In June, Morgan Stanley became the latest financial institution to be fined by the Securities and Exchange Commission for failing to safeguard customer data, thereby breaching sweeping cybersecurity guidance issued by the regulator in 2015.
The US-based financial services organization was ordered to pay $1 million after confidential client data was posted online, and the firm was deemed by the SEC to have insufficient data protection measures in place.
The regulator is taking a hard line on cybercrime, which it considers the single biggest threat to the financial services industry.
Building on a voluntary risk-based cybersecurity framework developed by the National Institute of Standards and Technology in 2014, the SEC created its own set of broad guidelines last year with which it expects the financial services industry to comply. The Office of Compliance Inspections and Examinations – which administers the SEC’s national examination and inspection program – is in charge of ensuring compliance, and it says cybersecurity is now among its top examination priorities.
Along with the SEC guidance, a copy of this exam, which includes pages of detailed questions surrounding data and IT infrastructure protection, has been made available to private equity firms. And the cost of non-compliance, both financial and reputational, is high.
“The SEC is looking very closely at the internal controls of a firm. The cost of having a significant cyber incident is primarily in the reputation or loss of highly valued confidential information. The cost of a significant cyber incident could be the firm itself,” Michelle Reed, partner at Akin Gump and co-head of its cybersecurity, privacy and data protection practice, tells pfm.
It’s not just the SEC that is getting serious on cybercrime. Other regulators have published plans to implement their own far-reaching cybersecurity programs, some of which will have an impact on firms even if they are not based in the jurisdiction.
In Europe, the General Data Protection Regulation (GDPR) was adopted in April 2016, and affected firms have two years in which to prepare for compliance.
The GDPR expands the scope of EU data privacy protection regulation to cover all businesses that control or process personal data related to the offering of goods and services or that monitor the behavior of individuals in the EU, whether those companies are based there or elsewhere.
“Any data losses following the entry into force of the GDPR will result in a fine equal to 4 percent of a firm’s annual global revenue,” James Rashleigh, cyber director at PwC, tells pfm.
In September, the New York Department of Financial Services unveiled its plans to introduce new cybersecurity regulations aimed at safeguarding information systems and non-public data. Under the proposals, covered entities – those operating under the banking, insurance, or financial services umbrella – will be required to appoint a chief information security officer to develop a bi-annual report, available to the DFS, addressing the state of their cybersecurity programs.
The DFS opened a 45-day public consultation on the matter on September 28, and should the regulation be approved it will be effective on January 15, 2018.
Despite the rising volume of cyberattacks worldwide, and the time firms have had to prepare for compliance with the various rules, the data suggest that neither the threat of hefty fines from regulators nor the potential damage a data breach could do to a firm’s reputation has fully mobilized the private equity industry into preventative action. Just over three-quarters of firms surveyed by cybersecurity technology provider eSentire last year rated the threat level of a cyberattack as high, while 66 percent said they had only partially implemented a cybersecurity program.
Less than a quarter said they had a fully SEC-compliant regime in place.
“The SEC has been issuing guidance via the OCIE over the course of the last few years, and there has been sufficient time for firms to comply with guidance,” Reed says when asked if firms had enough time to put a plan into place.
While some defensive measures require large capital outlay or the implementation of new procedures, firms can take simple steps in-house to enhance their cybersecurity.
“Even in the event of a sophisticated attack, if the firm did not have basic controls like access right restrictions and password protections [it] may be deemed [by the SEC] to have inadequate internal controls,” Reed says.
A firm should know where it holds data and who has access to it, and should foster a culture of cybersecurity awareness. This can be as straightforward as advising employees to be wary of clicking links and opening attachments from unknown senders, Michael Patanella, partner and US asset management sector leader at Grant Thornton, tells pfm.
Staff awareness of cybersecurity issues is particularly important; research published by KCS Group shows 80 percent of security breaches at private equity firms can be traced back to employees. A private equity firm should also brief its portfolio companies on the same topics and ensure they are aware of the risks they face, since failure to do so will have repercussions for the firm.
“They should make sure they know what to do in the case of an attack – how to remedy it and the reporting process it must go through,” Patanella says.
But this practice is rare; 89 percent of respondents to the eSentire survey do not have a standardized cybersecurity program in place for their portfolio companies, while just over three-quarters fail to conduct a cybersecurity assessment as part of due diligence when acquiring portfolio companies.