Last week the SEC released this: SEC Announces Three Actions Charging Deficient Cybersecurity Procedures. From the first sentence in the press release:
The Securities and Exchange Commission today sanctioned eight firms in three actions for failures in their cybersecurity policies and procedures that resulted in email account takeovers exposing the personal information of thousands of customers and clients at each firm.
Put another way: eight firms had a bunch of email accounts get hacked because of failures in their cybersecurity programs, which exposed thousands of customers' personal information, so the SEC disciplined them.
Most of us who deal with SEC regulation (myself included) do not enjoy the work of ensuring we are compliant with SEC regulations, but the truth is that there are good reasons for those regulations. As stewards of our clients' personal information, we are morally obligated to protect this data - hence the SEC's creation of Rule 30(a) in Regulation S-P, which adds a regulatory obligation to protect this data.
According to the SEC, what specifically did these firms do wrong?
Lack of MFA
The SEC notes that the Cetera and Cambridge firms neglected to enforce MFA (multi-factor authentication). MFA is not a silver bullet, but it is a common-sense protection that should be enabled everywhere possible. Most (but not all) of the actual email-based phishing attacks we see at SEM would fail if an account has MFA enabled, even if the victim does give away their username and password.
On that note, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) recently updated its list of bad practices to include single-factor authentication (i.e. not using MFA).
It seems that Cetera understood this on paper, because their policies said that MFA was required "everywhere possible". This leads us to the next point:
Not doing what you say you're doing
It's not enough to just create good cybersecurity policies - you have to actually enforce those policies, too. Good policies help instill confidence if someone is doing due diligence on your firm, and they may even survive a high-level audit on their own - but unless you actually follow the policies, they are useless for protecting client data. The whole point of this is to actually protect client data.
Also, the SEC really does not like when firms don't do what they say they're doing. If the SEC does an audit and sees that you have a policy but don't actually follow it, that's bad news. It's even worse news if you've had a bunch of email accounts get breached because you didn't follow that policy.
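To make the two points above concrete (MFA stops a login even when the username and password have been phished, and a written "MFA everywhere" policy only helps if the login path actually refuses accounts that were never enrolled), here is an added example that is not code from the original post or from SEM. It implements the standard RFC 6238 TOTP check with only the Python standard library, over a constructed, hypothetical account directory; the account names, passwords, the `login` result tags and the `accounts_missing_mfa` audit helper are all assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Dict, List, Optional

# Constructed sample account directory (hypothetical, not from the post).
# The firm's written policy says MFA is required "everywhere possible", so
# every account is expected to have an enrolled TOTP secret. A real system
# stores salted password hashes; plain strings keep the example short.
ACCOUNTS: Dict[str, Dict[str, Optional[str]]] = {
    "alice": {"password": "correct-horse-battery",
              "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"},  # RFC 6238 test key
    "bob":   {"password": "hunter2",
              "totp_secret": None},  # policy gap: never enrolled in MFA
}


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret_b32, at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, step: int = 30, skew: int = 1) -> bool:
    """Accept the current window plus `skew` windows either side for clock drift."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(secret_b32, counter + d), code)
        for d in range(-skew, skew + 1)
    )


def login(username: str, password: str, otp: Optional[str], at: Optional[int] = None) -> str:
    """Return a short result tag; only "ok" grants access."""
    at = int(time.time()) if at is None else at
    account = ACCOUNTS.get(username)
    if account is None or not hmac.compare_digest(account["password"] or "", password):
        return "bad_credentials"
    # Enforcement, not just policy text: an account that was never enrolled is
    # refused rather than silently falling back to password-only access.
    if account["totp_secret"] is None:
        return "mfa_not_enrolled"
    if otp is None or not verify_totp(account["totp_secret"], otp, at):
        return "mfa_failed"
    return "ok"


def accounts_missing_mfa(accounts: Dict[str, Dict[str, Optional[str]]] = ACCOUNTS) -> List[str]:
    """Audit check for the policy review: which accounts violate 'MFA everywhere'?"""
    return sorted(user for user, acct in accounts.items() if acct["totp_secret"] is None)


if __name__ == "__main__":
    now = 59  # RFC 6238 test vector time; falls in counter window 1
    code = totp(ACCOUNTS["alice"]["totp_secret"], now)
    print("phished password, no second factor:", login("alice", "correct-horse-battery", None, now))
    print("legitimate user with authenticator: ", login("alice", "correct-horse-battery", code, now))
    print("account never enrolled in MFA:      ", login("bob", "hunter2", None, now))
    print("policy audit, accounts missing MFA: ", accounts_missing_mfa())
```

The `skew` window of one step either side is the usual tolerance for authenticator clock drift; widening it weakens the check. The audit function is the part that turns the policy into something checkable: run it against the real account directory, and a non-empty result is exactly the "policy says MFA everywhere, but it isn't enforced" finding described above.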
Not fixing holes in your policies and procedures
The truth is that you will discover holes in your cybersecurity program. You might even discover them because an attacker successfully got into one of your mailboxes. While that's not great, the best thing you can do is immediately move to take care of the breach and then implement policies and procedures to make sure it doesn't happen again. Here's what the SEC said about KMS' response:
Although KMS discovered the first email account compromise in November 2018, it failed to adopt written policies and procedures requiring additional firm-wide security measures for all KMS email users until May 2020, and did not fully implement those measures until August 2020.
Almost two years is too long.
When the SEC releases reports like this, it's a good opportunity for us to check how our firm is doing. If your firm has any of the same deficiencies that the SEC identified in this press release, now is a good time to fix them.