CYBER SECURITY BECOMES A FOCUS FOR FINANCIAL REGULATORS: Contracts with Vendors and Service Providers Under Scrutiny
Frenkel Sukhman LLP

May 1, 2015

Investment funds, broker/dealers, and other financial service companies face serious cyber security threats to the safety of their confidential and proprietary information and, indirectly, even more dramatic threats to their operations, both from within their organizations and from the outside. While preparing to combat these threats is a good business practice in itself, such companies should pay heed to the fact that regulators have begun to address their obligations in data protection, making institutional information security preparedness a discrete compliance and potentially legal issue. Following last year’s well-publicized cyberattacks on JPMorgan and other banks, the regulatory interest in strengthening protection against cyber criminals has received a new impetus, from the U.S. Treasury Department down to state financial regulators.

The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (“Risk Alert”) on February 3, 2015, providing observations derived from the 2014 sweep examinations of over 100 registered broker-dealers and investment advisers that were undertaken to assess their cybersecurity practices and preparedness. The Risk Alert does not provide substantive requirements on the subject of cyber security preparedness. However, it signals that cybersecurity is one of OCIE’s top 2015 exam priorities, and that all SEC registrants will want to review their preparedness for a cyber exam. As part of its cyber sweep initiative, OCIE staff tested the level of preparedness of the examined firms by reviewing certain practices and procedures. These included written information security policies and procedures, periodic audits to assess compliance, risk assessments, mapping of technology resources, encryption and password techniques, and cybersecurity insurance.

It is noteworthy that most registrants reported cyber attacks (the majority of which arose from malware and fraudulent e-mails) directly or through one or more vendors. Although most registrants’ policies require cybersecurity risk assessments of vendors with access to their proprietary information and operations, only some have such requirements for vendors. Even fewer investment advisers (24%) do so, according to the OCIE initiative’s findings. The inclusion in OCIE examinations of certain questions regarding contracts with vendors and business partners, together with requests for descriptions of contractual information security requirements and sample copies, seems to indicate that the SEC encourages its registrants to take a more active position in negotiating stronger contractual protection in dealings with IT service firms and other vendors who have access to their networks and data. The odds are that many firms will experience one or more instances of unauthorized access to their computer systems and that their data and/or operations will be compromised as a result.

The Financial Industry Regulatory Authority (FINRA) published a detailed report, “Report on Cybersecurity Practices”, on the same date as the SEC, identifying effective practices for dealing with cybersecurity threats by its members, a result of its own targeted examinations and initiatives. The FINRA report focuses on third-party vendor risks as well and calls for efforts to closely research and evaluate third-party vendors, preferably before they are engaged and periodically thereafter. Member firms are requested to review due diligence procedures for selecting vendors, and procedures to approve and monitor vendor access to firm networks, customer data and other sensitive information. As part of the due diligence review, copies of the vendors’ written information security plans and certifications of compliance with applicable standards should be obtained. Vendor contracts should be reviewed for inclusion of appropriate terms on security measures, including incident response notification procedures and cyber insurance coverage.

In May 2014, the New York State Department of Financial Services (“NYSDFS”) published a report titled “Report on Cyber Security in the Banking Sector” that described the findings of its survey of more than 150 banking organizations and isolated the industry’s reliance on third-party service providers for critical banking functions as a continuing challenge. NYSDFS has announced that it will be scrutinizing cyber security as an integral part of its bank examinations, and is asking banks to prepare responses to a specific set of questions and information requests on their security practices and procedures for purposes of the examinations. NYSDFS is also considering cyber security requirements for financial institutions that would specifically apply to their relationships with third-party service providers.

While the Risk Alert should not be viewed as a summary of industry norms or best practices for SEC registrants, it is a useful document that provides a glimpse into the regulator’s mindset. Given that cybersecurity is one of OCIE’s top 2015 exam priorities for all SEC registrants regardless of their form, investment advisers as well as broker/dealers should review their preparedness for a cyber exam and make such improvements as may be needed on the basis of the review. One of the key areas for such improvements is contractual relationships with their key vendors and third-party IT service, data and other technical or content providers. Upgrading the firms’ contractual protection may take a significant amount of time and effort, as it is likely to require negotiation with several third parties whose counsel may not be aware of the new regulatory attention bestowed on cyber security and the need to assume at least some of the responsibility for the improvements. Different types of contracts will require different amendments depending on the nature of the services, the service provider’s access to the client’s data, computer systems and operations, and other factors.

Along with internal preparedness for cyber attacks, bolstering the financial institution’s legal position vis-à-vis third-party service providers is one of the principal tools in fending off potential civil litigation, regulatory inquiries and administrative enforcement action, and in protecting against resulting financial and reputational harm. The results of the OCIE study show that 88% of the broker-dealers and 74% of the investment advisers surveyed have already been victims of some form of cyber attack, so both the risk to financial institutions’ information security and the risk of attendant legal and regulatory repercussions are very real.
Frenkel Sukhman LLP advises its fund and other clients in the financial services and other industries on cyber security issues and helps them to minimize regulatory and legal exposure from cyber security threats, with its attorneys drafting, reviewing and negotiating service, outsourcing, licensing and other agreements on a regular basis.