Vince Martinez on SEC and Cybersecurity Policies

LIFARS question and answer session with cyber security experts

Vince Martinez is a partner in the Government Enforcement practice of K&L Gates LLP, where he focuses on investigations, defense and compliance advice matters.  Mr. Martinez previously served in the Enforcement Division of the Securities and Exchange Commission for almost 12 years, where he brought and supervised the prosecution of numerous anti-fraud actions.  In his most recent roles at the SEC, Mr. Martinez served as the Chief of the Enforcement Division’s Office of Market Intelligence and as a member of the SEC’s Cybersecurity Working Group.  Mr. Martinez was also the first Director of the Whistleblower Office at the Commodity Futures Trading Commission.

In an interview conducted by LIFARS, Vince discusses the cybersecurity policies and procedures the Securities and Exchange Commission (SEC) has set.

LIFARS: Tell us some background on you and how you got where you are today.

Vince:  I started my career in 1997 as a transactional attorney in private practice in New York, where I concentrated on debt and equity offerings.  In 1999, I joined another law firm in Washington, DC, where I focused on litigation including False Claims Act defense, class action defense, and white collar work.  In 2003, I joined the Securities and Exchange Commission (SEC).  I started with a part of the SEC’s Enforcement Division called the “Financial Fraud Task Force,” which was created in an effort to strengthen the SEC’s response to major accounting frauds.  I investigated and litigated several financial fraud matters, as well as other matters including an emergency stop order action and a Ponzi scheme.

In 2009, the SEC created the Office of Market Intelligence (OMI), and I was one of the first managers to join the office.  OMI is the Commission’s central point for collecting, analyzing and disseminating intelligence received from the public, whistleblowers, other government agencies, and self-regulatory organizations.  It has a staff of around 50 people, composed of attorneys, accountants and market surveillance specialists.  OMI staff take all of those pieces of intelligence and try to determine what is within the SEC’s jurisdiction and what is actionable, and also make decisions on whether to assign items to examination staff or enforcement staff, as well as where in the country to assign those items.  OMI also has FBI agents and analysts who help determine whether criminal interest exists or whether criminal referrals should be made.  OMI also performs trading-based investigation expert analyses, market surveillance, and analyses of Suspicious Activity Reports.  At the end of 2011, I joined the Commodity Futures Trading Commission (CFTC), where I established that agency’s whistleblower program.  I stayed at the CFTC until early 2013, when a chance to lead OMI opened up.  I then served as the Chief of OMI until August of this year, and I am now a partner at K&L Gates LLP.

LIFARS: I understand that one of your concentrations has been in how the Securities and Exchange Commission (SEC) is addressing cybersecurity preparedness.  Could you tell us how the SEC strategizes to address cybersecurity threats?

Vince:  There are three main ways by which the SEC has been focusing on cybersecurity:  examinations; enforcement actions; and staff guidance.  Let me start with the examination sweeps.  In March of 2014, the SEC held a Cybersecurity Roundtable where people from government and industry discussed the cybersecurity landscape, especially related to cybersecurity preparedness for companies and market intermediaries.  Shortly after that, the Office of Compliance Inspections and Examinations (OCIE) published a Risk Alert announcing a series of cybersecurity examinations.  One of the unique features of that Risk Alert was that it had an Appendix that contained questions that OCIE staff intended to ask while conducting examinations of broker-dealers and investment advisers.  Some of the questions were drawn from the framework for “Improving Critical Infrastructure Cybersecurity,” published by the National Institute of Standards and Technology.  For almost a year, they examined more than 100 registrants, and in February of 2015 they announced summary results of their examinations.  It was mainly statistical results regarding how the examined firms were doing in terms of such cybersecurity concepts as whether or not they were conducting risk assessments, using security tools like encryption, and whether or not they were using standards to guide their cybersecurity preparations.  In September of 2015, OCIE announced the beginning of another cybersecurity examination sweep, for which they have not yet announced results.  For this second examination sweep, OCIE also provided an Appendix.  The most distinctive differences are that the second Appendix is more technology infrastructure-oriented, has more detailed questions, and contemplates the production of control documentation from registrants.

There have also been three enforcement actions since the Roundtable.  One was against an investment adviser where the firm was holding unencrypted customer information on a third party server, just behind the administrator wall.  Despite the fact that the firm could not tell if anyone’s information had been used improperly, the SEC brought an action and found fault with the firm for not having certain plans and measures in place.  The SEC brought its action under Regulation S-P, which states that broker-dealers, investment advisers, and investment companies are required to have written policies and procedures reasonably designed to protect customer records and information.

In the second action, brought against a broker-dealer, the SEC found that the firm was handling customer records and information in ways not specified in its policies and procedures.  Specifically, firm personnel were sending and receiving electronic faxes outside of the firm’s domain using personal addresses.  During the examination, the SEC found that the firm had deficiencies in its policies and procedures, and that firm personnel were not following the policies and procedures the firm had in place.  One of the key criteria that the SEC seeks to determine is whether a firm’s policies and procedures are tailored to the risks of the business.

The last case I want to share happened just a few months ago.  There, an employee stole customer records from his firm and put them on his own personal server, which was then likely hacked.  The firm realized it had a problem when customer information began to show up for sale on the Internet.  The SEC found fault with the firm’s policies and procedures from a controls perspective.  Particularly, the firm purportedly did not have adequate access controls, and the employee was therefore able to access records for which he did not have any business need.  The SEC also found that the firm’s data monitoring was insufficient.

There has also been staff guidance offered by two of the SEC’s Divisions.  In 2011, the Division of Corporation Finance issued disclosure guidance for public companies with respect to their cybersecurity preparedness and cybersecurity incidents.  In April of 2015, the Division of Investment Management issued staff guidance that goes over corporate governance issues, risk assessments, preparedness and incident response for registered investment advisers and investment companies.

There are a number of other regulations that are applied to firms.  One of them is called Regulation Systems Compliance and Integrity (SCI), which applies to a number of market-critical registrants including self-regulatory organizations, certain clearing agencies, high-volume alternative trading systems, and data-collection companies.  Regulation SCI requires these registrants to have policies and procedures in place to help ensure the robustness and resiliency of their technological systems, and also has a reporting regime where if a system intrusion, disruption or compliance event occurs, it needs to be reported.

I think it would be fair to say that much of what the SEC has been doing is intentionally designed to educate the industry on how to deal with the task of cybersecurity preparedness.

LIFARS: Could you briefly tell us about the required cybersecurity policies and procedures the SEC has set? Especially, regarding the policies that have to be set up in advance of a breach?

Vince:  As I mentioned, for broker-dealers, investment advisers, and investment companies, Regulation S-P is the main regulation which establishes standards for protecting customer records and information.  It has a rule called the ‘Safeguard Rule,’ which requires firms to have policies and procedures that are reasonably designed to ensure the security and confidentiality of customer records and information; protect against any anticipated threats; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.  The only thing that is actually required in the rule is that these policies and procedures must be written.  The technological measures that would be appropriate to satisfy the rule are not stated in the regulation.  Instead, firms are expected to understand what is available in terms of technological measures and also expected to perform risk assessments to determine where their particular risks are so that they can adopt policies and procedures to match their risks.

LIFARS: What kind of penalties could companies be charged if they don’t follow the SEC’s regulations and guidance? Could you provide a case you have seen or heard?

Vince:  Often these matters are handled through settled administrative proceedings where a registrant agrees to settle and the SEC will bring out the settlement order.  I can use one of the examples I mentioned above.  The investment adviser who was holding customer information on a third-party server was a company called R.T. Jones, which agreed to be censured and to pay a $75,000 penalty.  I believe an important lesson here is that if a company is proactive in response to a cybersecurity breach, that response can be taken into account by the SEC.  In this case, after they found out there was a breach, R.T. Jones brought in two technological consultants so that they could determine the scope of the breach.  They then informed the customers or others for whom they had information of the breach and offered identity theft monitoring services.  Moreover, when the SEC investigated the case, they cooperated with the SEC.  Given their efforts, they received a relatively mild penalty.  Therefore, in a breach scenario there are ways for companies to respond quickly and effectively that can mitigate their risk posture.

The SEC also emphasizes in its staff guidance that incident response is one of the features of cybersecurity preparedness.  The Division of Investment Management guidance states that firms cannot be expected to protect against all breaches.  Incident response plans are therefore an important part of a firm’s overall cybersecurity preparedness.

It has also been the case that firms have received relatively higher penalties for failing to respond to red flags.  For instance, there is a matter in which it was found that a firm did not respond adequately to the fact that one of its employees did not have anti-virus software installed on his computer, which led to a breach.  The firm received a $100,000 penalty.  Keep in mind that this was back in 2009.  There was also a case where a firm had to pay a $275,000 penalty because it failed to institute policies and procedures despite knowing of breaches.  It is difficult to argue that a firm’s policies and procedures are adequate both in the face of a breach and a negligent response to red flags.

On the other hand, if a firm has good policies and procedures in place, and it is making a good faith effort to act with a reasonable standard of care for its cybersecurity preparedness, the firm should be in a better place in the event of a breach.  However, even though a company actually has policies and procedures, there can be certain control failures that can still be found actionable.

Even though the SEC has been fairly restrained so far, firms should not consider that this will continue to be the case.  The SEC finds this to be a priority area and to be one of the biggest issues that the financial system is facing.  It is fair to assume that as more cybersecurity examinations occur, more deficiencies will be found, and therefore more enforcement actions will be brought.  The SEC really wants the industry to be in the right preparedness posture.