Regulatory Guidance Informs Best Practices For Cybersecurity

Tuesday, April 23, 2013 - 09:12

The Editor interviews John R. Hewitt, Partner, McCarter & English, LLP.

Editor: Please tell us about your background and practice.

Hewitt: In addition to my law degree, I received an LLM in securities regulation from Georgetown. I started my career as a staff attorney at the SEC in the Enforcement Division and then served in-house at Shearson Lehman (and then at Lehman Brothers) as a senior defense counsel in the regulatory area. My law firm experience includes Mayer Brown before coming to McCarter & English. I am the editor and an author of a Law Journal Seminars-Press treatise entitled “Securities Practice in Electronic Technology,” which was published in 1998 and has been actively revised up to the present time.

My current practice is in regulatory defense litigation – that is, defending broker-dealers and investment advisors and their officers, directors and employees in regulatory matters involving the SEC, FINRA and the states. I also provide advice and counsel on many facets of the federal securities laws, including my area of expertise, which is the use and regulation of electronic technology in the securities industry.

Editor: What factors do you consider in helping clients develop effective information security programs? How does this process tie in with operational risk assessment?

Hewitt: One very helpful resource is the periodic guidance issued by the SEC and the federal banking agencies. Notably, the pending Reg S-P amendments provide definite guidance for developing information security programs.

The series of steps within that guidance includes performing an analysis of the firm’s operations. In so doing, I suggest to my clients that they form a working group of senior officers or employees who are acquainted with the operation of the firm. This would include compliance, IT, legal and the various business operating divisions or departments. These individuals should be particularly savvy in the firm’s systems and its use of electronic technology.

This working group should do an analysis of the electronic operations on a department-by-department basis, with a focus on the security measures already in place. This should include a review of the firm’s security measures from an administrative, technical and physical standpoint. In so doing, you should produce a very good study of the firm’s operations.

Now, the only way to accomplish that is by taking a “blood, sweat and tears” approach to information gathering. You have to get in there and understand what the trading desk does and what security measures are already in place, or understand the research department’s functions and technical operations. By focusing first on the administrative, physical and technological security measures that currently exist, you can take the next step and look for potential vulnerabilities.

For instance, are appropriate technical measures in place to ensure that, from an internal standpoint, the firm can detect operational problems, such as encroachment by an employee in one department into another department’s business area?

Editor: Please give us an overview of Reg S-P and some of the best practices that come from it.

Hewitt: In line with what we’ve been discussing, the Reg S-P amendments detail the manner in which firms should approach the SEC’s regulations governing the privacy and protection of customer information. The SEC has also issued rules on identity theft that serve a similar purpose. Firms are well advised to follow this guidance, and once the risk-analysis step is complete, they must generate a written policy that reflects the firm’s information security program.

Further, many states have specific data breach notification statutes, which can be addressed by developing a strong information security program. In fact, states like Massachusetts, which have very rigorous requirements, call for a “consolidated information security program” that basically follows the same layout the SEC looks for. In addition to the risk analysis and generation of written procedures I just mentioned, firms should conduct an ongoing analysis of those procedures, among other reasons, for the purpose of monitoring the firm’s third-party vendors. It’s very important to be able to audit vendors and to require evidence and documentation from them attesting to their adoption of appropriate measures.

Firms also should conduct internal testing on an ongoing basis, perhaps quarterly, and they should retain an outside firm with expertise in this area to do an annual review. Naturally, this outside review includes various types of testing and probing that seek to ensure that the firm has appropriate measures to address the issues of hacking and illegal intrusions. Finally, as part of a firm’s working program, it can supplement the annual review process with its own analysis, for instance, by looking at problems that similar firms are having, applying that knowledge to its own organization, and implementing changes on that basis.

Editor: So let’s assume a company has a good working program in place. What should be its first step upon detecting a flaw or vulnerability?

Hewitt: That’s a good question, and I’ve often been in the position of receiving calls from firms asking “what do I do?” Taking a step back, I should say that any good information security program will include established procedures for an immediate response to problems. This includes developing a data breach response team much like the program development team we discussed earlier, i.e., a team composed of representatives of all major firm departments: compliance, legal, IT, HR, etc.

Now, the team’s first reaction to a potential issue should be to answer some basic questions, such as: Is this an incident of substance? Is it an accidental problem, maybe a former employee inadvertently accessing a system, or one department member wandering into another division’s operation systems? Regardless of the cause, a critical aspect of any response to a bona fide problem is notification, which involves knowing whom to notify, what to say and how to document the notification. Certainly, most state laws require some form of notification, and in many states, you have to notify one or more of the state authorities, such as the attorney general’s office or the state’s treasurer. So procedures like this should be in place to ensure that the response team knows exactly (or nearly so) what to do and, above all, can act quickly.

While it may sound like overkill, I also advise mock sessions as part of the team’s regular efforts to stay prepared. What do I mean by that? Look at other companies in your industry, let’s say broker-dealers, to see what data breach problems they are experiencing. Then present those same problems, such as a breach into your trading system, as a surprise test for the team and actually go through the process of responding.

Editor: What baseline measures can a company incorporate into its data security program that may mitigate the risk of a negative response from a government agency should a breach occur?

Hewitt: Certain measures, such as data encryption, can help and are often included in well-researched programs. Continuing the discussion above, as part of the response team’s first reaction to a potential problem, they might ask: is this an incident of real consequence? The answer might be “no” if data had been encrypted because it simply may not be usable in spite of a hacker’s success in obtaining it. While there are various interpretations of this, certain states recognize that 128-bit (and now 256-bit) encryption standards are a strong preventative measure, and sometimes strong enough to warrant a determination that additional response measures don’t have to be implemented.

It is appropriate to consider measures that are derived from the guidance issued by the banking regulators, and now those issued by some states like Massachusetts. Programs that are consistent with the Reg S-P amendments, which are proposed but not yet enacted, will present a very strong deterrent to any attempt by outsiders – or for that matter insiders – to illegally probe into your system.

Editor: What pitfalls should companies try to avoid in their data security efforts?

Hewitt: The first pitfall is a lack of response. Even if a firm doesn’t have good data security measures in place, it can still ensure that it responds immediately to any reports of potential problems. If its compliance or operational staff observes an inappropriate probing, that’s a genuine sign that the company needs to take notice and react.

If your audit people review the firm and make certain recommendations regarding internal security measures, you should take a very close look at that report and make an affirmative determination on any corrective action that is necessary. With respect to compliance, I consistently advise my clients to answer every question that comes up, even if it is asked by the most junior compliance or clerical staff member. Never assume it’s an overreaction or misinterpretation; investigate and address it as necessary.

Editor: You mentioned guidance by the SEC and some of the states. Are other government agencies providing useful information?

Hewitt: Yes. For example, the FINRA audit team will often issue periodic guidance based on their findings from audits conducted throughout the year. With respect to this year’s upcoming SEC and FINRA audits, it came as no surprise to learn that the agencies have clearly identified cybersecurity as a major focus. Thus, the handwriting is on the wall: if you don’t pay attention to cybersecurity – and if you don’t make the connection between compliance problems and a firm’s lack of adherence to regulatory guidelines – you’re making a genuine mistake.

Editor: President Obama has identified cybersecurity as one of the most serious economic and national security challenges. What does that mean for companies as a broad issue, and what legislative or regulatory developments are on the horizon?

Hewitt: This evidences the national importance of cybersecurity and the impact of the electronic era, which affects all businesses and industries. I am often brought into situations that are outside my area of legal specialization, i.e., securities law, because the principles and strategies involved in designing information security programs apply to all companies that use or maintain highly sensitive or personally identifiable information (PII).

From a legislative standpoint, there are current efforts to establish continuity between federal and state regulations in this area, such as those pertaining to the use of social media and protecting individual rights. Virtually all states have now implemented data breach laws, and an increasing number of states are approving laws pertaining to the development of information security programs. So businesses have to respond on the state and federal levels when they use or maintain PII.

Please email the interviewee at jhewitt@mccarter.com with questions about this interview.