Why investment firms and data breaches are an especially bad combination

An investment firm's servers are full of sensitive data. The bad guys know it, and so does the SEC, along with a host of other regulatory bodies. Read lawyers' tips on avoiding data breaches.

Image: iStock

Let's face it: A company hit with a data breach is going to suffer serious consequences. That is no more evident than when an investment firm's network and servers have been compromised. Due to the sensitive nature of the stored data, it is almost guaranteed that a breached investment firm will come under the scrutiny of state, federal, and possibly foreign authorities.

SEE: Information Security Policy (Tech Pro Research)

The regulatory environment is complicated... to put it mildly

"In the United States, several federal agencies, including the Federal Trade Commission, Federal Communications Commission, and Consumer Financial Protection Bureau have claimed authority to regulate privacy and data security," writes Ropes & Gray LLP's Privacy & Data Security Practice Group in this Mondaq commentary. "Determining which agency is likely to claim jurisdiction (and sometimes there is more than one) will depend on the business sector of the company, the activities in which the company is engaged, or the underlying data at issue."

The Securities and Exchange Commission (SEC) is another agency extremely interested in the cybersecurity risks facing investment firms. In 2014, the SEC's Office of Compliance Inspections and Examinations (OCIE) conducted a series of examinations and determined that investment firms need to:

  • conduct periodic risk assessments regarding cybersecurity practices;
  • develop a strategy to prevent, detect, and respond to cybersecurity threats; and
  • implement that strategy through policies, procedures, and training.

In 2015, the OCIE went through another round of examinations focusing on:

  • governance and risk assessment;
  • access rights and controls;
  • data loss prevention;
  • vendor management;
  • training; and
  • incident response.

Both the SEC and OCIE publicly announced that failure to meet these expectations could result in enforcement actions. True to their word, on September 22, 2015, the SEC announced its first settlement of an enforcement action against an investment firm that suffered a data breach.

"R.T. Jones Capital Equities Management allegedly failed to establish cybersecurity policies and procedures prior to a breach of the personally identifiable information of approximately 100,000 individuals that was stored on a third-party-hosted web server," mentions the Mondaq post. "Even though none of R.T. Jones' clients were alleged to have been harmed as a result of the intrusion, R.T. Jones agreed to pay a $75,000 penalty as part of the settlement."

The SEC is certainly taking this seriously. One only has to page through SEC press releases to find more examples of investment firms not necessarily admitting guilt, but agreeing to changes suggested by the SEC, accepting censure, and paying fines.

SEE: Investment firms become cybercrime focus, highlights insurance need (ZDNet)

Portfolio companies' security practices must be considered

There is something else that can and does haunt investment firms. "Not only should investment firms secure their networks and information, but it is important they consider and address the privacy and data-security practices of the portfolio companies they manage, because a privacy or security incident could undermine a firm's investment in a portfolio company," mentions the Mondaq commentary. "For similar reasons, investment firms should review the privacy and data-security practices of third parties with which portfolio companies contract to provide services."

The authors go on to mention that managing privacy and risk from losing data within a portfolio is especially challenging given the portfolio could include clients from a broad range of industries, varying types of information that must be secured, and a host of third parties interacting with those portfolio companies.

SEE: Gallery: The 15 most frightening data breaches (TechRepublic)

Mitigating cybersecurity risks

The members of the Privacy & Data Security Practice from Ropes & Gray offer the following suggestions on how to avoid data breaches.

Pre-Acquisition Diligence: The authors stress that due diligence on potential investments or acquisition targets should be a priority, mentioning, "Representations and warranties in the transaction documents can help limit risk but diligence should be undertaken to understand how a potential target collects, uses, stores, discloses, transfers, and disposes of data in its business operations."

Policies and Procedures: The authors are firm believers in creating clear, understandable policies and procedures to prevent, detect, and respond to security threats. The authors suggest the written incident response plan should:

  • Clearly define the roles and responsibilities for managing the incident
  • Account for the retention of legal, technical, and public-relations experts
  • Include test/practice procedures and schedules to facilitate an effective response if and when needed

Training and Assessments: Besides the incident-response team, the group from Ropes and Gray feels privacy and security training should extend to both company officers and employees. The authors stress that monitoring employee compliance with the investment firm's privacy and security policies should also be included.

Vendor Management: Regarding their concern for the impact that third-party privacy and data-security practices can have on an investment firm and its portfolio companies, it is suggested that investment firms should establish a vendor management program that includes the following:

  • A process to select and retain third-party providers capable of maintaining the security of the investment firm's network and data
  • Standard contractual clauses to implement security controls appropriate to the services being provided
  • Ongoing monitoring of the relationship to ensure the vendor continues to have appropriate controls designed to protect the client's systems and data

The members of the Ropes & Gray LLP's Privacy And Data Security Practice Group feel that developing an effective privacy and data-security program using their proactive steps should go a long way to eliminate, or at least reduce, the impact of a data breach.

Also see