Cyber Attack Coming? Watch Out for SEC Proposed Rulemaking
Securities Enforcement Defense attorneys Jessica Magee and Scott Mascianica welcome Allworth General Counsel Barry Greenberg to this episode of Coffee & Conversation. Their chat focuses on cybersecurity and proposed rulemaking by the U.S. Securities and Exchange Commission (SEC). The attorneys and special guest discuss priorities and concerns that businesses should be wary of when it comes to data privacy.
Ms. Magee focuses her practice on SEC, U.S. Department of Justice and other federal and state governmental investigations and enforcement actions. She is a former SEC Enforcement Senior Officer, former financial services general counsel, and experienced trial lawyer with extensive experience leading trials, investigations, enforcement actions and private litigation.
Currently, Mr. Mascianica is an investigative and litigation attorney and a member of Holland & Knight's White Collar Defense and Investigations Team and the Securities Enforcement Defense Team. He previously served as an Assistant Regional Director in the SEC's Division of Enforcement where he supervised numerous cyber investigations.
Apart from being general counsel for Allworth Financial, an independent wealth management firm, Mr. Greenberg is also an SEC-registered investment advisor. Mr. Greenberg also served as an SEC Branch Chief, where he was responsible for supervising regulatory enforcement investigations.
Jessica Magee: Good morning, everybody. I'm Jessica Magee, a partner at Holland & Knight in our Dallas office. I'm so glad to be back with you all for Coffee & Conversation. I've got my mug. I'm going to try not to spill coffee all over myself. It's been some time since we've been together. The world has changed and changed again. Maybe most notably for me and for you is that the last time we were together in Coffee & Conversation, I was a partner with the law firm of Thompson & Knight. And today I'm joining you, along with my partner, Scott Mascianica, and our esteemed guest, Barry Greenberg from Holland & Knight. We've gone through a merger and it would take another Coffee & Conversation to say why that's been such a wonderful and exciting journey for us, but we are glad to be back with you this morning. We're going to be talking about cybersecurity, the Securities and Exchange Commission (SEC) proposed rulemaking, possible enforcement, and just get as many good expert insights as we can from Scott and Barry. Scott, before I introduce Barry Greenberg our esteemed guest and friend, why don't you say hello to everybody and reintroduce yourself?
Scott Mascianica: I'm happy to be here. I can actually say that even though I've only been at Holland & Knight for four months, this is actually my second Coffee & Conversations with Jessica. Most recently, I was an assistant director in the Division of Enforcement at the SEC and had the opportunity to participate in one of these while at the agency. So I'm really excited to be here today. Excited to be joined by Barry as I know that this is a topic where he has a great deal of expertise and it's one where I have swum in the deep waters of cybersecurity for a pretty long time. So happy to be here.
Jessica Magee: It's really my honor and privilege, and I'm just excited to introduce our friend and very important lawyer and human Barry Greenberg, who's the general counsel at Allworth Financial, an independent wealth management firm and SEC-registered investment advisor. Before joining Allworth, Barry was a general counsel with another firm, he has been a private practice partner and also ran the gauntlet at the SEC in a prior day, as did Scott and I. And Barry, Scott and I like to get together and talk about a matter of things. One of my favorite topics is parenting well while lawyering well, so I can't underscore enough just what a great human Barry really is. Barry, we are so glad to have you here this morning.
Barry Greenberg: Like they say on the radio shows: Longtime listener, first time caller. I guess. I've been a fan of your program for a while. This series, I think you really do a great job of providing helpful insight to folks in the community. So I'm happy to be a part of today's conversation and look forward to it.
Jessica Magee: Scott as the person that has read and reread every page of proposed cybersecurity rules that the SEC has put out and who oversaw these kinds of investigations on the staff, I think really, nobody wants me to kick us off in terms of the substantive conversation. So why don't you take us in and lead us through today's conversation?
Scott Mascianica: Before we do, I just want to say Barry I've watched a lot of Coffee & Conversations at this point, and I don't know that there's ever been an intro quite like the one that you got. So, it's really a high bar here that you got to start in.
Barry Greenberg: A lot of pressure.
SEC's Main Priorities in Cybersecurity and Data Privacy
Scott Mascianica: Absolutely. Let's start at the top of the funnel. Just given your position as a general counsel and a registered investment adviser, when it comes to the topic of cybersecurity and data privacy, what are some of the priorities that you're thinking about?
Barry Greenberg: And I should add, in addition to being an RA, we're also a registered broker dealer. So we do have that set of rules to deal with. But, you know, I think the approach to cybersecurity, if I look back at how it's evolved, I think in business, despite when we'll talk about what the regulators are doing, I think it's hard to be in business nowadays and not think about cybersecurity. And so it has evolved from when regulators were first trying to encourage businesses to pay attention to the topic, to now when I'm discussing with senior management the attention we need to spend on cybersecurity, there's no pushback. Everybody agrees that it is a big problem. And it's something that we need to make sure we're doing the right things to be prepared for, you know, what might happen. And so I think that's probably the approach. Certainly people are willing to join the conversation around the table. And then the question is just when you talk to, if you have internal IT expertise or external IT expertise, which will depend probably upon the size of the firm that you have, then the question becomes, how much do we devote to this? How many resources do we devote to it? Because inevitably it becomes a matter of choices and a matter of decisions to make. And different people will have different opinions about the likelihood of a cyber attack impacting your firm and how you should be prepared for it. And that will often determine the direction that you go. I think of the various IT professionals that I've spoken with about this topic. The answer is you will be attacked. It's just a question of when.
Scott Mascianica: There's a statistic that I read recently that said that a ransomware attack happens every 14 seconds. So when we're talking about the question of if or when, it really is a question of when, and I wholeheartedly agree with your sentiments in terms of "the discussion has changed over time" and from, you know, call it maybe the early to mid teens, you know, 2010, 2011, 2012, ultimately to now, to 2022. Let's talk a little bit about the risk perspective, the analytics that you engage in, certainly not at a very specific level, but just from a general perspective, those types of conversations that you're having at a dual registrant for how to address risks and what an incident response plan or a business continuity plan looks like. Some of that insight, I think, would be really helpful.
Assessment of Risk and Compliance Rule for Cybersecurity
Barry Greenberg: Sure. And as you know, no one size fits all to this approach. So I can share with you what my current firm does and also some insight from other places I've worked, sort of how we've addressed it. But you know, you touched on the assessment of risk, which is not a new topic for registrants, as you know, since the compliance rule was put in place way back in 2004, along with that was the requirement to do an annual compliance review and risk assessment. And so, folks, it should not be a new thing. And the new rule proposal for cybersecurity that, oh, now we need to look at cybersecurity. If you're doing an honest look at your risk, that should have already been on the list before now, and different firms handle risk assessment differently. So at my prior firm, you know, it was a very small group of people that would get together occasionally and look at risks and then sort of prepare a formal risk assessment or risk matrix of various risks, including cyber. At my current firm, we have a risk committee that is comprised of senior executives and representatives from different business units, and we meet on a quarterly basis and put together a formal risk register and rank various risks depending upon our assessment of the likelihood of that risk. Is it a high likelihood or a relatively low likelihood? What controls do we have in place to address that risk? And then sort of additional action steps we should take to try and mitigate those risks as we see them. And it's a living, breathing process. We meet quarterly and priorities change, or things move up and down on that list depending upon sort of what the current needs of the business are. But I will tell you that information security, including cyber, data privacy, those things are at the top of our list.
And I don't expect them to go away anytime soon, because I think they are, you know, as you read in the news and now we've seen a continued focus by the regulators on making sure that we are doing our part to protect the data that we have access to.
Jessica Magee: To me, you said choices earlier. You're always having to make choices within a company when you're leading a company about where we're going to focus our time and our resources, neither of which is limitless, but also making sure you have the right people in the conversation around cybersecurity and data privacy and protection. You know, to me, it's not just a conversation about compliance. You touched on it earlier, I think it's also the folks in operations. What can you say? Or Scott, maybe your thoughts as well on making sure you've got the right people on the right chairs around the right table to have that living conversation that you talk about, because especially with cybersecurity and the speed at which innovation in wrongdoing is happening, the importance of being aware and organizationally aware from a sort of grassroots level, I think is paramount.
Barry Greenberg: You focused on the right issue, which is it's not just an IT issue. I think some people, when they start talking about cyber, it's like, okay, well, let me talk to IT folks and they should figure out what we need to do to protect ourselves. And as an operating business, we have our various operating divisions that every day are dealing with various aspects of how we conduct business with our clients and with prospects. And so operations very much needs to be a part of this, as well as our marketing team in terms of how we are using the Internet, our website, other ways that we connect with clients where there might be potential opportunities for breach. And in addition to that, compliance as well. So, it's not just legal but also compliance and making sure that other procedures that may impact cyber are addressing those potential weaknesses as well. The other piece of this that I didn't touch on earlier is there are internal resources that can be used. And it's also very helpful, I think, to have an external resource as well. It's often difficult to assess your own weakness, and having a third party, whether it's an accounting firm, a consulting firm or a law firm, even do an assessment or assist with an assessment of your cyber preparedness is, I think, a very worthwhile exercise. We went through that in our firm recently and got a report that identified some areas we could continue to focus on and also, at the same time, some areas where we're doing well. And it allowed us to shift our focus.
Jessica Magee: That's not an invitation for you to engage in a third party assessment of my weaknesses and vulnerabilities. But, you know, sometimes registrants find that that third party assessing their strengths, weaknesses, risks and opportunities is a regulator, which is not necessarily the position anybody wants to be in. But Scott you've most recently been in public service at the Securities and Exchange Commission. And I know you spent a lot of your time thinking about these issues, working on these issues. You don't have to give the standard government disclaimer anymore, and I won't ask you to dip your toe in to confidential information. But help me, help Barry, help everyone watching, think about how the SEC is thinking about these issues. And we'll talk about rulemaking. I know you and I spent a lot of time saying, why does the SEC care? Why is the SEC proposing this rule or acting in this way? For cybersecurity, I think it's a pretty straightforward answer. Companies exist digitally, people work remotely, information is shared through the air. At least that's how I understand it works. So I understand the why it matters. But how is the regulator thinking about it?
Why is the SEC Proposing this Rule?
Scott Mascianica: The simplest way to summarize that is that cybersecurity now is directly tied to financial security. In an increasingly digital world, that's something that the primary securities regulator in our country is naturally going to care about. And so when we're talking about the SEC and how they approach that, we really need to look at two buckets. We need to look at what the Division of Examinations does and how they look at it, and then what the Division of Enforcement does and how they look at it, because there are two very different approaches and two very different aims. So we have first the Division of Examinations (Exam), or what used to be OCIE, you have the Division that's responsible for inspections and exams of regulated entities, entities like Barry's that are broker dealers, investment advisers. And they are approaching this from the perspective of certain rules that are on the books right now. We'll talk about the proposed rules in a second. But they're looking at the proposed rules right now around certain policies and procedures that entities need to have in place for the protection and safeguard of customer data and the identification and detection and potential remediation of red flags, called the Safeguards Rule and the Identity Theft Rule. Barry is very familiar with both of those, but Exam is looking at this from the perspective of how are the registrants engaging in these activities proactively? How are they complying with the rules as they're written on the books? And in my perspective, Barry may not agree, but my perspective from being at the agency is that I think Exam has done a pretty good job of being collaborative in this space over the years. They've issued a number of risk alerts, highlighted a number of areas where there are potential vulnerabilities, threats. They've published a number of results from cybersecurity sweeps.
And tying back to your point, Jessica, about why the SEC cares about this, in one of those publications, Exam highlighted that 88 percent of broker dealers and 74 percent of investment advisors that they examined were the victims of a cyber attack, either directly or through one of their vendors. So naturally, that's something that Exam is going to care about. So that's sort of the first bucket for the SEC. We then look at the Division of Enforcement, which is more of the blunt end of the SEC instrument. And when we're thinking about the SEC enforcement activity in the cybersecurity space, it's actually been relatively marginal when you compare it to the broader enforcement program. Now, the way I've typically characterized it over the years is if you look at SEC enforcement tied to data privacy and cybersecurity, you can break it into three buckets. You can break it into activity related to public companies.
You can have enforcement related to hacking and market manipulation and insider trading. That's more cyber peripheral, but there's a cyber component to it. And then you have the enforcement activity involving regulated entities. Those first two buckets we're not going to spend a lot of time on today because we've got a distinguished guest who falls squarely in that third bucket with regulated entities. But that's generally how the Division of Enforcement has approached cybersecurity, and they have typically been involved when there is a more egregious type of a violation. That's how it has been historically, and I think we can actually draw on the comment that people made in the SEC's press release for the Yahoo! or Altaba cybersecurity action, which is a public company action, of course, where he talked about we're not going to second guess good faith business judgment. However, there could be certain instances where it's just so deficient that an enforcement action is necessary. That has been how the Division of Enforcement has typically approached cybersecurity. But I think we're seeing a change, and I think that that change ties back to something that Barry mentioned at the very start, which is that the discussions now internally at firms are not whether cybersecurity is important. Here the discussion is no longer whether the SEC cares about cybersecurity. I think they've banged that drum long enough and highlighted the importance of it. So now I think as we're seeing that this has been a more established priority for both Exam and Enforcement, I think we're going to continue to see more and more enforcement actions in this space, and not the least of which, from like a tea leaf reading perspective, is certainly the SEC's rule, which I know we're going to talk about here in a little bit.
Barry Greenberg: I hate to, you know, poke at your theories there, Scott, but you're sounding like a former regulator. So, you know, it's always interesting when I hear the SEC say, we're going to give people the benefit of the doubt. We're only going to go after those that are truly cases where we feel that they have fallen far off the mark. But I'm guessing that if you were to talk to the firms that are on the receiving end of some of those enforcement actions, they might disagree. And so when you see the orders and the SEC is pointing out what they see as major deficiencies, there may be another side of the story that unfortunately you don't get to see. But I think the broader point I agree with is that I do think that firms that are trying to do the right thing and mostly succeeding at it will probably be, you know, treated differently. And I do think that I agree that it's very helpful that I've seen a trend over the past few years of the Division of Examinations issuing findings, or here are the things that we are seeing, and that's a great signal to firms to make sure that you're addressing these issues rather than using the enforcement mechanism to make those points. So I hope that that process will continue and that we don't see an increase in enforcement actions against firms that are, for the most part, taking reasonable steps and trying to address this. And the frustrating part is that, you know, we're dealing with technology changing quickly. The process by which we do things is changing quickly. And there are vulnerabilities that we're having to discover as we go about things that weren't there, you know, a brief time ago. And that's a challenge for firms to stay on top of. And it would certainly be unfortunate if there's a breakdown and as a result of that, a firm has to pay a penalty in addition to the reputational harm that they suffer and that business loss that they suffer through clients also having to deal with.
On top of that, a regulatory action would be pretty unfortunate as well.
Jessica Magee: And not even just the action itself, which I agree with everything you said, but this is the point where I get on my soapbox and say what people are probably sick of me saying, which is, Enforcement does, I think, a very thorough job at the end of every fiscal year reporting out all of the matters it brought and reporting that out graphically, numerically, substantively, based on type of case. But as far as I still know, they do not report out on the number of investigations that they closed in the fiscal year. And that's a great, great, great many touches on companies, registrants, individuals. And I appreciate this differently and maybe even better now than I did before, which is the mere fact of being a recipient of a subpoena or a voluntary request, whether you're a registrant or not, it's expensive. It's distracting. It's very time consuming, and it can have reputational implications regardless of whether an actual enforcement action's brought. So I really want to underscore that point. My hope is, my expectation is, that the good faith that's expected and encouraged on the registrant side also will be reflected on the staff side to be judicious in how they investigate, what they investigate, and I'm really trying to lean into the messaging around good faith matters and reasonableness matters. And I recognize that a lot of that really rests on my shoulders, Scott's shoulders, the shoulders of lawyers like us to make sure we're framing conversations correctly with the staff to demonstrate what firms are doing to get it right, to exercise good faith on the firm side. I think, and I'm curious about your thoughts on this, Barry, the thing that firms can be doing now for a possible future touch, whether it's Exam or Enforcement, really is documentation. Right?
Some way of being able to recall and reflect all of the good thought and effort and grappling really that goes into understanding the risks, how they percolate and manifest for a particular kind of firm, which is not one size fits all. And letting that really shine later if that conversation needs to be had, because right now we're in a time of just absolutely so many priorities coming out of the SEC. And again, I don't think companies are necessarily equipped to make every single thing a priority or spend all of their money on every priority, especially when they don't exist just to be responding to regulation, but they exist to be responding to their clients and their shareholders. So I know I'm throwing a lot at you, but can you say a couple of things on the documentation effort, the good preparedness now to show and demonstrate later, "hey, we're the kind of firm that's doing it right, we're what you want to see in the registrant community, we're the role model, perfection is not the standard and when things happen, it's addressed appropriately."
Firms' Cybersecurity Policies and Procedures
Barry Greenberg: Most firms by now have some sort of suite of cybersecurity policies and procedures in place, hopefully written. And the level of detail may vary depending upon the size of the firm or the nature of your business. But you can't stop there, and that's really the challenge. If you look at a lot of the incidents that are reported, it's oftentimes not the hacker from a foreign country whose name you can't spell or pronounce correctly. It's oftentimes someone internally, someone who clicked on an email that they shouldn't have and that took them to a place where they ended up compromising network information and/or there were password issues, things like that. And so what really becomes the challenge is to take those written policies and procedures and make them part of the culture of the company and living and breathing on a daily basis. And, you know, I cite an example at a prior firm where I worked where, you know, on the one hand, it was distressing that despite all of our training to not click on suspicious emails, or when someone says you've been hacked and call this phone number to address it, and the phone number was not our IT department, and that executive did that. While that was distressing, the positive of it was that they immediately let someone else know, like, well, I've clicked on this link and maybe I shouldn't have. And so we were able to quickly come in and limit the scope of any potential harm there. And so the takeaway from that is knowing what to do when something happens and taking action in response to that. And so that I think is the continuing challenge. My firm, like many others, we routinely do internal phishing. We send out messages to see if people will click on them. And then if you do, you get an immediate response and a reminder to pay more attention next time.
And they actually give you a congratulations if you click on one and say, yes, I think this is phishing, they give you a pat on the back that you did the right thing and reported it as suspicious. So I think, you know, highlighting those examples in the group settings of the company so that people on a daily basis are reminded of the dangers of doing things quickly and perhaps not paying attention and what the consequences of that might be. I think it's always been helpful to share examples when there are big breaches announced and what the scenario in that particular company was and how could that have happened to us and what should we do to be more vigilant to make sure that it doesn't happen to us. I think it's a matter of getting those things in the back of people's minds as they go about their day-to-day business. So that hopefully the internal potential weakness can be addressed that way.
Jessica Magee: A common theme for everything we talk about when it comes to SEC Exam or Enforcement, at least where it touches compliance with regulatory expectations, is getting it into your culture, right? It's exactly the terms you're using, it's a living organization. The company is just a group of people showing up to work every day, doing their best while they've got laundry they didn't get folded and kids they need to get to soccer practice and what have you. So it's really, you know, making sure that the company bloodstream is thinking about the risks and how we as a company deal with them and who do I call if I think I have an issue come up. Scott, what would you add to that?
Scott Mascianica: The thing that I'm curious about for Barry, just to kick it back to you on this point, when it comes to documentation and we're thinking about incidents and incident response and just creating a culture of compliance is: what's the thought process on the inside when you have, you mentioned phishing, for example, or someone clicking on an email, a spoofed email perhaps, or making a phone call that they shouldn't. What's the calculus that goes into thinking whether you need to bring in an outside forensic consultant to investigate, as opposed to this being an incident that's just handled internally and used as a teaching moment for the rest of the staff?
Barry Greenberg: It really depends upon what type of feedback you're getting from the sources that you're using. So, in the case of phishing, we have an external resource that we use to send out, you know, those routine emails to our employees. And based on the feedback of how many positive clicks we're getting, that will determine the next course of action. And my sense is that whether it's our really good training or people are being just more vigilant in general, the level of activity there has been relatively low, at least in my firm and the prior firm. There weren't a whole lot of people that were clicking on those emails. There are enough red flags now that I think people are becoming more aware and being more careful in clicking on them. So the trickier ones are the ones where if you're someone who is dealing in operations and you get requests for a wire somewhere and they're routine, they're used to processing those. And, you know, you can create pretty easily a scenario that's very plausible to someone on the receiving end that, oh, I'm filling in for the person that normally sends you these instructions, or I've changed my bank information, send me a wire here. Having good internal controls where there is a second level of check or an additional level of review before those out of scope or unusual requests are processed is something that firms need as they're constantly trying to be vigilant against potential breaches.
Scott Mascianica: The belt, suspenders and cummerbund approach really to making sure that there are second and third layers of protection to ensure that money's not going out the door for these types of scams. And that makes total sense.
Jessica Magee: That's just a good look too, Scott. I mean, I love when you come to work in belt suspenders and cummerbund on casual Friday. It's a strong look and it's a good fashion journey for you. Let's go sort of back in time just for a minute because when we were all settling in to what turned out to be extremely prolonged telework or remote work at the beginning of the pandemic, I think there was some grace given, especially from SEC and other regulators and law enforcement, about the all of a sudden remote workforce. And maybe the internal infrastructure was not ready to immediately adapt to that. New controls, new policies being developed to make sure that the person that you know is in your treasury group that's working from home may not be in the office to do a certain thing she or he physically did before. But I think over time companies and firms were expected to adapt. They did adapt. I think when it comes to cybersecurity issues, there is not a lot of grace given anymore to remote workforce, even as companies have adjusted to new hybrid schedules. Maybe we're going to allow people to work from home because we saw that it worked. I don't think there is much leeway or certainly any paths to be given for, "Oh, we don't have that two or three step control in place to check and recheck," or "Oh, you know, the fact that this person was home meant that the multifactor or the two step, you know, may be our policy, but it wasn't our practice here." I don't think there would be a lot of tolerance for something like that these days at the SEC. Am I wrong?
Scott Mascianica: I don't think you're wrong at all. And frankly, I think you could expand it beyond just the concept of remote work environments. I just think from a you know, what we talked about earlier, just broader cybersecurity issues and data privacy issues are at large. I think we are past the grace period, so to speak. And I think that that is part of my point earlier, just the idea that I think that the commission has banged the drum on this point for a number of years now, not just for regulated entities, but for public companies as well. And I think the point now, from the U.S.'s perspective, companies need to have these issues addressed. Now, whether the SEC is being appropriate and thoughtful and judicious in that approach. You know, I guess reasonable minds can differ. I think we are moving, though, I think, to a space where it is becoming far more aggressive.
Barry Greenberg: I would agree. And I think that there are, and we'll talk about this in terms of what the standards are or should be. I do think that the change that's occurred over the years, and whether it's attributed to the pandemic or even before that, was how do you allow access into your network? And if you allow people to work from home, is it done only through a secure connection? The person who may be accessing your network while they're sitting in a Starbucks, is that done through a VPN or can they just get in the easiest way possible? I do think that there has been a pretty well-established set of guidelines, whether it's NIST or other state guidelines, that firms are looking to. If you're not in that camp, I think that it's going to be hard if something does happen. I think that's going to be a harder position to defend, that you're doing everything you should be doing to make sure that your network is secure. And that's an issue. And as most firms now, even though we are somewhere on the other side of the height of the pandemic, we're all in the hybrid mode, so that there are people in the office or people at home. And I think that my sense is that the protections that people put in place, that maybe they didn't have in place or weren't as robust when the pandemic began, people aren't rolling those back. They're continuing to plan to use those going forward, because there will continue to be those that are working remotely and those that are working in the office, and the issues remain.
Scott Mascianica: You know, one of the things that I know the SEC has highlighted a couple of times as a remedial measure is multi-factor authentication. And as we're moving to this more bifurcated hybrid work environment, my sense is that this is now going to be more of just the expectation as one example, from a data privacy and cybersecurity perspective, as opposed to something that the Commission maybe would have previously viewed as something that was, you know, remedial in nature.
Who is in Charge of Data Security?
Jessica Magee: You read a lot, at least about chief information security officers (CISOs), is that maybe, I don't want to necessarily jump into proposed rulemaking or what maybe firms are going to need to think about doing. But is that something, Scott, that you were seeing pretty frequently? Like management has sort of a titular person whose job this is and who this really rolled up to. My view is it touches pretty much every organization and every leadership group. But were you seeing that job function on the rise? And what about at the board level, sort of recent periods and today?
Scott Mascianica: I really think it just depends. I mean, when I was on staff, if you're talking about from a macro trend, I think certainly over time that position was something that we saw more and more. But ultimately, it's going to come down to organizational structure, size of the organization, you know, technical complexities at the organization. All of those factors need to be taken into account as to whether or not an entity is going to have that position. Now that's looking backward, I think you know very well, you know, we'll talk about this here in a minute. But I think if we're talking about looking forward and we're talking about proposed rules, not just for advisors and funds, but also for public companies and board expertise and specific cybersecurity and data privacy expertise that the SEC is now expecting. I think that will just accelerate what has been a trend and maybe make it more broad based across markets as opposed to some of those factors that I mentioned earlier; size, complexity, those things that may have dictated it earlier and now may become just more of the norm.
Barry Greenberg: You raised one interesting party that we haven't talked about yet as much as part of this conversation, which is an external board, whether, if you manage public funds and mutual funds, you've got the investment company board. If you are obviously a public company, you have the public company board. And in our case, if you're a private company but still have an external board, that's a party that, you know, they're being hammered by the various organizations that they're a part of and things that they hear from regulators that they're supposed to be getting the management to pay attention to cybersecurity and report out to them on the steps being taken on cybersecurity. And one of the recommendations that I've seen those boards can ask management to consider is a CISO role, or someone like that in an information security manager role, whose job is primarily to address these issues and make sure they are spread throughout the organization, not just from a policy standpoint, but also for training as well. And so I think you're coming at this issue from a lot of different directions, and that's definitely going to continue. Oftentimes boards will use external sources to provide input and data to them that might come through a law firm or through a consultant who comes in and does an analysis, provides a report that is provided to the board and then shared with management. Management's given an opportunity to respond to it. And that's, again, another helpful source of input to management to make sure that the steps that are being taken are appropriate for the size of the business. And I think that's the key: very large organizations, very large raise and deal registrants, have very different risks and needs than smaller organizations do.
Recent SEC Proposed Rules
Jessica Magee: Scott, should we jump into roles or do you want to talk about anything else before we go into the belly of the beast?
Scott Mascianica: Why wait for the fun? So just to maybe level set sort of where we are for those who aren't familiar, in February of this year, the SEC proposed rules around cybersecurity programs and policies and other cybersecurity aspects for advisors and funds. The rule, like most of the SEC rules that have come out this year, was meaty, to put it mildly, very detailed, very involved. As Jessica likes to say, I pour myself a glass of wine and curl up on the couch and enjoy some nice nighttime reading in it. But the rule is significant, to just put it mildly, and having Barry here I think it'd be great to just get his thoughts on certain aspects of the rule. For anybody that's watching, if you want to really nerd out and get into some of the granular details, we have a post on our SECond Opinions blog that goes into significant detail of the rules and some of the key takeaways. But while we have an expert here like Barry, I figure we can pepper him with some questions and get his thoughts. So Barry, one of the things that jumped out to me about the rule is just the really broad definitions within the rules. And again, it's a proposed rule. It's not finalized. This can be subject to amendment. But as proposed, when it comes to cybersecurity incident, advisor information systems, these are definitions that, as proposed, would seemingly expand what an advisor or fund would need to look at or consider as part of its cybersecurity program. And the one aspect of that that jumps out to me is the impact on potential relationships with vendors. Because the proposed rule talks about information systems used by an advisor, and that necessarily will include third-party vendors, and there are significant potential implications from that. Not the least of which is the SEC seemingly expecting that registrants would document that their service providers have implemented and maintained certain policies and procedures to safeguard information.
Barry Greenberg: I think that you've touched on two areas that are potentially problematic in the rule and areas that the commentators have zeroed in on. The first is the broad definition of adviser security areas that could be covered, as opposed to, I think, what most firms now look at: where are the material potential areas of weakness of our firm where, if there is a breach, there is going to be a serious problem that we're going to have to deal with? And focusing primarily on those vs. every single vendor we have the potential risk of data loss dealing with, even if the consequence probably would not be that significant to either clients or customers or the firm's continued operations itself. So I think the scope of that, and the suggestions in some of the comments of narrowing that to focus on sort of key vendors and key areas, that if there was a breach, there would be a significant potential harm, vs. having to devote the resources to now do a risk assessment on every vendor that you use potentially. That's one area. And the other is sort of the required oversight of each of the vendors that you identify, without recognition of the oftentimes very limited ability that the registrant may have to force change or request change from that vendor, depending upon your relative negotiating power with them. You know, as a person sitting in my shoes advising my company on contractual provisions that we should have in our agreements with vendors, I have great suggested language that I can try to insert in our contracts with vendors, but the response you get varies widely depending upon how large the relationship is, what your relative clout is, and whether the vendor is even willing to consider what you're asking for. And then there's the intersection of that and the rule proposal, which has very specific timeframes on when you're required to notify, potentially notify, the SEC, where I may not have that same timeframe in my contract with the vendor.
As much as I would like them to agree to it, they oftentimes will say, we'll get back to you "reasonably promptly." And it may not be when they first identify the issue, it may be when they have their arms around it and can tell you exactly what's going on and that most likely would take longer than 48 hours. So then what happens if this is a new rule and my vendor refuses to put that into their agreement? How am I supposed to comply with it? So that's definitely a concern that I have and others have expressed as well.
Scott Mascianica: You touched on another explosive part of the rule, which is the 48-hour, you know, near real-time notification requirement. The time frame in and of itself is notable. And you talk about the challenges of having to provide notification within a 48-hour window; certainly a number of the 50 states have a breach notification rule, and some of those timeframes are pretty narrow. But here's the thing to me that jumps out: what's the trigger? The trigger isn't that an advisor has definitively determined that a cybersecurity incident has occurred. Rather, it is if they have a reasonable basis to believe that a cybersecurity incident has occurred or is occurring. And in the rule, the SEC specifically says that this standard is not one where this has definitively occurred, meaning that it is something less than an actual definitive determination of an event that would trigger notification.
Barry Greenberg: I think there were something like 56 or 57 comments that I saw posted on the SEC's website. Most of them tended to touch on this general issue, the notification requirement, and highlighted potential concerns ranging from not knowing exactly what you're dealing with in that quick of a timeframe to, okay, we've noticed that there was an email account that was hacked, but what was the extent of it, how much information was compromised, and where did that information go? And as you often do the forensics around this, more information comes to light over time. It doesn't happen instantaneously, and often if you're dealing with a third-party vendor, as I alluded to earlier, you may not be getting much information from them. They're giving you the pushback saying we're still investigating, yet we're doing everything we can and we'll get back to you. And so what are you supposed to do? So you then send a somewhat vague notice to the SEC saying that we're dealing with an issue. But then as more information comes in, presumably you would need to continue to update that notification as additional information becomes available, potentially even contradicting what you might have initially notified them of. And how is that protecting investors if at the end of the day, let's say it's a week later, you determined that it wasn't as material as we thought it was, but we still have to go through this expensive and time-consuming exercise? Going back to Jessica's point, if this occurs and the rule is adopted as proposed, speaking for myself, any time I'm going to notify a regulator, I'm going to make sure that I have good counsel advising me on how to do that. That's an additional expense. And dealing in a very uncertain time with lots of other things that are going on, both internally with managing the business and not just the SEC, but other regulators.
Especially if this is a data breach issue where you're now having to potentially notify other regulators as well. It's not something to be taken lightly to have this additional responsibility.
Jessica Magee: The practical reality of having to stick that kind of landing on that kind of timeframe, I think for all the reasons you've identified is creating risk and is creating distraction. In a time when presumably everybody agrees, the best possible thing that can be happening is for the firm to have its attention focused on figuring out the newspaper facts of what happened. Is it happening and then stop it from happening, rather than sort of the modern exercise of trying to describe what we know and provide it to other third parties. It just seems to invite the risk of taking the eye off the prize of what really needs to be happening. And also, if you're communicating information, you know, that's likely subject to change into a regulator, you should expect they're going to do something with that information. It's not just going to sit on a shelf or sit on someone's desk where they're thinking "Great, thanks, Barry, for sending that in. Let me know if you need me to do anything." I don't think that's the purpose behind it. I don't quite know what the purpose is, but you know, my litigator mind immediately goes to when registrants are sending information in, supplementing or modifying that information, what are the uses? What are the potential uses? What are the expected uses? Are things going to be handed off to enforcement? Are they going to be handed off for risk based examination? And maybe smarter people than me have said, no, no, that's not going to happen and here's why. But I think it's at least a reasonable conversation topic.
Barry Greenberg: I was going to say one other thing. Not only is the question what are the regulators going to do with it, but one of the commentators raised a really good point, to the extent that you're providing disclosure about how this happened, are you providing unwanted information to hackers to potentially use against someone else? So the SEC is saying that they're doing this so that they can do their oversight responsibility. And as you know, use the information to perform their duty. But if it's public information, that means everybody has access to it, including people that may not want to use it in such a highbrow manner.
Scott Mascianica: To me, the ongoing reporting obligation here, at least as it's proposed, I feel like it's going to put advisors on just the reporting treadmill because at least as it's drafted, any time that there is material new information about a prior incident, there is an expectation about a disclosure within 48 hours after learning that new material information. And I think particularly as you're in the early stages of incident response, there is material information that is coming at you extremely frequently. And so just practically speaking, I'm having a hard time seeing what that could look like in practice in a way that just wouldn't be extremely burdensome for advisers. And at some point, Barry to your point, potentially this information would ultimately lose its utility because you're ultimately needing to push out such a constant stream of information about your incident response in near real time. And to Barry's point, I also agree that as you're pushing out this information, to the extent that it's publicly available, that is ultimately going to add another layer of cybersecurity risk.
Implications and Causes for Concern
Jessica Magee: For the layperson, what are the things to know and where do you think there's, you know, if not cause for concern, hover over and think about what the real implications might be.
Scott Mascianica: If I'm thinking about this from the layperson's perspective and putting myself in their shoes and as an investor and thinking about that, I'm wanting to know what's the benefit for me? How does this help me? And I think those in favor of the proposal would argue that this type of proposal is going to incentivize a more robust, comprehensive cybersecurity program for advisors and funds. Those who are critical of the rule and who are highlighting some of the issues and potential deficiencies with the rule, I think would really question whether or not this is information that's ultimately going to add utility to the very people that these rules, I think, are meant to protect; the actual advisory clients. Those who are actually having their money invested with advisors and in these funds. And in fact, Commissioner Lee even pointed out in her statement on the SEC advisor rule proposal a question about whether the requirements on notification, which are to the SEC, whether there's not some specific core area as it relates to similar disclosure, as it relates to the clients. And that is not me at all saying that that should be something that the SEC should include or should pile on top of this. But I think it really shows a disconnect here in terms of how this will ultimately benefit or could theoretically benefit the end client whose information that the SEC is seeking to protect ultimately, at least based on the way that they have advertised the proposal. So I understand, I think everybody can agree that cybersecurity is important, it is necessary. Having comprehensive policies that address risks from a risk based perspective are important and tied to a company's financial security. I'm just not sure that this rule ultimately accomplishes that.
Barry Greenberg: I don't know that a prescriptive rule like this is necessary, and I think I do see the proper role that the regulator sees in making sure that the firms that I regulate are taking cyber seriously. But my sense is that most firms are already doing that. And for those that aren't, there's already an enforcement mechanism in place for the SEC to go after that as well, and undoubtedly, when it's likely adopted, it will add additional costs and burden to registrants to make sure that they comply with it. And the other interesting point to make, I think, is the approach. So when you look at privacy, the SEC largely has taken the position that you need to assess what your privacy areas of risk are and then adopt policies and procedures to address those specific to your firm. And that's really where things stand today, whereas they're proposing a different approach here: instead of allowing firms to make that internal decision on how to put in place a program for themselves, they're prescribing a set of rules that you will have to follow. And that's a different approach. And I'm not sure that it's necessarily warranted here. And that has been a point that a couple of the commentators have made. So I guess we'll see what happens.
Jessica Magee: When you step back and look at both rules, on the public company side, on the RIA and fund side, and you just read any number of the public statements, the drumbeat is, investors want this, they need it. We're making or proposing these rules for consistency, clarity, conformity, all of which are laudable principles. I don't know that there would be reasonable disagreement with that, but the devil is always in the details. And I think on a fair read of these rules, particularly the rule we're covering today, you can't help but wonder what level of trust exists, to your point, that firms are getting it right, that they're doing it right, and they're best positioned to know thyself, to tailor policies and procedures, to implement them, to bake them into the culture and reinforce them over time. If you don't trust that's happening, as you say, or you see that it is not, there certainly are mechanisms to enforce the law. So my view is we're going to see something very, very similar when it's all said and done to what was proposed. And I'm going to be so curious to see how that comes through. And the Division of Enforcement, I mean, it's not for nothing. If every rule that's been proposed or may still yet be proposed goes into effect, I don't know how much or how quickly we'll see needles moving on the enforcement side. I know there'll be a lot of writing about it. You can expect we'll be contributing to that. But it's not like you've got people who are all of a sudden going to be cloned and enforcement's going to double in size and capacity, much less necessary appetite to enforce a brand new rule in brand new ways. Scott?
Scott Mascianica: If you look just going back to how the Division of Enforcement has approached enforcement activity in the regulated space, you can count on two hands the number of enforcement actions that they filed. But to the discussion earlier, there have been countless cybersecurity investigations to date that we don't know about. And I know I supervised a number of them, which we ultimately closed, and those all take a toll. I think here, as we look at trends and we're following breadcrumbs from enforcement activity, as the SEC Division of Enforcement continues to utilize more controls-based or policies-and-procedures-based type charges, I think that suggests that as you see these rules that are very heavy on policies and procedures, and to Barry's point earlier, where they are not providing a great deal of flexibility to the parties to ultimately decide what they need from a principles- and a risk-based perspective, but saying this is something that you specifically need, that is going to provide a more significant hook for the Division of Enforcement to be able to bring enforcement actions in this space and engage in some Monday morning quarterbacking, when cyber attacks are going to happen, breaches are going to happen. That's just a statistical fact. And I'll be interested to see what that looks like. I don't know that it will happen right away just because of the lifecycle of an investigation at the Division of Enforcement, because of the time period for these rules being implemented and how the Division of Enforcement responds in that regard. But I think we are going to see it. To me, the question isn't if, it's just more a question of when.
Jessica Magee: On that rosy note, Barry, any other aspects of the proposed rule? I know you read it carefully. I know you're thinking about it differently than Scott and I are, because you're having to really plan for implementation. I know you guys already live and breathe these things every day. This is something that you, like Scott, think about in your free time at night when you're curled up by the fire. But before we start to wrap up, what more do you think people need to know about, or what perspectives do you think they ought to consider when thinking about this proposed rule?
Implementation of SEC Proposed Rules
Barry Greenberg: The challenge is going to that next level of saying, "let's look at exactly what would be required and what's different than what we already have in place." And so I think that in this period of time where we're in between, you know, the comments have been received, the SEC is taking a look at those comments and will likely make some changes, hopefully make some changes, to the proposed rule when it comes out. I do think that it seems the consensus was that there will likely be a pretty lengthy implementation period to give firms time to get ready for the new rule. But now's a good time to sort of say, "okay, if the rule was adopted as is, what would we need to change? And what processes would we need to change?" And one of the things, one of the less glamorous parts of the rule, is the recordkeeping requirement. And if you look carefully at the things that would be required under the rule, there are records that firms may have, but they may not be being deliberate about maintaining them in a way that they would need to be potentially produced to the regulators. And so I would encourage folks, if you haven't looked at the recordkeeping aspects, that's something that we're looking at and an area that shouldn't be overlooked as you're considering how you're going to have to potentially comply with this new rule.
Jessica Magee: Scott, what else do you think people should really be focusing in on or maybe thinking about a little differently or more carefully?
Scott Mascianica: We don't know what the final rule is going to look like, and we don't know what the final rules will look like for public companies. We don't know what they're going to look like for advisors, but the rules are going to result in significant changes. And those changes, whether there's a firm like Barry's who have their I's dotted and T's crossed and feel like we're good, or firms that read the rule and maybe let out an expletive or two, there is going to need to be a change in how companies respond, just, if nothing else, from an incident response reporting perspective, because that's something that's going to be new. And I think that the costs associated with that, whether that be the financial cost of having to implement these policies, the needing to deal with exams, focusing on recordkeeping requirements that Barry mentioned, new policies and procedures that maybe need to be more formalized and documented than before, or from a litigation or enforcement perspective. There are going to be collateral implications from a rule that's imposed, and what exactly those will be will depend on the final version of the rule. I personally expect that it's going to be substantially similar to the proposal, just based on the composition of the Commission and the amount of time that they have to ultimately bring the rule to proposal form.
Closing Thoughts: We're Not Walking Around in the Dark
Jessica Magee: We're not walking around entirely in the dark. Barry made a great point earlier about guidance that's been issued over time. There is information you can read. It's not perfect, it's not entirely complete, but there are lots and lots of data points that have happened with the passage of time that bring us to today. The SEC, while it has issued very lengthy rules and it's important to read them, also released fact sheets that are capsule summaries of the rule. Talk to good leaders like Barry, who have been thinking about these things for a long time from a lot of different perspectives. Reach out to Scott, reach out to me. You are not alone, I guess, is the message. It takes a village not only to ensure good cybersecurity compliance and planning, but also to understand what new rules mean in terms of implementation and potential examination and enforcement. And with that, I just want to say, Barry, thank you so much for taking time out of your busy schedule to sit down and talk with us. I wish only that it were over breakfast, but we'll do that again soon. But I'm so glad you joined us for coffee. Thank you for coming to sit down with us today.
Barry Greenberg: Thank you so much for inviting me, Jessica. It's really been fun and I look forward to future Coffees & Conversations.
Jessica Magee: Absolutely. Scott, thank you as well. I'll come down the hall and shake your hand officially and congratulate you on not screwing up your first Coffee & Conversation as a Holland & Knight partner. You knocked it out of the park. We never doubted.
Scott Mascianica: That wasn't what you said before we started.
Jessica Magee: Thank you, Scott. Thank you, Barry. Thank you to everybody watching. Feel free to reach out to us any time and we will be back with you soon with another episode of Coffee & Conversation.