Article: How Dusty Are Your Cybersecurity Policies and Procedures?

August 28, 2019

Authored by: Steven Cheng

On September 26, 2018, the Securities and Exchange Commission (“the SEC”) announced that Voya Financial Advisors Inc. (“Voya”) agreed to pay $1 million to settle charges related to an April 2016 incident that compromised customer information. While there was no harm to Voya’s customers, the SEC charged Voya with violating: (i) the Identity Theft Red Flags Rule, which requires firms to develop and implement a written program to prevent identity theft, and (ii) the Safeguards Rule, which requires financial institutions under the Federal Trade Commission’s jurisdiction to have measures in place to keep customer information secure. These rules are designed to protect the customer’s personal information and prevent the risk of identity theft.

While Voya had procedures in place, the procedures were neither up to date nor were they reasonably tailored to Voya’s specific business model or risks. In a September 2016 press release from the SEC, Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit, stated that “[t]his case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models. They also must review and update the procedures regularly to respond to changes in the risks they face.”

Lessons from the Voya Settlement
The SEC requires every investment adviser registered with it to adopt written policies and procedures that are reasonably designed to safeguard its customer records and information. When adopting a cybersecurity program for your company, it is essential to note that cybersecurity policies are not one size fits all and cannot simply be taken off the shelf.

Cybersecurity programs will and should vary depending on the company. Therefore, the customization of a company’s program is necessary. Firms should not adopt a model and simply make it their own. While it takes time and effort to create the right plan, the company is better served when cybersecurity programs are tailored to its business and thoroughly implemented.

In addition to creating a uniquely designed plan for your company, it is also essential to review and update procedures regularly to respond to the ever-changing risks a company may face. Both the SEC and, more importantly, your clients demand it. In fact, clients are increasingly inquiring about a company’s preparedness to handle ever-changing cybersecurity risks before investing.

Furthermore, a policy that is consistently updated to keep pace with changing rules and regulations will instill greater confidence in your firm among both clients and regulators.

To that end, retaining outside counsel will prove useful and necessary. Outside counsel can help a company evaluate its current policies and procedures, and ensure the policies and procedures comply with rules and regulations. Similarly, retaining counsel ensures that a trusted professional is continuously checking your plans to make sure they remain in compliance with current rules and regulations and tailored to the specific risks facing your company.

Moreover, because an effective Incident Response Plan (IRP) requires that a company meet all of its legal obligations, having someone with appointed authority who understands the rules and regulations (i.e., a lawyer) can help provide direction on behalf of the company to respond efficiently to an incident.

We’ve learned that it is more likely a question of when rather than if a cybersecurity event will occur. Retained counsel can assist with coordinating the incident response and communicating with regulators and clients. In addition, counsel can help evaluate parties’ contractual obligations and make sure that the company receives the correct legal advice on whom the company needs to notify, what the notification needs to say, and what the company’s legal obligations are.

With the SEC taking a tougher stance on cybersecurity issues, it is essential that companies take a closer look at their cyber policies. For many companies, the Voya Enforcement Action should serve as a reminder that their policies need to be constantly updated and in line with current rules and regulations. Time to dust off your cybersecurity policies and procedures!
