Guiding Principles for Cyber Risk Governance: Principles for Directors in Overseeing Cybersecurity

The purpose of this document is to provide boards of directors a set of Guiding Principles to enable the implementation of an effective cybersecurity program. A director should understand the full range of cyber risks facing his or her company and encourage management to develop appropriate strategies tailored to the company’s operating environment, risk profile, and long-term goals.

The specific needs of any effective cyber program include careful planning, smart delegation, and a system for monitoring compliance — all of which directors should oversee. It’s no longer a question of whether a company will be attacked but more a question of when this will happen — and how the organization is going to prevent it. Smart network surveillance, early warning indicators, multiple layers of defense, and lessons from past events are all critical components of true cyber resilience. When things go wrong, whether in a major or minor way, the ability to quickly identify and respond to a problem will determine the company’s ultimate recovery.

Cybersecurity cannot be guaranteed, but a timely and appropriate reaction can.

Longer term, the board should understand and consider the strategic business implications of cybersecurity, foster the right company culture surrounding security, and encourage the integration of cyber risk management practices into other governance and approval processes. In essence, the board should consider cybersecurity as a managerial issue, not just as a technical one.


President Trump Issues Executive Order to Establish Task Force on Market Integrity and Consumer Fraud

President Donald J. Trump issued an Executive Order instructing the Attorney General (“AG”) to establish a Task Force on Market Integrity and Consumer Fraud (the “Task Force”). The goal of the Task Force is to provide guidance on financial fraud and other crimes, including cyber fraud, that target members of the public.

Specifically, the Task Force will give recommendations to the AG on fraud enforcement activities across the DOJ regarding (i) actions to improve inter-agency cooperation in investigating and prosecuting financial crimes, (ii) actions to bolster communication among Federal, State, local and tribal authorities with respect to the detection, investigation and prosecution of financial crimes, and (iii) changes in “rules, regulations, or policy, or recommendations to . . . Congress regarding legislative measures, to improve the effective investigation and prosecution” of financial crimes.

The Task Force will terminate and replace the Financial Fraud Enforcement Task Force created by Executive Order 13519 on November 17, 2009, which is now revoked.

In remarks delivered in Washington D.C., SEC Chair Jay Clayton expressed support for the establishment of the Task Force. Mr. Clayton reaffirmed the importance of inter-agency cooperation when it comes to protecting retail investors, and underscored some of the actions that the SEC recently undertook to confront retail securities fraud. In particular, Mr. Clayton highlighted retail enforcement strategies, emergency actions, and cyber and initial coin offering (“ICO”) fraud. With respect to retail enforcement strategy, Mr. Clayton discussed the Retail Strategy Task Force created by the SEC in 2017 to provide additional protection for Main Street investors by developing strategies for dealing with various types of wrongdoing that most impact retail investors. Mr. Clayton also stated that in response to bad actors utilizing new technologies to commit ICO fraud, the Enforcement Division created a Cyber Unit to deal specifically with cyber-related crimes.

Lofchie Comment: There seem to be two major differences between the newly issued order and the Executive Order that it replaced.

First, the former Task Force included membership from a complete A-Z of agencies making it unwieldy at best. The reconstituted Task Force can call upon the agency alphabet as is needed.

Second, the former Task Force was established, in large measure, to address concerns related to the financial crisis. The new Task Force is forward-looking; it now includes fraud on the government, cyberfraud, fraud against senior citizens, health care fraud, and fraud involving cryptocurrencies.

GAO FinTech Report Calls for Improvements in Customer Protection and Regulatory Oversight

The Government Accountability Office (“GAO”) issued a report evaluating the risks and benefits, customer protections, and regulatory oversight of FinTech products and activities. Among other things, the GAO advised regulators to (i) improve interagency coordination, (ii) address competing concerns on financial account aggregation and (iii) analyze the feasibility of adopting successful foreign regulatory approaches.

The GAO report found that the fragmented regulatory framework, split between state and federal regulators, does not sufficiently address the risks of these products. The GAO advised regulators to protect customers by addressing the unique characteristics of FinTech products, including data security and privacy liabilities. The GAO also found that the regulatory framework presents several challenges to FinTech payment and lending firms, including costly and time-consuming compliance activities.

The GAO report praised innovation taken by regulators in foreign jurisdictions. A “regulatory sandbox” is one such innovation that allows regulators and FinTech firms to collaborate and understand evolving market trends. In practice, it allows FinTech firms to offer products on a limited scale, which enables firms and regulators to get useful feedback on the products and their risks. The GAO advised U.S. regulators to consider similar approaches and be adaptive to market innovations.

Lofchie Comment: According to the summary of the GAO report:

“The U.S. regulatory structure poses challenges to fintech firms. With numerous regulators, fintech firms noted that identifying the applicable laws and how their activities will be regulated can be difficult.”

A great part of the problem is the prevailing Dodd-Frank notion that more rules, more agencies and more overlapping authority means that the market is safer. The reality is that, in many cases, it just means that the system is more cumbersome and that greater authority in ever more governmental agencies provides even less certainty as to what the rules actually are. For a somewhat fuller discussion of the impact of regulatory complexity, here is a 2009 pre-Dodd-Frank article: The Future of Financial Regulation: Meet the New Regulators, Better Than the Old Regulators?

SEC Commissioner Highlights Cybersecurity as Serious Corporate Governance Issue

SEC Commissioner Robert J. Jackson, Jr. highlighted the increasing prevalence of cybercrime and its detrimental effect on public companies, citing over 1,000 incidents in 2016 alone that cost American companies more than $100 billion. Consistent with recent enhanced guidance on cybersecurity risks and disclosure obligations issued by the SEC, Commissioner Jackson encouraged collaboration between corporate counselors and the SEC to develop (i) proactive measures to combat cybercrime and to ensure timely and transparent disclosures following data breaches, (ii) corporate frameworks that discourage insider trading, and (iii) internal reporting structures to enable company boards and management to react.

Commissioner Jackson emphasized that when a security breach occurs, it must be reported to the public quickly. In the absence of timely disclosure, he warned, companies may ultimately face prosecution, pay significant settlements, and suffer reputational harm.

To prevent insider trading, Commissioner Jackson said that senior management should be aware that trading on breach-related information before the breach has been disclosed could be fraudulent. Since the law is less clear regarding non-insiders trading on material nonpublic information, he expressed concern that hackers may be able to profit by making strategic trades after they have executed a cyberattack but before the public has learned about it. To prevent this type of misconduct, Commissioner Jackson said that timely public disclosure must be prioritized in the wake of any cyberattack.

Commissioner Jackson also stressed how vital it is for public companies across all industries to build effective internal cybersecurity controls. In addition to cyber-oriented corporate policies and procedures, Commissioner Jackson urged Congress or the SEC to take further action to address the issue of corporate insider trading in the cybersecurity context.

CFTC and UK Financial Conduct Authority Sign FinTech Collaboration Arrangement

The CFTC and the UK Financial Conduct Authority (“FCA”) signed an agreement to facilitate collaboration, share information and support each other’s FinTech initiatives. This is the first FinTech arrangement for the CFTC with a non-U.S. counterpart.

The “Cooperation Arrangement” is primarily focused on the agencies’ respective FinTech initiatives, specifically the CFTC’s “LabCFTC” and the FCA’s “Innovate” programs. The regulators agreed to a framework for the exchange of information on businesses that participate in the programs, trends and developments in FinTech, regulatory issues surrounding FinTech development, best practices for engaging with innovators, and the activities of organizations that promote innovation. The regulators further committed to referring FinTech businesses to each other when such businesses are interested in operating in the other regulator’s jurisdiction. They also agreed to a variety of other measures intended to foster their mutual understanding of technology. The FCA and CFTC will host a joint event in London to facilitate FinTech firms’ engagement with both regulators.

CFTC Chair J. Christopher Giancarlo spoke of the groundbreaking nature of the arrangement: “This is the first FinTech innovation arrangement for the CFTC with a non-U.S. counterpart. We believe that by collaborating with the best-in-class FCA FinTech team, the CFTC can contribute to the growing awareness of the critical role of regulators in 21st century digital markets.” FCA Chief Executive Andrew Bailey agreed, saying, “As our first agreement of this kind with a U.S. regulator, we look forward to working with LabCFTC in assisting firms, both here in the UK and in the U.S., who want to scale and expand internationally in our respective markets.”

Lofchie Comment: Regulators cooperating with each other to better understand markets and products and to prepare for change is a far better approach than fighting over jurisdiction or shutting down change.

Global Markets into 2018

On December 6, the Center for Financial Stability (CFS) hosted a small private workshop for leaders in finance to delve into issues that will shape the future of asset values and investment management.

CFS Special Counselor Jack Malvey set the stage with an essay, “Toward the Mid-21st Century Global Financial System”:
www.CenterforFinancialStability.org/research/MalveyGlobal_Dec_2017.pdf

Workshop topics included:

– Geopolitics and Big Picture Challenges through 2020 – AI, cyber, etc.;
– Global Macro, Quantitative Tightening, and Financial Stability;
– Financial Industry Transitions – Active versus Passive Management, etc.; and
– Opportunities and Risks (a selection follows).

OPPORTUNITIES

– Buy cash today – the rate of return will be extraordinarily high.
– Central banks will more actively incorporate financial stability into actions and mandates.
– Emerging markets will outperform.
– The Fed desires to move further away from the zero lower bound.
– NPLs in China are overstated / bank earnings mitigate and neutralize risks.
– Global macro investment opportunities via uneven tightening.

RISKS

– I will buy cash – but tomorrow.
– Bitcoin correction.
– Limited attractive equity names based on valuation / similar to Tokyo in 1989.
– Geopolitical tensions will increase with North Korea, China, Russia, and Saudi Arabia.
– Inflation surprise / data may be misread.
– Artificial intelligence channeled for ill.

Best wishes into the Holiday Season and 2018!

SEC Chair Jay Clayton Updates House Finance Committee on EDGAR System Breach

SEC Chair Jay Clayton testified before the U.S. House Financial Services Committee, providing an update on the EDGAR system cybersecurity breach (see previous coverage). He also outlined the SEC’s regulatory agenda, reiterating previous testimony provided to the Senate Banking Committee (see previous coverage). His principal priorities include the facilitation of capital formation and encouraging initial public offerings.

NY Department of Financial Services Cybersecurity Regulation Now Effective

New York State’s “first-in-the-nation” cybersecurity regulation became effective on August 28, 2017.

The New York Department of Financial Services (“DFS”) cybersecurity regulation requires banks, insurance companies and other institutions regulated by the DFS (“covered entities”) to implement a cybersecurity program to protect consumer data (see previous coverage). A covered entity is required to have (i) a written cybersecurity policy or policies approved by the entity’s board of directors or a senior officer, (ii) a “Chief Information Security Officer” in place to protect data and systems, and (iii) other relevant “controls and plans” intended to fortify the safety of the financial services industry.

Firms also will be required to submit a Certification of Compliance annually that concerns the firm’s cybersecurity compliance program. The first such Certificate must be submitted by February 15, 2018. The DFS now requires covered entities to submit notices of certain cybersecurity events to the DFS Superintendent within 72 hours of any occurrence. Covered entities will be able to report cybersecurity events through the DFS online cybersecurity portal. Institutions also will be able to use the portal to file notices of exemption.

DFS Superintendent Maria Vullo commented on the program:

“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”


Lofchie Comment: As if the life of a compliance officer trying to manage technology risk was not worrisome enough, the NY DFS has now added a state-wide regulatory burden to their job. On the positive side, there is a three-day weekend coming.

OCIE Cybersecurity Report Shows “Overall Improvement”

The SEC Office of Compliance Inspections and Examinations (“OCIE”) examined 75 broker-dealers, investment advisers and investment companies as part of its Cybersecurity 2 Initiative to assess industry practices concerning cybersecurity preparedness. OCIE National Examination Program staff reported an overall improvement in awareness of cyber-related risks and the implementation of certain cybersecurity practices since the OCIE’s Cybersecurity 1 Initiative.

According to the OCIE Risk Alert, the Cybersecurity 2 Initiative examinations focused on written policies and procedures, and included more testing of controls. Specifically, it addressed:

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

Notably, the OCIE found that all broker-dealers, all funds, and nearly all advisers examined in the Cybersecurity 2 Initiative maintained written cybersecurity policies and procedures around the protection of customer/shareholder records. These findings contrasted with those of the Cybersecurity 1 examinations. The OCIE also found firms that were not “adhering to or enforcing” their policies and procedures, and firms where guidance for employees was too general. The OCIE report included recommendations to firms for improving the controls in their cyber programs.

In a related white paper on cyber risk, the Bank for International Settlements Financial Stability Institute evaluated the regulatory and supervisory initiatives in a number of leading jurisdictions, including Hong Kong SAR, Singapore, the United Kingdom and the United States. The report reviewed supervisory approaches to assessing the cyber-risk vulnerability and resilience of banks. The paper also identified a trend toward “threat-informed” testing frameworks, which use threat intelligence to design simulated cyber attacks when testing the cybersecurity of an entity.

SEC Economist Examines Role of Artificial Intelligence

SEC Division of Economic and Risk Analysis Acting Director and Chief Economist Scott Bauguess discussed the development and use of artificial intelligence and machine learning within the SEC, the challenges presented by artificial intelligence technologies, and the future of these technologies within the SEC.

Mr. Bauguess explained that progress in the development of artificial intelligence technologies has made it necessary for regulators to examine the potential uses and impacts of this technology on the regulatory environment. He observed that while there is obvious value in potentially being able to predict investor behavior more effectively, “latent variables,” such as fraud that remains unobserved until it is actually detected, make understanding likely outcomes an especially difficult task. Because of these unobservable outcomes and other difficulties, such as translating languages, the application of machine learning to regulating financial markets is less straightforward than it is in other contexts.

Machine learning has been utilized by the SEC in various capacities, including to analyze tips, complaints and referrals and to identify abnormal disclosures. Mr. Bauguess noted that machine learning is also useful for detecting potential investment adviser misconduct by identifying outlier reporting behaviors. While acknowledging the value of this form of analysis, he cautioned that reliance on machine learning technologies, such as feeding the results of unsupervised learning algorithms into further machine learning models, can lead to false positives, that is, instances where misconduct or an SEC rule violation is erroneously identified.

Mr. Bauguess concluded by emphasizing that although machine learning will improve the SEC’s ability to identify possible fraud or misconduct, he expects that “human expertise and evaluations” will always be necessary in the regulation of capital markets.

Lofchie Comment: This is technology expertise that the SEC should consider outsourcing. Perhaps the SEC should call up the credit card companies and ask them for some lessons in catching fraudulent transactions.