September 8, 2021 | Ali Abbas
SEC issues actions for deficient cybersecurity procedures
Here’s how CUBE would have done it differently.
Earlier this month, the US Securities and Exchange Commission (SEC) took punitive action against eight firms, issuing three actions across the organisations that had failed to properly implement their cybersecurity policies and procedures. The eight firms, all of which were broker-dealers or investment advisory firms, had failed to adequately manage their policies. So, while policies were in existence, they had not been properly actioned.
These implementation failures led to a number of cybersecurity breaches, including the takeover of several email accounts, which in turn exposed the personal data of thousands of customers at each firm. In one instance, these failings continued over a time span of almost three years, during which time the personal identifying information (PII) of over 4,000 customers was exposed.
In another example, a firm discovered that email accounts had been taken over in January 2018 but failed to bolster its firm-wide security for cloud-based email until 2021. This meant that additional customer and client data was exposed during this latent, three-year period.
The SEC also sanctioned a firm that waited two years after a cybersecurity breach had occurred to adopt written policies and procedures. And, once those policies and procedures were adopted, they were not fully implemented for a further three months.
Failure to act
These actions have a number of things in common, but at the heart of all three lies a failure of these financial institutions to act. As Kristina Littman, Chief of the SEC Enforcement Division’s Cyber Unit, commented:
“It is not enough to write a policy requiring enhanced security measures if those requirements are not implemented or are only partially implemented, especially in the face of known attacks.”
The theme of action (or inaction, as the case may be) is one that I see burdening financial institutions on a daily basis. Regulatory compliance relies on action being taken; new regulations are enacted, new risks emerge, old technology becomes outdated, historical policies and procedures are no longer effective – all of these are events that should (in fact, must) trigger action.
Given the necessity for action, it is always interesting to see when financial institutions operate on the basis of inaction. When, in 2018, these companies realised that they had gaps in their policies and controls that were leaving them exposed to external risks, they failed to act. This failure in turn led to even more damage.
It does not seem uncommon, in fact, for some financial institutions to manage compliance – especially regulatory change – on a “heads buried in the sand” model. This is especially true when things get tough; gaps emerge, and cracks start to show, but some teams (as the SEC’s action clearly shows) are just hoping the problem will go away.
It has always puzzled me why these firms don’t work proactively to resolve their compliance problems – especially given that financial regulators almost always spot compliance-related deficiencies. Surely, if such firms chose action rather than inaction, they would have avoided regulatory fines. And, more than that, they would have avoided the reputational damage that comes with exposing customers’ PII to external sources.
How CUBE could have told a different story
When I see cases such as this, my immediate reaction is that if these firms had CUBE they wouldn’t now be contending with regulatory and reputational costs. In fact, if they had CUBE the gaps in their policies and controls would likely never have occurred. Here’s why:
CUBE automates much of the initial impact assessment when a regulatory change occurs. So, when a regulatory change is published, our customers are presented with a data set that enhances their understanding of the change. This means that implementing that change is then faster and more robust.
Breaking this down, if the recently fined companies had CUBE, they would have been:
- Alerted to any relevant regulatory change as soon as it happened.
- Directed to the exact, updated section of the publication, with changes highlighted through red-lining comparison.
- Presented with a conceptual classification of the regulatory update, through our Ontology.
- Given an immediate understanding of the impact of the change on their business via automated mapping to their policies, controls, processes, business lines etc.
- Shown where other items of regulatory content related to the change existed.
In essence, if the above companies had CUBE, the process would have been automated and cracks would never have started to show – let alone be picked up by the SEC. More than this, the compliance teams working within the companies would have had more time to focus on managing and implementing their regulatory obligations.
Regulatory fines are detrimental and sometimes crippling for firms. Loss of reputation can be debilitating. Neither cost is quick to recoup, especially with regard to reputation. What is far quicker is employing a purpose-built SaaS product that prevents the causes of such loss from ever occurring. It just makes sense.