Cybersecurity Developments: SEC, FINRA, NIST, DOJ/FTC

SEC Launches Cybersecurity Examination Initiative – Promoting Cyber Preparedness

On April 15, 2014 the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert announcing that the agency will be examining 50 registered broker-dealers and investment advisers in order to assess cybersecurity preparedness in the securities industry.¹ The announcement was accompanied by a sample request for information and documents. According to OCIE, the examinations will focus on “cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”

The sample letter contains 28 requests for documents or information, including:

• A copy of the firm’s information security policy, as well as policies and procedures concerning how software and network resources are inventoried and updated;
• A description of the firm’s cybersecurity risk assessment process and any findings from recent assessments;
• A description of assigned roles and responsibilities for cybersecurity, if any;
• Identifying the published cybersecurity standards used by the firm to model its information security architecture and processes;
• Confirming whether the firm maintains certain cybersecurity controls, including access restrictions, limitations on removable media, and incident response policies;
• Information regarding the security of customers’ online accounts;
• Procedures for assessing cybersecurity risks posed by third-party contractors; and
• Practices utilized by the firm to detect unauthorized activity on its networks.

This is not the first time financial regulatory agencies have expressed concern about financial institutions’ cybersecurity practices. Recent data breaches at large companies like Target have spurred agencies to examine potential vulnerabilities affecting the industry. On March 26, 2014 the SEC held a public roundtable in Washington, D.C. to discuss the cybersecurity challenges facing market participants and public companies.

FINRA – Cybersecurity Sweep

Earlier this year, the Financial Industry Regulatory Authority (FINRA) also sent sweep letters to broker-dealers questioning them on their approaches to managing cybersecurity risks.²

NIST – Cybersecurity Framework

Of application both to the financial sector and more generally, the National Institute of Standards and Technology (NIST) has been leading the effort to encourage private sector “critical infrastructure” organizations to improve their cybersecurity practices. In February 2014, NIST issued its final Cybersecurity Framework, a set of voluntary standards designed for critical infrastructure companies to use in developing a comprehensive cybersecurity program.³

DOJ/FTC Statement on Antitrust Liability for Cybersecurity Information Sharing

Firms should feel more comfortable sharing information about cybersecurity threats with other private-sector entities following recent government guidance. While companies have long shared cybersecurity information with government agencies, fear of antitrust liability has discouraged some such sharing with other companies.

The DOJ and FTC recently eased these concerns by issuing a joint statement affirming that “properly designed sharing of cyber threat information should not raise antitrust concerns.”⁴ The agencies recognized that “cyber threats are becoming increasingly more common, more sophisticated, and more dangerous,” and that private entities can guard against cyber risks by sharing “technical cyber threat information – such as threat signatures, indicators, and alerts – with each other.”⁵ Such sharing, the agencies reasoned, can be helpful to all private entities because it “can improve efficiency and help secure our nation’s networks of information and resources.”⁶

Although the agencies stopped short of granting immunity to companies that share cyber threat information, the statement outlined the factors they will consider in determining whether information sharing violates antitrust laws: 1) whether the purpose of the sharing is to harm competition or to protect networks; 2) whether information is technical in nature (i.e., the kind that would “enable the recipient to take action to prevent, detect, or contain and attack”) or is competitively sensitive; and 3) whether the exchange is likely to harm competition.⁷ If these factors tend to show that the exchange is “unlikely in the abstract to increase the ability or incentive of participants to raise price or reduce output, quality, service, or innovation,” the sharing will not implicate antitrust liability.⁸ Accordingly, firms should not, in general, fear – on antitrust grounds – sharing cyber threat information to protect their networks and strengthen their cyber infrastructure.

Of course, companies will also need to consider privilege and privacy issues in sharing information with third parties, including other companies and the government. As the FTC/DOJ noted, however, “[t]he nature of the information being shared is very important to the analysis”:

Cyber threat information typically is very technical in nature. For example, one of the most common methods of identifying malware (e.g., a virus, worm, etc.) is through signature detection. A threat signature is like a digital fingerprint; it is a unique string of bits or data that uniquely identifies a specific threat. Signature-based detection involves searching for known patterns of data. Sharing a signature for a previously unknown threat will enable the recipient to take action to prevent, detect, or contain an attack. Similarly, knowing the source IP address or target port of a Denial of Service (DOS) attack may enable one to take protective measures against such an attack by blocking illegitimate traffic. The sharing of this type of information is very different from the sharing of competitively sensitive information such as current or future prices and output or business plans which can raise antitrust concerns.¹⁰

Just as antitrust concerns are attenuated by the technical nature of the information shared, privilege and privacy concerns should also be abated for the same reason.
It is also worth noting that safeguards based on even up-to-date technical information will not, of course, always be effective. Some of the recent, well publicized “point of sale” cyber-attacks evaded signature-based detection techniques. Accordingly, companies should integrate information on attack signatures into a multi-layered defensive strategy based on the company’s overall risk exposure and threat environment.

Cybersecurity Practices Recommended for All Sectors

Although the SEC’s latest examination letter focuses more on the existence of cybersecurity controls, rather than their quality, financial and other firms should ensure their cybersecurity programs are appropriately tailored to the risks that they face. Evaluating and improving cybersecurity protocols should be a top priority for financial and other data intensive companies, whether or not they have received an inquiry from a regulatory agency. We recommend that firms use the new NIST Framework to:

1. Identify and assess applicable legal and regulatory obligations/standards
   1. FISMA, ISO, COBIT, FFIEC, GLBA, HIPAA, SEC, CFTC, PCI, Massachusetts, etc.
   2. NIST framework
2. Manage Information Governance controls
   1. Set clear internal responsibilities for managing cybersecurity risks and implementing safeguards (set priorities depending on cyber resources and information assets)
   2. Establish reporting protocols to senior management and board
   3. Determine SEC reporting obligations
   4. Consider insurance
3. Conduct a risk assessment
   1. Prioritize assets and systems, and analyze corresponding threats and vulnerabilities
   2. Evaluate effectiveness of controls
   3. Revise procedures to address areas of greatest risk
4. Evaluate safeguards for vendor access
   1. Review due diligence procedures for selecting vendors, and monitor access
   2. Ensure that contracts with vendors require appropriate security measures
5. Identify Consulting Resources
   1. Computer forensic resources for prevention, detection and remediation
   2. Legal and public relations
6. Establish written policies and procedures and training programs
   1. Define cybersecurity responsibilities for users, administrators and managers
   2. Maintain accountability standards for violations of policies
   3. Ensure that employees and contractors are trained on legal obligations
7. Implement secure technology design
   1. Ensure system is capable of effective network-level monitoring
   2. Select and implement appropriate encryption standard
   3. Conduct regular testing and system updates
8. Establish access controls and network monitoring plans
   1. Create authentication process to enroll and verify authorized users
   2. Employ physical and technical authentication mechanisms
   3. Continuously monitor network intrusion detection system
9. Design and implement comprehensive incident response plan
   1. Determine circumstances that trigger intrusion response
   2. Designate chain of authority and formal procedures for incident reporting
   3. Define circumstances warranting involvement of outside experts and notification of regulators, customers and law enforcement
10. Test and update all assessments, safeguards and protocols

If you have any questions regarding this update, please contact the Sidley lawyer with whom you usually work or

¹ OCIE, OCIE Cybersecurity Initiative, National Exam Program Risk Alert Vol. 4 Issue 2, p. 1 (April 15, 2014).
² See https://www.sidley.com/en/insights/newsupdates/2014/02/brokerdealers-need-to-respond-to-recent-focus-on-cybersecurity-threats.
³ See https://www.sidley.com/en/insights/newsupdates/2014/02/white-house-releases-nist-cybersecurity-framework.
⁴ See http://www.ftc.gov/system/files/documents/public_statements/297681/140410ftcdojcyberthreatstmt.pdf at 9.
⁵ Id. at 1. The agencies noted that valuable indicators may include “file hashes, computer code, malicious URLs, source email addresses, and technical characteristics of malware.” Id. at 3.
⁶ Id. at 6.
⁷ Id. at 6-7.
⁸ Id.
⁹ Id. at 7.
¹⁰ Id. (noted omitted).

Sidley Austin provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. 

Attorney Advertising – For purposes of compliance with New York State Bar rules, our headquarters are Sidley Austin LLP, 787 Seventh Avenue, New York, NY 10019, 212.839.5300; One South Dearborn, Chicago, IL 60603, 312.853.7000; and 1501 K Street, N.W., Washington, D.C. 20005, 202.736.8000.