. Martinez, head of the enforcement division’s office of market intelligence at the SEC.
Speaking at the SIFMA Cyber Legal Seminar on Tuesday, Martinez added that regulators are looking to see that a firm has a reasonable approach to ensure the protection of customer data, processes in place to evaluate and respond to threats and, more generally, ensure the firm is able to act in a way that “prevents loss of money or significant harm to customers.”
Recent enforcement actions in this area have generally targeted basic lapses, such as firms failing to put anti-virus software on computers, Martinez said. Firms may also face regulatory scrutiny when they have been put on notice about cybersecurity deficiencies yet do nothing about them. Martinez cited a recent enforcement case against a firm that underwent an audit following a data breach but still neglected to implement a cybersecurity or information access program. Another case involved a firm in which several reps had left yet still had access to the b/d’s systems, and the firm had not instituted any kind of access controls.
“These are the sorts of things that are likely to be found sufficiently unreasonable to warrant an enforcement action,” Martinez said.
Usually these cases are brought as violations of supervisory procedures or controls and violations of Regulation S-P, a privacy rule that prohibits investment advisors and securities firms from disclosing non-public, personal information about their customers.
Just last week FINRA settled a case against Sterne Agee & Leach after an advisor left his unprotected laptop in an airport bathroom. The firm agreed to pay a $225,000 fine. But the reason it became an enforcement action was that the firm had been previously warned about its lack of information security processes and had not taken action.
“The action was brought because the firm was on notice that they had to safeguard information,” said Daniel Sibears, executive vice president of member regulation programs at FINRA. “When you have tools available to you and you don’t do it and the laptop gets left and then there’s a compromise, that’s what leads to an enforcement action.”
With that said, regulatory examiners are not looking to “beat firms up” that are building up their cyber program, but they will provide feedback and expect to see updates, Sibears said. “We don’t come out of the box looking to bring enforcement actions unless we see people completely ignoring it.”