Ropes & Gray is all over CyberSecurity! Note the l
Post# of 82672
(Total Views: 419)
Posted On: 03/27/2018 9:12:30 AM
Ropes & Gray is all over CyberSecurity! Note the last paragraph.
March 23, 2018
Cybersecurity Oversight
by Ropes & Gray LLP
THIS IS THE FIRST UPDATE from a working group of
investment management and cybersecurity attorneys.
We look forward to sharing more insights on cybersecurity
trends and developments of concern to the
investment management industry.
CYBERSECURITY OVERSIGHT
FINANCIAL REGULATORS continue to expand their reach in the cybersecurity
space, and funds, fund sponsors, and advisers should
take note. Most recently, on February 12, the CFTC fi led a simultaneous
Order and Settlement against AMP Global Clearing
LLC (AMP), a registered futures commission merchant, related
to a breach of its networks in April 2017 by a third party who
obtained approximately 97,000 AMP fi les, including customers’
personal information. Notably, the CFTC did not charge AMP
under its regulation requiring that registrants have in place policies
and procedures to safeguard customer records and information;
rather, the CFTC proceeded under a separate regulation
requiring that registrants diligently supervise any delegated entity
tasked with performing any aspect of the registrant’s business
activities. The Order and Settlement highlight the importance
for funds, fund sponsors, and advisers of adequately supervising
their service providers’ cybersecurity measures.
BACKGROUND ON THE AMP ORDER AND SETTLEMENT
AMP had adopted a written information systems security
program (ISSP) that delegated to an IT provider the implementation
of certain provisions, including (1) identifying and
performing risk assessments of network access routes, and (2)
performing quarterly network risk assessments to identify and
report vulnerabilities to AMP. In June 2016, the IT provider
installed a back-up data storage device, but failed to identify a
default feature that allowed third parties to access AMP’s backup
fi les from the Internet without permissions. In April 2017,
a third party detected this vulnerability on AMP’s network
and successfully copied approximately 97,000 fi les from the
installed back-up data storage device, unbeknownst to AMP.
The CFTC therefore concluded that the IT provider violated
the ISSP, fi rst by failing to identify or run a risk assessment of
the problematic feature in its initial installation, and second
by failing to report any network abnormalities or concerns
in each of three quarterly network risk assessments between
the time of installation and when the third party accessed the
AMP network.
The CFTC proceeded, however, not against the service provider
(which was outside of its jurisdiction, in any event), but against
AMP for failure to supervise the vendor. As evidence of its failure
to diligently supervise its IT provider, the CFTC pointed
to the 10-month period during which AMP was unaware that
thousands of customer records were unprotected, and the fact
that AMP only learned of the subsequent breach when notifi ed
by the third party. Notably, the CFTC did not identify any specifi
c action (or lack thereof) by AMP in determining that AMP
had failed to adequately supervise its service provider, instead
pointing to circumstantial factors such as the length of time the
vulnerability remained unremediated as the bases for its charge.
CFTC AND SEC CYBERSECURITY REGULATIONS
Regulations and interpretive notices published by the CFTC and
the National Futures Association (NFA), the self-regulatory
organization for the U.S. derivatives industry, put in place a
framework for registrants’ obligations for cybersecurity. CFTC
registered entities are required, for example, to “adopt policies
and procedures that address administrative, technical and physical
safeguards for the protection of customer records and information”
under Regulation 160.30. The CFTC has issued a staff
advisory clarifying that the policies and procedures should be in
writing and should identify reasonably foreseeable security risks
and the controls for assessing and mitigating such risks. The
NFA’s Interpretive Notice 9070 similarly requires NFA Members
to “adopt and enforce a written ISSP reasonably designed
to provide safeguards appropriate to the Member’s size, complexity
of operations, type of customers and counterparties, the
sensitivity of the data accessible within its systems, and its electronic
interconnectivity with outer entities, to protect against
security threats or hazards to their technology systems.”
The SEC has issued similar rules, compliance with which will
also satisfy obligations under CFTC Regulation 160.30. Regulation
S-P requires registered broker-dealers, investment companies,
and investment advisers to “adopt written policies and
procedures that address administrative, technical, and physical
safeguards for the protection of customer records and information.”
The regulation goes further to specify that policies and
procedures must be “reasonably designed” to protect customer
information, protect against anticipated threats to the security
of customer information, and prevent any unauthorized “access to or use of” any customer information that could result in
“substantial harm or inconvenience to any customer.”
Interestingly, however, in its recent action against AMP, the
CFTC did not rely on Regulation 160.30 and related notices.
Instead, the CFTC brought charges under Regulation 166.3,
which broadly imposes supervisory obligations on CFTC-registered
fund sponsors and commodity trading advisers. In
doing so, the CFTC expanded its enforcement reach beyond
failures to maintain policies and procedures to the supervisory
obligations of registrants in the cybersecurity space. AMP had
adopted an ISSP pursuant to NFA Interpretive Notice 9070—
but its cybersecurity obligations did not end there.
DUTY TO SUPERVISE
Both the CFTC and SEC have in place regulations imposing
supervisory obligations on registered fund sponsors and commodity
trading advisers, and registered investment companies,
advisers, and broker-dealers, respectively. CFTC registrants,
for example, are required to “diligently supervise the handling
by its partners, officers, employees and agents” of all
of the registrant’s business activities, including the securing of
networks handling such business. Identifying a violation of
the operative regulation, Regulation 166.3, is a fact-intensive
determination that examines whether (1) the registrant’s supervisory
system is generally inadequate, or (2) the registrant
failed to perform is supervisory duties diligently.1
Registrants
have an affirmative duty to actively supervise their delegates
by instituting procedures for both detecting and preventing
wrongdoing by such persons, including appropriate supervisory
structures and compliance programs.2
Evidence of inadequate
supervision can come from the nature of the violations
themselves or from repeated violations.3
Under the fund compliance rule (Rule 38a-1), the SEC similarly
requires every registered investment company and business
development company to “[a]dopt and implement written policies
and procedures reasonably designed to prevent violation
of the Federal Securities Laws by the fund, including policies
and procedures that provide for the oversight of compliance
by each investment adviser, principal underwriter, administrator,
and transfer agent of the fund.” Rule 206(4)-7 likewise requires
advisers to institute policies and procedures to prevent violations, which could include oversight of their vendors’ cybersecurity.
Indeed, oversight of vendors has been cited by the
SEC’s Division of Investment Management as a key measure for
implementing effective compliance programs under Rules 38a1
and 206(4)-7. In guidance published by the SEC’s Office of
Compliance Inspection and Examination (OCIE) on its Cybersecurity
Examination Initiative, which reviewed the cybersecurity
practices of broker-dealers, investment advisers, and investment
companies, OCIE has also stressed the importance of implementing
practices and controls related to vendor management,
including ongoing monitoring and oversight of vendors. OCIE
has gone as far as to indicate that an element of robust policies
and procedures is to require third-party vendors to periodically
provide logs of their activities on a firm’s network.
In the AMP Order, the CFTC connects registrants’ information
security obligations with their diligent supervision obligations—asserting
that it “flow naturally” from a registrant’s
obligation to adopt appropriate policies and procedures to
safeguard customer information under Regulation 160.30 that
the same registrant must, under Regulation 166.3, diligently
supervise how those policies and procedures are implemented
by downstream service providers, including the IT providers
tasked with securing a registrant’s network infrastructure and
customer data. With the AMP Order, the CFTC is sending a
clear signal that registrants cannot “abdicate” their data security
responsibilities under Regulation 166.3 by simply passing
them on to a service provider without further liability.
The AMP action emphasizes the importance of robust cybersecurity
oversight of vendors and the ease with which a regulated
entity can find itself in the crosshairs of an enforcement action.
The broader regulatory landscape and the SEC’s toolbox can
lead to similar results. Comprehensive, documented technical
and physical safeguards for customer records and information
alone are not sufficient. Funds, fund sponsors, and advisers
should also actively oversee the cybersecurity activities of their
vendors and document those efforts. The level of diligence required,
which could include security questionnaires or more detailed
examinations, could depend on the level of access granted
to the vendor as well as an overall assessment of the vendor’s
risk profile. For vendors providing critical IT services, such as
with AMP, a more rigorous level of oversight is likely required.
Paulita Pike
Partner, Chicago
Investment Management
paulita.pike@ropesgray.com
+1 312 845 1212
CONTACTS
Elizabeth Reza
Partner, Boston
Investment Management
elizabeth.reza@ropesgray.com
+1 617 951 7919
Heather Sussman
Partner, Boston
Privacy & Cybersecurity
heather.sussman@ropesgray.com
+1 617 951 7125
Kevin Angle
Counsel, Boston
Privacy & Cybersecurity
kevin.angle@ropesgray.com
+1 617 951 7428
March 23, 2018
Cybersecurity Oversight
by Ropes & Gray LLP
THIS IS THE FIRST UPDATE from a working group of
investment management and cybersecurity attorneys.
We look forward to sharing more insights on cybersecurity
trends and developments of concern to the
investment management industry.
CYBERSECURITY OVERSIGHT
FINANCIAL REGULATORS continue to expand their reach in the cybersecurity
space, and funds, fund sponsors, and advisers should
take note. Most recently, on February 12, the CFTC fi led a simultaneous
Order and Settlement against AMP Global Clearing
LLC (AMP), a registered futures commission merchant, related
to a breach of its networks in April 2017 by a third party who
obtained approximately 97,000 AMP fi les, including customers’
personal information. Notably, the CFTC did not charge AMP
under its regulation requiring that registrants have in place policies
and procedures to safeguard customer records and information;
rather, the CFTC proceeded under a separate regulation
requiring that registrants diligently supervise any delegated entity
tasked with performing any aspect of the registrant’s business
activities. The Order and Settlement highlight the importance
for funds, fund sponsors, and advisers of adequately supervising
their service providers’ cybersecurity measures.
BACKGROUND ON THE AMP ORDER AND SETTLEMENT
AMP had adopted a written information systems security
program (ISSP) that delegated to an IT provider the implementation
of certain provisions, including (1) identifying and
performing risk assessments of network access routes, and (2)
performing quarterly network risk assessments to identify and
report vulnerabilities to AMP. In June 2016, the IT provider
installed a back-up data storage device, but failed to identify a
default feature that allowed third parties to access AMP’s backup
fi les from the Internet without permissions. In April 2017,
a third party detected this vulnerability on AMP’s network
and successfully copied approximately 97,000 fi les from the
installed back-up data storage device, unbeknownst to AMP.
The CFTC therefore concluded that the IT provider violated
the ISSP, fi rst by failing to identify or run a risk assessment of
the problematic feature in its initial installation, and second
by failing to report any network abnormalities or concerns
in each of three quarterly network risk assessments between
the time of installation and when the third party accessed the
AMP network.
The CFTC proceeded, however, not against the service provider
(which was outside of its jurisdiction, in any event), but against
AMP for failure to supervise the vendor. As evidence of its failure
to diligently supervise its IT provider, the CFTC pointed
to the 10-month period during which AMP was unaware that
thousands of customer records were unprotected, and the fact
that AMP only learned of the subsequent breach when notifi ed
by the third party. Notably, the CFTC did not identify any specifi
c action (or lack thereof) by AMP in determining that AMP
had failed to adequately supervise its service provider, instead
pointing to circumstantial factors such as the length of time the
vulnerability remained unremediated as the bases for its charge.
CFTC AND SEC CYBERSECURITY REGULATIONS
Regulations and interpretive notices published by the CFTC and
the National Futures Association (NFA), the self-regulatory
organization for the U.S. derivatives industry, put in place a
framework for registrants’ obligations for cybersecurity. CFTC
registered entities are required, for example, to “adopt policies
and procedures that address administrative, technical and physical
safeguards for the protection of customer records and information”
under Regulation 160.30. The CFTC has issued a staff
advisory clarifying that the policies and procedures should be in
writing and should identify reasonably foreseeable security risks
and the controls for assessing and mitigating such risks. The
NFA’s Interpretive Notice 9070 similarly requires NFA Members
to “adopt and enforce a written ISSP reasonably designed
to provide safeguards appropriate to the Member’s size, complexity
of operations, type of customers and counterparties, the
sensitivity of the data accessible within its systems, and its electronic
interconnectivity with outer entities, to protect against
security threats or hazards to their technology systems.”
The SEC has issued similar rules, compliance with which will
also satisfy obligations under CFTC Regulation 160.30. Regulation
S-P requires registered broker-dealers, investment companies,
and investment advisers to “adopt written policies and
procedures that address administrative, technical, and physical
safeguards for the protection of customer records and information.”
The regulation goes further to specify that policies and
procedures must be “reasonably designed” to protect customer
information, protect against anticipated threats to the security
of customer information, and prevent any unauthorized “access to or use of” any customer information that could result in
“substantial harm or inconvenience to any customer.”
Interestingly, however, in its recent action against AMP, the
CFTC did not rely on Regulation 160.30 and related notices.
Instead, the CFTC brought charges under Regulation 166.3,
which broadly imposes supervisory obligations on CFTC-registered
fund sponsors and commodity trading advisers. In
doing so, the CFTC expanded its enforcement reach beyond
failures to maintain policies and procedures to the supervisory
obligations of registrants in the cybersecurity space. AMP had
adopted an ISSP pursuant to NFA Interpretive Notice 9070—
but its cybersecurity obligations did not end there.
DUTY TO SUPERVISE
Both the CFTC and SEC have in place regulations imposing
supervisory obligations on registered fund sponsors and commodity
trading advisers, and registered investment companies,
advisers, and broker-dealers, respectively. CFTC registrants,
for example, are required to “diligently supervise the handling
by its partners, officers, employees and agents” of all
of the registrant’s business activities, including the securing of
networks handling such business. Identifying a violation of
the operative regulation, Regulation 166.3, is a fact-intensive
determination that examines whether (1) the registrant’s supervisory
system is generally inadequate, or (2) the registrant
failed to perform is supervisory duties diligently.1
Registrants
have an affirmative duty to actively supervise their delegates
by instituting procedures for both detecting and preventing
wrongdoing by such persons, including appropriate supervisory
structures and compliance programs.2
Evidence of inadequate
supervision can come from the nature of the violations
themselves or from repeated violations.3
Under the fund compliance rule (Rule 38a-1), the SEC similarly
requires every registered investment company and business
development company to “[a]dopt and implement written policies
and procedures reasonably designed to prevent violation
of the Federal Securities Laws by the fund, including policies
and procedures that provide for the oversight of compliance
by each investment adviser, principal underwriter, administrator,
and transfer agent of the fund.” Rule 206(4)-7 likewise requires
advisers to institute policies and procedures to prevent violations, which could include oversight of their vendors’ cybersecurity.
Indeed, oversight of vendors has been cited by the
SEC’s Division of Investment Management as a key measure for
implementing effective compliance programs under Rules 38a1
and 206(4)-7. In guidance published by the SEC’s Office of
Compliance Inspection and Examination (OCIE) on its Cybersecurity
Examination Initiative, which reviewed the cybersecurity
practices of broker-dealers, investment advisers, and investment
companies, OCIE has also stressed the importance of implementing
practices and controls related to vendor management,
including ongoing monitoring and oversight of vendors. OCIE
has gone as far as to indicate that an element of robust policies
and procedures is to require third-party vendors to periodically
provide logs of their activities on a firm’s network.
In the AMP Order, the CFTC connects registrants’ information
security obligations with their diligent supervision obligations—asserting
that it “flow
obligation to adopt appropriate policies and procedures to
safeguard customer information under Regulation 160.30 that
the same registrant must, under Regulation 166.3, diligently
supervise how those policies and procedures are implemented
by downstream service providers, including the IT providers
tasked with securing a registrant’s network infrastructure and
customer data. With the AMP Order, the CFTC is sending a
clear signal that registrants cannot “abdicate” their data security
responsibilities under Regulation 166.3 by simply passing
them on to a service provider without further liability.
The AMP action emphasizes the importance of robust cybersecurity
oversight of vendors and the ease with which a regulated
entity can find itself in the crosshairs of an enforcement action.
The broader regulatory landscape and the SEC’s toolbox can
lead to similar results. Comprehensive, documented technical
and physical safeguards for customer records and information
alone are not sufficient. Funds, fund sponsors, and advisers
should also actively oversee the cybersecurity activities of their
vendors and document those efforts. The level of diligence required,
which could include security questionnaires or more detailed
examinations, could depend on the level of access granted
to the vendor as well as an overall assessment of the vendor’s
risk profile. For vendors providing critical IT services, such as
with AMP, a more rigorous level of oversight is likely required.
Paulita Pike
Partner, Chicago
Investment Management
paulita.pike@ropesgray.com
+1 312 845 1212
CONTACTS
Elizabeth Reza
Partner, Boston
Investment Management
elizabeth.reza@ropesgray.com
+1 617 951 7919
Heather Sussman
Partner, Boston
Privacy & Cybersecurity
heather.sussman@ropesgray.com
+1 617 951 7125
Kevin Angle
Counsel, Boston
Privacy & Cybersecurity
kevin.angle@ropesgray.com
+1 617 951 7428
(6)
(0)Zerify Inc (ZRFY) Stock Research Links
Scroll down for more posts ▼