securities practice portfolio series · 2019-02-07 · securities practice portfolio series...

SECURITIES PRACTICE PORTFOLIO SERIES

TECHNOLOGY REGULATION IN THE FEDERAL SECURITIES MARKETS

By

John R. Hewitt

Jack Hewitt is a partner at Pastore & Dailey LLC. He focuses his practice on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and invest- ment advisors. His work has involved virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, net capital, Reg SHO, suitability, record retention, insider trading, cybersecurity and registration issues. Mr. Hewitt also fre- quently speaks on these subjects including his participation in Practicing Law Institute (PLI) and Securities Industry and Financial Markets Association (SIFMA) seminars. Cybersecurity is a major part of Mr. Hewitt’s practice, and he is a recognized national authority in this field. He has written extensively on the regulation of electronic technology in the securities markets, including a series of articles for the New York Law Journal, and has chaired and spoken at numerous seminars on it. Mr. Hewitt is the author of Technology Regulation in the Federal Securities Markets, a Bloomberg BNA treatise, and is the editor and author of Securities Practice & Electronic Technology, an ALM publication. He is also the author of the Record Keeping and Advertising Chapters of the PLI Broker-Dealer Regulation treatise. Mr. Hewitt is a recipient of the Compliance Reporter Compliance Person of the Year award, was a partici- pant in the Securities and Exchange Commission’s roundtable discussions on internet issues, and is listed on the International Who’s Who of e-Commerce Lawyers. Mr. Hewitt has a Masters of Law in Securities Regulation from Georgetown University Law Center.

383 SPS Copyright @ 2018 by The Bureau of National Affairs, Inc., Arlington, VA 22202 8/18 (i)


The following cataloging data is provided by the Bloomberg BNA Library

Hewitt, John R., 1944-

Technology Regulation in the Federal Securities Markets. (Securities practice portfolio series, ISSN 2372-1529; no. 383)

Bibliography: p.

1. Securities—Data processing—Security measures—United States. I. Title. II. Series. III. Bloomberg BNA. KF1432.S43 no. 383 ISBN 978-1-61746-928-2

SECURITIES PRACTICE PORTFOLIO SERIES

Gregory C. McCaffery, Chairman

Joshua Eastright, Chief Executive Officer

Scott Mozarsky, President, Legal

Alexander Butler, VP & GM, Corporate & Transactional

Kimberly Dorband Silver, Editorial Director

Kristyn J. Hyland, Deputy Editorial Director

Andrew Couden, Managing Editor

Katherine K. Sear, Assistant Managing Editor

N. Peter Rasmussen, Senior Legal Editor

Diana de Brito, Senior Legal Editor

Annie R. Pavia, Legal Editor

Gary I. Diggs, Paralegal

Neal J. Conway, Quality Assurance Editor


TABLE OF CONTENTS

I. Introduction

A. The Basis for Cybersecurity Regulation in the Securities Markets - A-1

B. Lack of Clarity Regarding the Regulation of the Security of Customer Information - A-1

1. Regulation S-P and related enactments - A-1

2. Proposed revisions to Regulation S-P - A-3

3. State privacy laws - A-3

4. Navigating the regulatory maze - A-3

II. Early SEC and FINRA Regulatory Measures Addressing Cybersecurity

A. Introduction to Early SEC and FINRA Cybersecurity Guidance - A-5

B. SEC Release No. 33-7288: Use of Electronic Media by Broker-Dealers and Investment Advisers (1996) - A-5

C. SEC Staff Legal Bulletin No. 8 (MR) (1998) - A-6

D. Regulation S-P (2000) - A-6

E. SEC OCIE Report: Examinations of Broker-Dealers Offering Online Trading (2001) - A-7

F. SEC Release: Compliance Programs of Investment Companies and Investment Advisers (2003) - A-7

G. Disposal of Consumer Report Information—Rule 30(b)(1) (2004) - A-8

1. Disposal of consumer report information and records - A-8

2. Scope of the Disposal Rule - A-8

3. Written policies and procedures to safeguard customer records and information - A-9

H. FINRA Notice to Members 05-49: Safeguarding Confidential Customer Information (2005) - A-9

1. Wi-Fi - A-9

2. Remote access-Virtual Private Networks - A-9

3. Policy and procedural revisions - A-9

I. Movement Towards Stricter Cybersecurity Regulation - A-10

III. Regulation S-P Amendments

A. Early SEC Guidance on the Safeguards Rule - A-11

B. Information Security Programs - A-12

C. Guidance on Information Security Programs - A-12

1. Identify reasonably foreseeable security risks - A-13

2. Design and implement written information safeguards to control security risks - A-13

a. Access controls/authentication - A-13

b. Access restrictions - A-14

c. Encryption - A-14

d. Monitoring and auditing - A-14

e. Intrusion detection and prevention systems - A-14

3. Regularly test the effectiveness of the safeguards’ key controls, systems and procedures - A-15

4. Train staff to implement the information security program - A-16

a. NIST principles - A-16

b. Oversight of service providers - A-16

D. Data Security Breach Response - A-16

E. Limited Information Disclosure When Leaving Firms - A-17

IV. Case Analysis—Regulation S-P and Related Areas

A. Regulation S-P Case Analysis - A-19

1. In re Lincoln Financial Services, Inc. - A-19

2. In re LPL Financial Corp. - A-19

3. In re Centaurus Financial, Inc. - A-19

4. In re Difrancesco - A-20

5. In re Woodbury Financial Services, Inc. - A-20

6. In re NEXT Financial Corp., Inc. - A-20

7. Sterne, Agee & Leach, Inc. - A-21

8. In the Matter of R.T. Jones Capital Equities Management, Inc. - A-21

9. In The Matter Of Morgan Stanley Smith Barney LLC - A-22

10. In re Voya Financial Advisers - A-22

11. Securities and Exchange Commission v. Iat Hong, et al. - A-22

V. Identity Theft Red Flags Rules

A. Introduction - A-23

B. Scope and Definitions - A-23

1. Financial institutions required to have a Program - A-23

2. Definitions - A-23

a. Financial institution - A-23

b. Creditor - A-23

c. Covered account and account - A-23

d. Red Flag - A-24

C. Periodic Determination of Whether Covered Accounts Maintained or Offered - A-24

D. Establishment of an Identity Theft Protection Program - A-24

1. The objectives of the Program - A-24


Table of Contents Securities Practice Portfolio Series

2. The elements of the Program - A-24

3. Administration of the Program - A-25

E. Final Guidelines - A-25

1. Section I—Identity theft prevention program - A-25

2. Section II—Identifying relevant red flags - A-25

3. Section III—Detecting red flags - A-26

4. Section IV—Preventing and mitigating identity theft - A-26

5. Section V—Updating the identity theft prevention program - A-26

6. Section VI—Methods for administering the identity theft prevention program - A-26

a. Oversight of identity theft prevention program - A-26

b. Reporting to the board of directors - A-26

c. Oversight of service provider arrangements - A-26

7. Section VII—Other applicable legal requirements - A-26

F. Supplement A to the Guidelines - A-27

VI. State Requirements for the Protection of Personally Identifiable Information

A. Introduction - A-29

B. Definition of Personally Identifiable Information - A-29

1. Triggering events - A-9

2. Timing - A-29

3. Notice - A-29

4. Private right of action for violations of data security regulations - A-29

5. Fines - A-30

C. Disposal of Personally Identifiable Information - A-30

D. Protection of Social Security Numbers - A-30

E. Regulations Regarding Possession of Personal Information - A-30

1. Massachusetts - A-30

2. NYS Department Of Financial Services Cybersecurity Regulation - A-31

a. Definitions - A-31

b. Cybersecurity Program - A-31

c. Cybersecurity Policy - A-31

d. Chief Information Security Officer - A-32

e. Penetration Testing, Vulnerability Assessments, Audit Trails and Access Privileges - A-32

f. Application Security - A-32

g. Risk Assessment - A-32

h. Cybersecurity Personnel and Intelligence - A-32

i. Third Party Information Security Policy - A-32

j. Multi-Factor Authentication - A-33

k. Limitations on Data Retention - A-33

l. Training and Monitoring - A-33

m. Encryption of Nonpublic Information - A-33

n. Incident Response Plan - A-33

o. Notices to Superintendent - A-33

p. Exemptions - A-33

F. Incident Response Plan - A-33

VII. Mobile Device Security–NIST Guidelines for Managing the Security of Mobile Devices in the Enterprise

A. Overview - A-35

B. Mobile Device Security Solution Design and Policy Determinations - A-35

C. Types of Mobile Devices - A-35

D. Administration of Organization’s Centralized Mobile Device Security Management Solution - A-36

1. Data protection and device provisioning - A-36

2. Software update, policy, and asset management - A-36

3. Monitoring and breach detection - A-36

VIII. Cybersecurity Framework

A. Overview - A-39

B. Cybersecurity Framework Functions - A-39

C. Cybersecurity Framework Version 1.1 - A-40

IX. OCIE Cybersecurity Initiative

A. Overview - A-41

B. Cybersecurity Examination Sweep Summary - A-41

C. Second Cybersecurity Examination Initiative—2015 - A-42

1. Focus area - A-42

2. Mobile policy - A-42

D. Third Cybersecurity Examination Initiative – 2017 - A-43

1. Summary of Examination Observations - A-43

2. Issues Observed - A-43

3. OCIE Elements of Robust Policies and Procedures - A-43

X. Information Security Program Guidelines

A. Origin of Safeguards Rules - A-43

B. Regulatory Agencies’ Information Security Program Requirements - A-43

1. Governance—the Chief Information Security Officer - A-44

2. Risk assessment and asset inventory - A-45

3. Access controls—Identity and Access Management programs - A-45

Access authorization procedure

Access modification

Employee termination

Access lists, monitoring and recertification

Access revocation

Special access

Session lock

Unsuccessful login attempts

Password policy

4. Data loss protection - A-47

5. Vendor management - A-47

Current vendor assessment analysis


Vendor selection due diligence

Vendor contractual requirements

Firm oversight

6. Training - A-48

7. Testing - A-49

8. Cyberinsurance - A-49

C. Incident Response Plans - A-50

1. Incident response team duties and pre-incident responsibilities - A-50

2. Protection of Personally Identifiable Information - A-51

3. Incident detection assessment, training and notification - A-51

4. Incident response—pre-designation of Team assignments - A-52

5. Incident response—the investigation - A-52

a. PII breach determination - A-53

b. Legal/compliance - A-53

c. Issuance of notice - A-53

d. Cybersecurity Incident Report - A-53

e. Significant cyber-incidents - A-53

XI. New Financial Market Technologies: Early SEC and FINRA Regulatory Measures

A. Introduction - A-55

B. Regulatory Background - A-55

1. SEC Release No. 33-7288: Use of Electronic Media by Broker-Dealers and Investment Advisers (1996) - A-55

2. SEC Staff Legal Bulletin No. 8 (MR) (1998) - A-55

3. SEC Release No. 33-7856: Use of Electronic Media (2000) - A-56

4. Electronic Signatures in Global and National Commerce Act of 2000 - A-57

5. Regulation S-P (2000) - A-58

C. Technology Based Innovations for Regulatory Compliance in the Securities Industry - A-58

Role of RegTech

Rise of RegTech

1. RegTech Applications in the Securities Industry - A-58

a. Surveillance and Monitoring - A-59

b. Customer Identification and AML Compliance - A-59

c. Regulatory Intelligence - A-59

d. Reporting and Risk Management - A-59

e. Investor Risk Assessment - A-59

2. Implications of RegTech for the Securities Industry - A-59

a. Potential Impact on the Securities Industry - A-59

b. Risk Management - A-59

c. Automation, Effectiveness and Efficiency - A-69

d. Regulatory and Implementation Considerations - A-60

i. Supervisory Control

ii. Outsourcing Structure and Vendor Management

iii. Consumer Data Privacy

iv. Security Risks

v. Other Regulatory and Implementation Considerations

XII. New Financial Market Technologies: Regulation of Electronic Communications

A. Introduction - A-57

B. Broker-Dealers: Regulation of Electronic Business Communications - A-57

1. Broker-dealer business communications - A-57

a. FINRA Rule 2210(a) – definitions - A-57

(1) Correspondence and retail communication

(2) Institutional communications

(3) “Reason to believe” standard

b. FINRA Rule 2210(b) - approval, review, and recordkeeping requirements - A-58

(1) Retail communications and correspondence

(2) Institutional communications

c. FINRA guidance regarding review and supervision of electronic communications - A-58

(1) Written policies and procedures

(2) Types of electronic communications requiring review

(a) External communications

(b) Internal communications

(3) Identification of the person(s) responsible for the review of electronic communications

(4) Method of review for correspondence

(a) Lexicon-based reviews of electronic correspondence

(b) Random review of electronic correspondence

(c) Combination of lexicon and random review of electronic correspondence

(d) Standards applicable to all review systems

(5) Frequency of correspondence review

(6) Documentation of the review of correspondence

d. Recordkeeping requirements - A-61

1. FINRA recordkeeping requirements

2. Exchange Act recordkeeping requirements - A-62

a. Exchange Act Rule 17a-4(b)(4)—the “business as such” rule - A-62

b. Electronic retention of records - A-63

3. FINRA 2210(c)—filing requirements and review procedures - A-64

a. Requirement to file certain retail communications prior to first use - A-64


b. Requirement to file certain retail communications - A-64

c. Filing of television or video retail communications - A-64

d. Exclusions from filing requirements - A-64

e. FINRA Rule 2210(d)—content standards - A-65

f. Limitations on use of FINRA’s name and any other corporate name owned by FINRA - A-65

g. Public appearances - A-66

C. Investment Advisers - A-66

1. Rule 206(4)-7—compliance procedures and practices - A-66

2. Annual review - A-67

3. Advisers Act Rule 204-2, books and records to be maintained by investment advisers - A-67

4. Electronic record retention - A-67

5. Rule 206(4)-1, advertisements by investment advisers - A-68

XIII. New Financial Market Technologies: Social Media

A. Introduction - A-61

B. Broker-Dealers - A-61

1. FINRA Regulatory Notice 10-06, Guidance on Blogs and Social Networking Websites - A-61

a. Recordkeeping responsibilities - A-61

b. Suitability responsibilities - A-62

(1) Types of interactive electronic forums

(2) Supervision of social media sites

(3) Third-party posts

2. NASD Notice to Members 01-23, Online Suitability - A-63

3. FINRA Regulatory Notice 11-39, Social Media Websites and the Use of Personal Devices for Business Communications - A-64

a. Recordkeeping - A-64

b. Supervision - A-64

c. Links to third-party sites - A-64

d. Data feeds - A-65

e. Questions and answers - A-64

(1) Recordkeeping

(2) Posting of business information

(3) Automatic erasure

(4) Static and interactive communication

(5) Training

(6) Third-party Posts, third-party links and websites

(7) Accessing social media sites from personal devices

4. FINRA Regulatory Notice 17-18, Guidance on Social Networking Websites and Business Communications - A-66

a. Previous guidance - A-66

b. Regulatory Notice 17-18 - A-66

c. Third-party content - A-66

d. Hyperlinking - A-66

e. Instant communication - A-66

f. Linking or sharing content - A-66

g. Native advertising - A-66

h. Third-party content and testimonials - A-67

i. BrokerCheck - A-67

C. Investment Advisors - A-67

1. SEC investment advisor use of social media, OCIE national examination risk alert - A-67

a. Social media compliance program - A-67

b. Third-party content - A-68

(1) Testimonials

c. Recordkeeping responsibilities - A-69

2. Guidance on the testimonial rule and social media - A-69

a. Third-party commentary - A-70

b. Inclusion of investment adviser advertisements on independent social media site - A-70

c. Reference to independent social media site commentary - A-70

d. Client lists - A-70

e. Fan/community pages - A-70

3. Investment management cybersecurity guidance - A-71

XIV. New Financial Market Technologies: The Cloud

A. Introduction - A-75

B. Broker-Dealers - A-75

1. FINRA Notice to Members 05-48, Outsourcing - A-75

2. FINRA Regulatory Notice No. 08-77, Customer Account Statements (2008) - A-76

3. FINRA vendor guidance - A-76

C. Investment Advisers - A-77

1. Compliance programs of investment companies and investment advisers, SEC Release Nos. IA-2204, IC-26299, File No. S7-03-03 - A-77

2. SEC Review of RIA Outsourcing Services - A-77

XV. New Financial Market Technologies: Electronic Corporate Finance

A. Introduction - A-87

B. Emerging Growth Companies - A-87

1. Crowdfunding intermediaries - A-87

2. EGC disclosure - A-87

3. Bad actor disqualification provision - A-88

4. Advertising and promotion restrictions - A-88

5. Resale restrictions - A-88

6. Liability for material misstatements or omissions - A-88

7. Crowdfunding securities exempt from § 12(g) stockholder cap - A-88

8. Blue Sky laws - A-89

9. Broker-dealers and research reports - A-89


10. Analysts and the JOBS Act - A-89

C. Matchmaking Sites - A-89

1. SEC no-action letters - A-90

2. Citizen VC - A-92

D. Regulation Crowdfunding - A-92

1. Requirements for Issuers - A-92

2. Requirements for Intermediaries - A-93

E. Funding Portal Rules - A-94

1. Funding Portal Rule 100 - A-94

2. Funding Portal Rule 110 - A-94

3. Funding Portal Rule 200 - A-94

4. Funding Portal Rule 300 - A-94

5. Funding Portal Rule 800 - A-94

6. Funding Portal Rule 900 - A-95

7. Funding Portal Rule 1200 - A-95

XVI. New Financial Market Technologies: Robo-advisers

A. Regulatory Implications - A-97

1. Disclosures - A-97

2. Suitability - A-98

3. Compliance - A-98

XVII. Blockchain: Distributed Ledger Technology

A. Introduction - A-99

B. The Technology - A-99

C. Applications in the Industry - A-99

D. Implementation Considerations - A-100

1. Governance - A-100

2. Operational Structure - A-100

3. Network Security - A-100

E. Regulatory Factors to Consider When Implementing DLT - A-100

F. Broker-Dealer DLT Network - A-101

XVIII. Blockchain: Broker-Dealer Retail/Institutional Business

A. Overview - A-103

B. Brokerage Accounts - A-103

1. Customer Account Statements and Confirmations - A-103

C. Books and Records Requirements - A-104

1. Exchange Act Rule 17a-4(b)(4) - The "Business as Such" Rule - A-104

2. Exchange Act Rule 17a-4(f) - The WORM Rule - A-105

3. DLT Considerations - A-106

4. Use of Electronic Signatures - A-106

a. Types of Signatures - A-106

b. SEC and FINRA Guidance on the Use of Electronic Signatures and Electronic Record Retention - A-107

i. SEC 1996 Release

ii. FINRA Letters

c. The Electronic Signatures in Global and National Commerce Act - A-107

i. E-Sign Records Retention

ii. E-Sign Consumer Consent

iii. DLT Considerations

XIX. Blockchain: DLT Use in Broker-Dealer Operations

A. Overview - A-109

B. Trade Execution and Reporting Requirements - A-109

C. Customer Funds and Securities - A-109

D. Broker-Dealer Net Capital - A-110

E. Fees and Commissions - A-110

F. Clearance and Settlement - A-110

G. Supervision and Surveillance - A-111

XX. Blockchain: Broker-Dealer – Information Security Plans, Business Continuity Plans, and Anti-Money Laundering Programs

A. Overview - A-113

B. Information Security Plans - A-113

1. Governance—the Chief Information Security Officer - A-113

2. Risk assessment and asset inventory - A-113

3. Data loss protection - A-114

4. Vendor management - A-114

5. Training - A-115

6. Testing - A-115

C. Business Continuity Plans - A-116

D. Anti-Money Laundering and Customer Identification Programs - A-117

XXI. Blockchain: Initial Coin Offering Interpretation and Guidance

A. SEC Report on Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO Report - A-119

1. The DAO and DAO Tokens - A-119

2. SEC Investigation - A-120

3. DAO Tokens as Securities - A-120

4. DAO as an Exchange - A-121

B. Comparisons: Crowdfunding and EGC Disclosures - A-121

1. Crowdfunding - A-121

2. EGC Disclosure - A-123

XXII. Blockchain: Initial Coin Offering Enforcement Actions

A. ICO Case Analysis - A-125

1. In re Tomahawk Exploration LLC and David T. Laurance - A-125

2. SEC v. Jon E. Montroll and BitFunder - A-125

3. SEC v. Jesky and DeStefano - A-125

4. In re Munchee, Inc. - A-126

5. Trendon T. Shavers and Bitcoin Savings and Trust - A-126

6. SecondMarket, Inc. and Bitcoin Investment Trust - A-126

TABLE OF PRACTICE TOOLS - B-1

Practice Tool 1: Model State Data Breach Notification Letter - B-101

Practice Tool 2: State Breach Notification Statute Chart - B-201

Practice Tool 3: State Data Disposal Laws - B-301

Practice Tool 4: Incident Response Plan - B-401

Practice Tool 5: Cybersecurity Framework - B-501


Securities Practice Portfolio Series Summary of Cybersecurity Requirements

X. Information Security Program Guidelines

A. Origin of Safeguards Rules

The Financial Institutions Safeguards Rule in the Gramm-Leach-Bliley Act¹ (“GLB Safeguards Rule”) is the foundation for the safeguards rules of the Securities and Exchange Commission, the Commodity Futures Trading Commission and the Federal Trade Commission. The GLB Safeguards Rule requires firms to set standards² regarding the security and confidentiality of customer records and information to:³

1. insure the security and confidentiality of customer records and information;

2. protect against any anticipated threats or hazards to the security or integrity of such records; and

3. protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.

The SEC, the CFTC and the FTC have developed guidelines that are mirror images of the GLB Safeguards Rule. These guidelines apply to, among others, broker-dealers, investment advisers and regulated funds (“financial institutions”) and include provisions for firms to develop and implement information security programs (ISP).⁴ Each agency’s requirements are extensive; however, close scrutiny of the rules’ requirements and guidelines reveals that they are quite similar in structure, content and scope. As many firms are subject to all three sets of requirements, compliance can appear to be an onerous regulatory responsibility; but if a firm develops and implements policies and procedures that are responsive to the cybersecurity requirements of one such agency, it is quite likely to fulfill the requirements of the other two.⁵

Each of these guidelines identifies certain subjects that a properly structured ISP should address.⁶ While terminology may vary between regulators, these items are essentially the same and are uniformly viewed as the foundation for an effective ISP. The following factors will be considered in detail below:

• governance

• risk assessment

• access rights and control

• data loss protection

• vendor management

• training

• testing

The final part of this chapter will present a framework for a firm’s Incident Response Plan.⁷

¹ 15 U.S.C. § 6801(b).

² See Guidance on Information Security Programs, 383 SPS § III-C, above, for earlier discussions of Information Security Programs. This chapter will provide a substantially expanded update of this topic and will review recently published regulatory guidelines that provide more detail.

³ 15 U.S.C. § 6801(b).

⁴ These are titled Information Security Program (FTC); Comprehensive Information Security Program (SEC); and Written Information Security and Privacy Program (CFTC).

⁵ In response to the GLB Safeguards Rule, the SEC and the FTC each developed a rule containing language very similar to the GLB Safeguards Rule, and the CFTC developed cybersecurity guidelines that are based on this language. SEC Release No. 34-42974 (June 22, 2000); Standards for Safeguarding Customer Information, 16 C.F.R. Part 314; Privacy of Consumer Financial Information Under the Gramm-Leach-Bliley Act, 17 C.F.R. Part 160.

⁶ As previously noted, the OCIE 2015 Cybersecurity Examination Initiative established a similar list of subjects that should be in an effective ISP. See OCIE Cybersecurity Initiative, 383 SPS § IX, above, for the OCIE 2015 Alert. Similar factors are also discussed in FINRA’s Cybersecurity Study. FINRA Report on Cybersecurity Practices, at 1 (Feb. 2015) [hereinafter FINRA Report].

B. Regulatory Agencies’ Information Security Program Requirements

The FTC security and confidentiality guidelines are contained in its Safeguards Rule and in the enacting release for this rule. The Standards for Safeguarding Customer Information require broker-dealers and investment advisers under their jurisdiction to develop an information security program (ISP):

Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.⁸

The FTC rule provides that a properly structured ISP should address the following:⁹

• risk identification

• design and implementation of safeguards

• monitoring

• testing

• training

• analysis of service providers

• incident response.

In 2000, the SEC enacted its Regulation S-P (“Reg S-P”), which contained its Safeguards Rule in Rule 30. While this rule is quite similar to the GLB Safeguards Rule, neither the regulation itself nor its enacting release provided any detailed guidance on its implementation.¹⁰ In 2008, the SEC proposed extensive amendments to Reg S-P that included an ISP providing security and confidentiality requirements similar to those in the FTC’s ISP guidance.¹¹ However, these amendments were never enacted.

⁷ For a sample Incident Response Plan, see Practice Tool 4.

⁸ 16 C.F.R. § 314.3.

⁹ 16 C.F.R. § 314.4.

¹⁰ SEC Release No. 34-42974, at § III.E (June 22, 2000).

Comment: While the amendments to Reg S-P were never enacted, the proposing release for them has an extensive discussion of the SEC’s views on the proper implementation of an ISP and contains innumerable sources and interpretive material that many firms have used as a guide in developing their ISPs.

Thereafter, the SEC, in its OCIE 2015 Cybersecurity Examination Initiative,¹² established that broker-dealers and investment advisers should implement an ISP addressing the following subjects:¹³

• governance

• risk assessment

• access rights and control

• data loss prevention

• vendor management

• training

• incident response

The CFTC established a requirement for an ISP in its cybersecurity guidelines issued in 2014.¹⁴ As noted above, an ISP prepared and implemented in accordance with FTC, SEC or CFTC requirements should satisfy the requirements of each agency. As such, this discussion will now focus on SEC and FINRA cybersecurity requirements.

1. Governance—the Chief Information Security Officer

The SEC and FINRA cybersecurity guidelines now anticipate that a firm will have in place an operational cybersecurity governance structure originating at and directed by the board and senior management. Senior management in the person of the Chief Information Security Officer (CISO) should be primarily responsible for the program’s development, management and supervision.

A cybersecurity governance structure should provide for the development of an internal framework appropriate to the organization’s size and the nature of its cybersecurity risk exposure. It should specify the departments and firm officers responsible for cybersecurity-related matters, their roles and responsibilities and their positions within the firm’s organiza- tion. It should include policies, procedures and processes to manage and monitor the organization’s regulatory, legal, risk, environmental and operational requirements in this area. This management should include regular CISO briefings of the

cybersecurity risks, incident response planning and actual cy- ber-incidents (both at the member firm and at comparable firms).15

In order for a firm’s board and its senior management to take an active role in overseeing the implementation and op- eration of an ISP, these officers and directors need to have a

detailed understanding of the program on an enterprise level, including its design, structure and implementation.16 The board

should oversee the CISO in his/her establishment of an enter- prise-wide, cyber-risk management framework and should en-

sure that it is adequately staffed and financed. The board should have a definitive understanding of the firm’s cybersecurity legal

obligations so as to make an educated assessment of the pro- gram’s effectiveness and conformance with applicable laws.

The board should also ensure that they receive regular detailed expert briefings—from both internal and outside experts and

advisers—on the firm’s cybersecurity requirements and status. The governance framework should be tailored to the firm’s

needs and risks and permit it to make informed decisions on its cybersecurity responsibilities. It should ensure the expeditious handling of cyber-incidents, including an escalation to higher

organizational levels to identify and manage them.17

Comment: The active involvement of the board and senior management in the development and implementation of any firm project usually has a significant, positive impact on those implementing it and those who must conform to it. Thus, the CISO should prioritize a high level of involve- ment.18

FINRA Rule 4517 requires member firms to file with the FINRA Contact System (‘‘FCS’’) in an electronic format all regulatory notices or other documents required to be filed with FINRA.19 On February 1, 2016, FINRA added the following individual to its FCS filing requirements:

Person at your firm responsible for establishing and maintaining the enterprise vision, strategy and pro- gram to ensure information assets and technologies are adequately protected, or person closest to that role.20 A firm’s CISO would serve as this individual, though the

FCS rule thereafter states that the CISO is not a required role, that the position need not be registered or be a firm principal and that it is not to be included in the firm’s annual review.

Comment: At this point, neither FINRA nor the SEC requires a formal registration and examination for a CISO, but, in light of the Rule 4517 filing requirement and the extensive requirements placed upon a CISO in the OCIE 2015 Alert and the FINRA Report, it appears likely that this may be a required registration role in the near future.

board and senior management on such matters as potential 15 FINRA Report at 6, and OCIE 2015 Alert at 2–3 and Appendix. 16 FINRA Report at 7, and OCIE 2015 Alert at 2 and Appendix and

11 Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, SEC Release No. 34-57427 (Mar. 4, 2008).

12 See OCIE Cybersecurity Initiative, 383 SPS § IX, above. 13 National Exam Program Risk Alert, OCIE’s 2015 Cybersecurity

Examination Initiative, Vol. IV, Issue 8, (Sept. 15, 2015), at 2–3 [hereinafter OCIE 2015 Alert].

14 CFTC Staff Advisory No. 14-2, Division of Swap Dealer and Intermediary Oversight (Feb. 26, 2014).

National Association of Corporate Directors,CYBER-RISK OVERSIGHT: EXECUTIVE SUMMARY, Director’s Handbook Series (2014 Ed.).

17 FINRA Report at 6, and OCIE 2015 Alert at 2 and Appendix. 18 Id. 19 FINRA Rule 4517 also provides that each member ‘‘identify,

review and, if necessary, update its executive representative designa- tion and contact information as required by Article IV, Section 3 of the FINRA By-Laws in the manner prescribed by this Rule’’.

20 FINRA Contact System, FINRA.


2. Risk assessment and asset inventory

Risk assessment involves a comprehensive analysis of a firm’s assets; should be performed on a regular (at least annual) basis; and should be designed to definitively identify all risks. It should include the development and maintenance of a detailed, accurate and regularly updated risk inventory, and, in its assessments, the firm must consider both external and internal threats as well as asset vulnerabilities. Points to consider in this analysis are any potential for compromising customer or firm confidential information, for the misuse of customer funds or securities and for the possibility of internal and external theft of proprietary information.21

A successful risk assessment must begin with a complete inventory of a firm’s assets. Each asset, including assets used in its electronic networks, needs to be properly identified and categorized, and the importance of each in the firm’s business must be established—priority data categories include personally identifiable information (PII) of the firm’s customers22 and the firm’s systems for trading, for order management, that can alter client statements and that deliver securities or cash.

Comment: A firm’s initial risk assessment provides a basic foundation for the development and implementation of the remaining requirements for the development of a firm’s ISP. This assessment is usually a detailed and laborious process similar to the development of a firm’s records management program. In fact, one excellent information source for a firm’s risk assessment is its record management system. A well-prepared and -implemented assessment will result in a more complete and effective ISP.

The actual inventory can be conducted through various means, including a uniform firm-wide procedure involving a centralized team with members from all relevant firm departments including legal, compliance, technical, operations and major business units. It can also be done on a departmental basis under the guidance of a small inventory team designed to work with each department in developing their own inventory. In all cases, effective inventory software (firm-designed or off the shelf) should be used to ensure a uniform gathering, evaluation and ranking of assets and their risks. Any acquisition or disposition of assets must be included in this procedure, and the firm should also conduct annual and as-needed reviews.23

The risk assessment procedure should contain specific objectives, and the National Institute of Standards and Technology’s (NIST) Framework for Improving Critical Infrastructure Cybersecurity24 provides examples:

• identify and document asset vulnerabilities;25

• review threat and vulnerability information from information-sharing forums and sources;26

• identify and document internal and external threats;

• identify potential business impacts and likelihoods;

• use threats, vulnerabilities, likelihoods and impacts to determine risk; and

• identify and prioritize risk responses.27

Upon discovery of any vulnerability, the firm should have appropriate escalation procedures to ensure that the problem is corrected in an effective and timely manner.

3. Access controls—Identity and Access Management programs

Three basic principles are viewed as the foundation for an effective Identity and Access Management Program (IAM):28

• policy of least privilege;

• separation of duties; and

• entitlement transparency.

In employing the policy of least privilege, a financial institution should grant an employee authorized access only to those systems that are necessary—as determined by established procedures jointly undertaken by human resources, information technology and the applicable business unit—for the employee to accomplish his or her assigned responsibilities.29

The separation of duties requirement targets prevention of potential conflicts of interest and unlawful conduct. An employee should not be permitted to perform a combination of functions that could result in a conflict of interest, fraud or theft. Access authorization review (see below) of employees’ duties and functions will identify areas of potential concern, and a detection procedure should be implemented to ensure the effectiveness of the control mechanisms.30

Some duties, in the following categories, that could involve potential conflicts are:31

• Business Functions

  • custody

  • discretionary control

  • check issuance

  • funds transfer

  • input of vendor invoices

  • receiving account information

• Data Creation and Control Functions

  • data collection and preparation

  • data entry, including input of account data and order placements

  • data verification, reconciliation of output and approval

  • database administration

• Software Development and Maintenance Functions

  • applications programming

  • design review

  • application testing and evaluation

  • application maintenance

• Security Functions

  • security implementation

  • review of security controls, security audits and audit trail review

  • network access

  • network audits/reviews

A good IAM program provides entitlement transparency mechanisms delineating all users’ authorized access.

21 FINRA Report at 12, and OCIE 2015 Alert at 2 and Appendix.
22 PII is typically defined as unencrypted or unredacted information in any form consisting of an individual’s name and either their social security number or their driver’s license or state ID number; or information that would allow access to financial accounts.
23 FINRA Report at 12, and OCIE 2015 Alert at 2 and Appendix.
24 Framework for Improving Critical Infrastructure Cybersecurity, National Institute of Standards and Technology (Feb. 12, 2014) [hereinafter NIST Framework].
25 The Common Vulnerability Scoring System (CVSS) is a well-known vulnerability assessment tool.
26 A well-known industry threat intelligence source is the Financial Services Information Sharing and Analysis Center (FS-ISAC). FINRA Report at 12.
27 FINRA Report at 12, and NIST Framework. See also Practice Tool 5, Cybersecurity Framework.
28 FINRA Report at 17, and OCIE 2015 Report at 2 and Appendix.
29 Id.
30 Id.
31 The EPA, adopting NIST standards, issued its Information Security—Access Control Procedure in 2015, which includes a non-exclusive separation of duties outline.
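The separation-of-duties review and entitlement transparency described above, as an added Python example that is not from the treatise or from FINRA: the entitlement inventory and the set of conflicting function pairs are constructed sample data and an assumed policy, and the function names are taken from the categories listed above.

```python
from itertools import combinations

# Entitlement inventory: user -> set of functions the user holds.
# Constructed sample data, not any firm's real access lists.
ENTITLEMENTS = {
    "alice": {"custody", "funds transfer", "data entry"},
    "bob": {"applications programming", "application testing and evaluation"},
    "carol": {"security implementation", "review of security controls"},
    "dave": {"data entry", "data verification and approval"},
    "erin": {"design review"},
}

# Combinations one person should not hold at the same time. This is an
# assumed policy chosen for illustration; a firm derives its own list from
# the access authorization review of duties described in the text.
TOXIC_PAIRS = {
    frozenset({"custody", "funds transfer"}),
    frozenset({"check issuance", "funds transfer"}),
    frozenset({"input of vendor invoices", "check issuance"}),
    frozenset({"data entry", "data verification and approval"}),
    frozenset({"applications programming", "application testing and evaluation"}),
    frozenset({"applications programming", "application maintenance"}),
    frozenset({"security implementation", "review of security controls"}),
    frozenset({"network access", "network audits/reviews"}),
}


def find_sod_conflicts(entitlements, toxic_pairs=TOXIC_PAIRS):
    """Detective control: return {user: [(function_a, function_b), ...]} for every
    user whose combined entitlements include a toxic pair. Clean users are omitted."""
    conflicts = {}
    for user, functions in entitlements.items():
        hits = [(a, b) for a, b in combinations(sorted(functions), 2)
                if frozenset({a, b}) in toxic_pairs]
        if hits:
            conflicts[user] = sorted(hits)
    return conflicts


def would_conflict(entitlements, user, new_function, toxic_pairs=TOXIC_PAIRS):
    """Preventive check for the access-modification step: list the functions the
    user already holds that clash with a requested new function."""
    held = entitlements.get(user, set())
    return sorted(f for f in held if frozenset({f, new_function}) in toxic_pairs)


def entitlement_report(entitlements):
    """Entitlement transparency: a deterministic listing of every user's access,
    in the form a supervisor would review and recertify."""
    return {user: sorted(functions) for user, functions in sorted(entitlements.items())}


if __name__ == "__main__":
    for user, pairs in find_sod_conflicts(ENTITLEMENTS).items():
        for a, b in pairs:
            print(f"{user}: holds both '{a}' and '{b}'")
    print(would_conflict(ENTITLEMENTS, "bob", "application maintenance"))
    print(entitlement_report(ENTITLEMENTS))
```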

Access authorization procedure

An effective way to minimize the risk of current and former employees as the source of serious security problems for a firm is to implement a centrally controlled and collaborative—between a firm’s HR and IT departments and its senior management—access authorization procedure32 that includes the following steps:

• Upon employment, HR should establish an employee record specifying his/her position and responsibilities and the specific access to firm systems that is granted to the employee. This record should be reviewed and approved by the employee’s supervisor and by IT;

• IT must place the employee on the appropriate firm access lists and ensure that the employee’s status is continually maintained and updated on these lists (see below);

• The employee must provide two types of identification acceptable to the firm, such as a state driver’s license, passport, birth certificate or state photo identification;

• HR must have a complete written background check on the employee, completed by a professional investigative agency, that is reviewed by the employee’s supervisor;

• The employee must complete the firm’s required security training; and

• The employee must review the firm’s compliance and information security policy and other appropriate firm policies and procedures and verify this review in his/her record.

Access modification

All modifications to an employee’s access to the firm’s system resulting from a job transfer, an increase in job responsibilities or other valid reason should be initiated by the employee’s supervisor and reviewed and approved by HR and IT.33

Employee termination

Upon employee termination, the employee’s supervisor should immediately notify HR and IT, and the supervisor must ensure that the individual’s system access is terminated. Upon receiving such notification, HR and IT should ensure that within 24 hours:

• All the employee user IDs, passwords, codes and other system access devices are cancelled;

• All internal employee accounts are closed;

• All access control lists, mailing lists, etc. are updated;

• All keys, badges, cards and similar access items are collected;

• Any financial accounts over which the employee had control are reconciled;

• All firm systems and electronic records that were accessible to the employee are reviewed and properly secured; and

• The employee’s supervisor ensures that all of the above actions are completed and documented.

Access lists, monitoring and recertification

IT should be responsible for maintaining and monitoring employee access lists by firm department or other appropriate business unit and for appropriately revising them on an as- needed or quarterly basis. IT should provide annually a record to each employee of his/her system access for review and recertification. Each employee should review this information and verify by electronic signature to IT that it is accurate.34

Access lists should be reviewed35 quarterly by each appropriate firm supervisor to ensure that:

• Only the appropriate levels of access have been granted to employees under their supervision;

• All appropriate modifications have been made for the employee’s access; and

• Employee access rights are limited by the principle of least privilege.

Access revocation

Firms should ensure that employee system access is revoked if the employee violates the firm’s compliance and supervisory procedures, including its code of ethics, its supervisory procedures, its ISP or other applicable firm policy or procedure. Other action, up to and including termination of employment, may also be taken, depending on the violation.

32 FINRA Report at 18.
33 Id.
34 FINRA Report at 19.
35 Id.

Special access

All special access to firm systems must be authorized and approved by the appropriate supervisor and HR, monitored by them while in use and immediately terminated when the requirement for the special access is completed. Special access includes training, maintenance or temporary emergency access, and will require verification in line with an initial grant of access.36

Session lock

A firm should establish a session lock policy for its systems that would include a lock after a maximum time of inactivity.

Unsuccessful login attempts

A firm should enforce a limit of consecutive invalid login attempts by a user during a 15-minute time period. This should include an automatic lock of an account and a lock after the maximum number of unsuccessful login attempts is exceeded.

Password policy

All employees and all contractors and vendors with access to the network must create and maintain secure passwords and change them frequently.37 Examples of minimum requirements for login passwords include:

• passwords must be changed every 90 days;

• passwords must be a minimum of eight characters long;

• none of the last four passwords may be re-used; and

• passwords must be alphanumeric and contain at least one symbol.
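The account-lockout rule and the password minimums from the two preceding subsections, as an added Python example that is not from the treatise: the 15-minute window, 90-day age, eight-character minimum and four-password history come from the text, while the lockout threshold of five attempts, the user names and the timestamps are assumed or constructed values.

```python
import hashlib
import re

# Policy parameters taken from the minimum requirements in the text; the
# lockout threshold is not stated on the page and is an assumed value.
MAX_PASSWORD_AGE_DAYS = 90
MIN_PASSWORD_LENGTH = 8
PASSWORD_HISTORY = 4
LOCKOUT_WINDOW_SECONDS = 15 * 60
MAX_FAILED_ATTEMPTS = 5  # assumed: lock once this count is exceeded


def password_digest(password):
    """Illustration only: a production system stores salted, slow hashes
    (bcrypt, scrypt or Argon2), not a bare SHA-256 of the password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def password_violations(candidate, previous_digests):
    """Return the policy rules a proposed password breaks (empty list = allowed).
    previous_digests holds digests of the user's earlier passwords, most recent first."""
    problems = []
    if len(candidate) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("must contain both letters and digits")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("must contain at least one symbol")
    if password_digest(candidate) in previous_digests[:PASSWORD_HISTORY]:
        problems.append(f"matches one of the last {PASSWORD_HISTORY} passwords")
    return problems


def password_expired(last_changed, now):
    """True once the password is older than MAX_PASSWORD_AGE_DAYS (epoch seconds)."""
    return now - last_changed > MAX_PASSWORD_AGE_DAYS * 86400


class LoginGuard:
    """Counts consecutive failed logins per user inside a sliding window and
    locks the account once the count exceeds the maximum."""

    def __init__(self, window=LOCKOUT_WINDOW_SECONDS, max_failed=MAX_FAILED_ATTEMPTS):
        self.window = window
        self.max_failed = max_failed
        self._failures = {}  # user -> timestamps (epoch seconds) of recent failures
        self._locked = set()

    def is_locked(self, user):
        return user in self._locked

    def record_failure(self, user, ts):
        """Record a failed attempt at time ts; return True if the account is now locked.
        Failures older than the window no longer count as consecutive."""
        recent = [t for t in self._failures.get(user, []) if ts - t <= self.window]
        recent.append(ts)
        self._failures[user] = recent
        if len(recent) > self.max_failed:
            self._locked.add(user)
        return user in self._locked

    def record_success(self, user):
        """A successful login resets the consecutive-failure count. It does not
        clear a lock: callers must check is_locked() before accepting credentials."""
        self._failures.pop(user, None)

    def unlock(self, user):
        """Administrative unlock after the lockout has been reviewed."""
        self._locked.discard(user)
        self._failures.pop(user, None)


if __name__ == "__main__":
    history = [password_digest("Spring2024!")]
    print(password_violations("Spring2024!", history))  # reuse of a recent password
    print(password_violations("Tr0ub4dor&x", history))  # []
    guard = LoginGuard()
    for i in range(6):
        locked = guard.record_failure("jsmith", 1_000 + 10 * i)  # constructed timestamps
    print("jsmith locked:", locked)  # True on the sixth failure
```

Outside the page's scope but worth knowing: NIST SP 800-63B (2017) advises against forcing periodic password changes absent evidence of compromise, which is why password_expired() is kept separate from the composition checks and can be dropped by a firm that follows that guidance.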

4. Data loss protection

One of the primary functions of an ISP is to protect a firm’s confidential and sensitive data through such devices as encryption, intrusion detection and protection systems and monitoring and auditing devices employed as part of a firm’s defense-in-depth strategy.

Under . . . a (firm’s defense-in-depth) strategy, organizations layer multiple independent security controls strategically throughout their information technology systems. A successful defense-in-depth strategy is based upon the selection and effective implementation of cybersecurity practices and controls consistent with a firm’s risk profile. Defense-in-depth strategies are promoted by organizations such as the National Security Agency and Open Web Application Security Project (OWASP).38

36 See Access controls—Identity and Access Management programs, 383 SPS § X-B3a, above.
37 See the Society for Human Resource Management’s sample document for password policies.

Two types of data protection tools, Intrusion Detection Systems (IDS) and Intrusion Protection Systems (IPS), are often used in defense-in-depth strategies. Though distinct technologies, IDSs and IPSs sometimes are referred to collectively as Intrusion Detection and Prevention Systems (IDPS). An IDPS monitors events occurring in a computer system or network and analyzes them for signs of possible cyber-incidents. It then attempts to stop the incidents detected. IDPSs generally record information related to observed events, notify security administrators of important observed events through alerts and produce reports summarizing the monitored events or provide details on particular events of interest.39

Monitoring and audits are also mechanisms that can be used in a defense-in-depth strategy. Internal and independent outside audits can use automated tools that assist in finding weaknesses in access control standards, passwords and system software integrity. Monitoring uses such tools as virus scanners, checksumming, password crackers, integrity verification programs and system performance monitoring and includes regularly reviewing security logs for irregularities in system access attempts.40
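The checksumming and integrity-verification monitoring mentioned above, as an added Python example not taken from the treatise or from NIST: it records a baseline of SHA-256 digests for a directory tree and reports files that were later added, removed or modified. The directory contents in demo() are constructed sample data.

```python
import hashlib
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file's contents, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (relative POSIX-style path) to its SHA-256."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare_baselines(expected, observed):
    """Diff two baselines: {'added': [...], 'removed': [...], 'modified': [...]}.
    Each list is sorted so the report is stable and reviewable."""
    exp, obs = set(expected), set(observed)
    return {
        "added": sorted(obs - exp),
        "removed": sorted(exp - obs),
        "modified": sorted(p for p in exp & obs if expected[p] != observed[p]),
    }


def demo():
    """Run the check over a constructed temporary tree: take a baseline, change the
    tree the way an integrity monitor should notice, and return the detected changes."""
    with tempfile.TemporaryDirectory() as root:

        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed sample files standing in for a server's binaries and config.
        write("bin/trade_gateway", b"\x7fELF original binary")
        write("etc/access.conf", b"allow group=traders\n")
        write("etc/sshd_config", b"PermitRootLogin no\n")
        baseline = build_baseline(root)

        # Simulated drift: one config edited, one unexpected file, one file gone.
        write("etc/access.conf", b"allow group=traders\nallow group=everyone\n")
        write("bin/.hidden_tool", b"unexpected new executable")
        os.remove(os.path.join(root, "etc/sshd_config"))

        return compare_baselines(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In operation the baseline is written once from a known-good system and stored where the monitored host cannot rewrite it, and the comparison is rerun on a schedule with the differences fed to the security log review.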

Encryption—providing data access to only approved users or those with the decryption key—is a common mechanism for restricting access to confidential, sensitive data and is another tool in a defense-in-depth strategy. Encryption should be used at individual workstations and at servers, and with stored data as well as transmitted data. Implementation of this control at the various levels of a firm’s systems has security benefits and operational tradeoffs occurring at each layer.41

Data mapping can be used to establish an understanding of how the firm utilizes customer PII and other sensitive information and to determine the appropriate measures to implement to protect this information at rest and in transit.42

5. Vendor management

As vendors have proven to be a major risk factor in cybersecurity, a vendor management policy is a key element in any ISP.43 This policy should require all outsourced services to be subject to a thorough review and assessment, from a firm’s initial communication with a potential vendor to ongoing reviews with existing ones.44

38 FINRA Report at 16.
39 NIST, GUIDE TO INTRUSION DETECTION AND PREVENTION SYSTEMS (Feb. 2007) contains a discussion of IDPSs.
40 NIST, GENERALLY ACCEPTED PRINCIPLES AND PRACTICES FOR SECURING INFORMATION TECHNOLOGY SYSTEMS (Sept. 1996) contains a discussion of monitoring.
41 FINRA Report at 20.
42 OCIE 2015 Report at 2 and Appendix.
43 FINRA Report at 26, and OCIE 2015 Report at 2 and Appendix.
44 The FINRA Report, at 26, provides an itemization of important considerations for managing vendors, which include limiting data access, virus protection, data encryption, specific procedures for subcontractors and ensuring the use of patch management and change management processes.


Current vendor assessment analysis

If a firm is initiating its vendor management policy or is updating it, the policy should be designed to address the following requirements:

• Identify all current vendors;

• Review all current vendor contracts and supporting documents and ensure that their provisions include those points noted below in the section addressing vendor contractual requirements;

• Review all vendor audit reports, all internal audits and any other relevant reports;45

• Identify, review and assess any vendor information security problems;

• Identify, review and assess the manner in which vendors handle any firm PII;

• Identify, review and assess vendors’ ISPs;

• Make site visits to vendors to determine cybersecurity preparedness.

Vendor selection due diligence

The firm must have an established due diligence process for selection of vendors. For each vendor:

• Review all applicable vendor financial documents including financial statements;

• Require completion of vendor due diligence questionnaires;

• Review all vendor regulatory, compliance and internal audits;

• Verify, including a detailed access evaluation procedure for the vendor’s employees, that the vendor maintains the same cybersecurity requirements as the firm; and

• Review all relevant vendor subcontracts to ensure that the subcontractors are required to maintain the same due diligence and cybersecurity requirements as the vendor and as the firm.

Vendor contractual requirements

The firm must ensure that all vendor contracts contain the following provisions:46

• Provision to the firm of a complete copy of vendor compliance procedures, including its ISPs and all procedures relating to the firm’s PII;

• Maintenance of the same or greater level of cybersecurity than the firm;

• Provision to the firm of copies of all security audits;

• Access by the firm to an annual onsite audit of vendor;

• Maintenance of any appropriate cyberinsurance policies;

• Employment of all appropriate cybersecurity practices in the handling of firm PII (e.g. encryption);

• Notification to the firm in the event a vendor experiences a cyber-incident and full cooperation with firm in addressing the incident;

• Full cooperation with the firm in the event that the firm experiences a cyber-incident;

• Notification to the firm of any changes in management, operational structure, cybersecurity measures or any other occurrence that may have a material effect on the contractual relationship;

• All appropriate non-disclosure agreements;

• Retention of all appropriate records; and

• Definitive termination procedure.

Comment: In the event that a vendor does not meet one or more of the firm’s risk requirements but the firm still desires to contract with the vendor, an analysis of the risk factors should be undertaken with firm senior management to determine if the risks are acceptable under the circumstances. If the decision is to use the vendor, special monitoring measures should be undertaken to compensate for the higher risk.

45 See guidance from AICPA for relevant auditing standards.
46 The FINRA Report, at 27, identifies common areas in contracts with vendors.

Firm oversight

The firm must employ the following oversight practices:

• Annual evaluation of the vendor’s performance of its responsibilities;

• Review of all vendor licensing to ensure that it is properly registered on a state and federal level;

• Annual evaluation of vendor’s financial condition;

• Review of vendor’s insurance coverage;

• Review of all audit reports;

• Onsite inspection visit to vendor;

• Review vendor employee training, including cybersecurity training; and

• Review of all relevant records maintained by vendor.

6. Training

As many cybersecurity attacks originate from employee lapses, such as downloading malware or responding to phishing attempts, a firm’s cybersecurity program must include employee training.47 To assist in developing timely and effective training programs, firms often utilize cyber-intelligence.48

Various employees within a firm may be exposed to different cybersecurity risks, and firms should tailor their training content to particular categories of employees based on their potential risk exposure. The FINRA Report lists the following as key topics for a firm’s training program:49

• recognizing risks

• social engineering schemes and phishing

• handling confidential information

• password protection

• escalation policies

• physical security

• mobile security

• application lifecycles

• application security

• privilege management

• emerging technology issues

• software vulnerabilities

Some cybersecurity risks, such as social engineering or a failure to create secure passwords, may originate with clients, and thus firms should consider directing educational programs to their clients.50

Cybersecurity training should be provided to new employees immediately upon their employment, annually to existing employees, to employees when they assume a new role at the firm and in response to a specific event. These training programs should be developed in conjunction with the firm’s cybersecurity program and its incident response plan and in close coordination with its incident response team, including its legal, compliance and IT staff.51

NIST lists certain training principles in its Generally Accepted Principles and Practices for Securing Information Technology Systems.52 These principles provide a timeless guide to organizing, structuring and implementing a cybersecurity training program.

7. Testing

Regular testing is a requirement of all ISPs and involves internal testing by firms as well as independent outside vendors executing penetration testing. The object of most testing is to ensure that the key controls, systems and procedures of an ISP meet established standards. One of the most important types of testing is third-party penetration testing.53

Penetration testing or ‘‘pen testing’’ is designed to view the firm’s systems from an attacker’s perspective and to demonstrate weaknesses in a firm’s security systems. A firm should be prepared to note all firm failures and to remediate these as quickly as possible.

Pen tests, as laid out by the FINRA Report:54

• determine the feasibility of attack vectors;

• identify higher-risk vulnerabilities that a firm may not be able to detect;

• assess the magnitude and impact of successful attacks;

• test the ability of existing firm systems to successfully detect and respond to an attack; and

• provide evidence to support increased investments in specific security measures.

Pen Tests can be categorized as:55

Broad vs. Targeted—Can encompass all accessible systems or be focused on one specific system or application.

Find vs. Exploit—Designed to find apparent vulnerabilities, or to demonstrate how an attacker can exploit existing vulnerabilities. Such testing can provide a basis and justification for funding additional security measures.

Production vs. Non-production—Testing against a system that is currently operational provides real evidence of a system’s problems. As production testing can result in harm to a firm’s system, some firms may prefer to conduct such tests with the system offline and to provide a facility for capturing the production state prior to the test and restoring it after the test.

External vs. Internal—A firm’s system should undergo testing by both external and internal systems.

‘‘Blackbox’’ vs. ‘‘Glassbox’’—Blackbox, or zero-knowledge tests, are conducted by vendors with little knowledge of the firm’s systems and therefore offer a realistic assessment of a firm’s ability to thwart intrusions such as a DDoS attack.56 A glassbox test is usually designed to simulate an insider attack. Performance of both types of test is recommended.

Secret vs. Open—Secret tests are conducted to determine a firm’s ability to detect and respond to a serious problem and are quite helpful in assessing this ability. An open test is designed to test a system’s preventative controls.

8. Cyberinsurance

Cyberinsurance is now a realistic way for a firm to transfer its security risk exposure and should be considered at the time a firm makes its annual or other periodic risk assessment. If a firm is making this analysis, it should first consider the distinct possibility that its existing policies may cover some of its cybersecurity exposure. Standalone policies can address specific risks, such as data breaches, remediation cost reimbursement limits to respond to the breaches and coverage for regulatory penalties.57 Firms also must assess whether an event is insurable, whether the firm’s ISP addresses the risk in such a way as to minimize any potential risk and if there are any gaps in existing coverage that would require addressing.

47 FINRA Report at p. 31. Among other training, employees must know their own roles and responsibilities in the firm’s cybersecurity program. NIST Framework at 24–25.
48 FINRA lists some of the resources firms have used in developing cybersecurity threat training. FINRA Report 32–33.
49 FINRA Report at 31.
50 The firm should consider noting these resources on their home page and providing links to them for vendors.
51 See Incident detection, assessment, training and notification, SPS 383 § X-C3, below.
52 Id.
53 Id.
54 See FINRA Report at 21.
55 FINRA Report 21–22.
56 A successful distributed denial-of-service attack will render a network inaccessible to legitimate users and can indicate infiltration of a network or attempts to extort the target or permanently disable its system.
57 See FINRA Report at 37.


C. Incident Response Plans

One key element in an ISP is an incident response plan (‘‘Plan’’) that provides a procedural structure for the firm to expeditiously respond to a cybersecurity incident. A Plan should contain specific policies and procedures for responding to a cyber-incident, including provisions that:

• define a cybersecurity incident;58

• create an incident response team;

• establish team duties, including preparing for and investigating an incident;

• require the drafting of incident notifications to clients and regulators;

• create a cybersecurity incident log, a cybersecurity incident report and other appropriate forms for the Plan;

• direct the investigation of the incident;

• establish training and testing programs; and

• address remedial measures.59

As an example, cybersecurity incidents have been defined as:

Breach of the security of the system means unauthorized access to and acquisition of computerized data that compromises the security or confidentiality of personal information owned or licensed by a person and that causes, reasonably is believed to have caused, or reasonably is believed will cause a material risk of identity theft or other fraud to the person or property of a resident of this state.60

1. Incident response team duties and pre-incident responsibilities

To facilitate these investigations, the Plan should require the firm to establish an incident response team (‘‘Team’’) that will be responsible for addressing all cyber-incidents. The Team is usually comprised of senior firm officers from a firm’s IT, compliance, legal, HR, security and other relevant departments.61 Each Team member should be a seasoned officer sophisticated in the firm’s technical systems and operations, and the CISO should be appointed the Team leader.

The Plan should include specific duties for each Team member to complete in preparation for an incident:

CISO—Leader

• Assume authority for the overall implementation of the Plan;

• Secure authority for the Team to access any firm system and to take any necessary action to respond to and remediate an incident;

• Secure authority to retain appropriate outside counsel, forensic vendors or other third parties necessary to assist in preparing for and responding to an incident;

• Ensure that each Team member has an appropriate backup; and

• Working closely with legal, IT and compliance, keep senior management and the board informed of the firm’s cybersecurity capabilities and potential risks, including a realistic assessment of the firm’s current ability to respond to anticipated cybersecurity incidents;

Human Resources

• Maintain current office and personal contact information for all relevant firm personnel, third-party vendors, outside counsel, forensic experts and other appropriate third parties;

• In the event that a firm employee may be involved in an incident, ensure that the Team can have immediate access to that employee’s personnel file (including any pre-employment investigation), current employment responsibilities, system access and other relevant information;62

Legal

• In coordination with IT, ensure that the Team can maintain during an incident continual communications with senior management, the board, appropriate outside vendors, regulators and other necessary parties;

• Working closely with IT and compliance, keep senior management and the board regularly informed of the firm’s cybersecurity capabilities, potential risks and required system improvements, including a realistic assessment of its current ability to respond to anticipated cybersecurity incidents;

• Maintain a schedule and current knowledge of all relevant federal and state cybersecurity statutes and, in states where the firm is likely to be involved in an incident, maintain a specific knowledge of their breach notification requirements;63

• Draft and maintain a model state breach notification letter;

• Review all relevant vendor contracts for cybersecurity standards;64

• In close coordination with compliance and IT, conduct a detailed analysis of the firm’s cyberinsurance needs including recommendations for policy revisions;65

• In close coordination with compliance, annually review and revise the firm’s ISP and the Plan based on all appropriate sources including SEC and FINRA releases, CFTC guidelines, CERT publications, NIST publications and vendor announcements;

58 Reg S-P defines an incident as ‘‘Unauthorized access to or use of personal information that could result in substantial harm to any consumer, employee, investor or security holder who is a natural person.’’

59 See e.g. FINRA Report at 23, and NIST, COMPUTER SECURITY INCIDENT HANDLING GUIDE (Aug. 2012).

60 OHIO REV. CODE § 1349.19.

61 Use of a Team may vary between firms as smaller firms may only require the CCO, CISO and certain department members, while larger firms may need a Team in each of its various divisions.

62 HR must ensure that this information is maintained and provided to the Team in a manner that is consistent with the firm’s privacy requirements under Reg S-P and other relevant regulations.

63 See Practice Tool 2 for a complete state breach notification chart.

64 See Vendor management, SPS 383 § X-B5, above.

65 The FINRA Report at 37 contains a succinct discussion of cyberinsurance and notes that firms should evaluate the utility of cyber insurance as a way to transfer some risk as part of their risk management processes.

IT

• Maintain a close, working relationship with all cybersecurity technology professionals and forensic vendors that the firm may utilize in responding to a cybersecurity incident;

• Working closely with legal and compliance, keep senior management and the board informed of the firm’s cybersecurity capabilities, potential security risks and required system improvements, including a realistic assessment of its current ability to respond to anticipated cybersecurity incidents;

• In conjunction with compliance and outside vendors, develop cybersecurity training and testing programs including mock and tabletop sessions;66

• In coordination with legal, ensure that the Team can maintain during an incident continual communications with senior management, the board, appropriate outside vendors, regulators and other necessary parties;

• In close coordination with compliance and legal, con- duct a detailed analysis of the firm’s cyberinsurance needs including recommendations for policy revisions;

• Ensure that the Team can be provided immediate access to any firm system, including any identification and access requirements necessary to permit expeditious entry into these systems;

• Prepare for responding to all known potential cybersecurity risks by maintaining a current knowledge of all such risks, among other things, through the use of all available threat intelligence sources;67

Compliance

• Develop a Security Incident Log, a Security Incident Report and other appropriate reporting forms;

• In conjunction with IT and outside vendors, develop cybersecurity training and testing programs including mock and tabletop sessions;

• In close coordination with legal, annually review and revise the ISP and the Plan based on a regular review of all appropriate sources including SEC and FINRA releases, CFTC guidelines, CERT publications, NIST publications, vendor announcements and other appropriate sources;

• In close coordination with IT and legal, conduct a detailed analysis of cyberinsurance needs, including recommendations for policy revisions;

Department Members

• Department-level Team members should secure an intimate working knowledge of their department’s systems and the security measures that exist within them and work with IT and compliance to ensure that such measures are current and effective.

2. Protection of Personally Identifiable Information

As noted, firms are subject to data breach notification statutes in 51 states and territories, and each requires the Firm to notify a state agency and any affected citizen if a data breach at the firm results in unauthorized access to that citizen’s PII.68

The notification requirements vary among states based on their PII definition, the risk of harm to their citizens, the actual use of the information and other factors. Typically, a statute contains a notification requirement, a definition of PII, possible notification exemptions, required timing of the notification, the type of required notice, the state agencies to receive notice and the penalties for failure to comply. Of the 51 notification laws, forty-five contain a notification exemption if the firm’s PII is encrypted, and 38 provide that no notification is required if it can be established, usually in consultation with the state, that no harm resulted from the breach.

As PII plays a significant role in a firm’s cybersecurity policies and there are specific exemptions from many state notification requirements for properly protecting it, the firm should focus on identifying PII use, location and security status within the firm and employing appropriate measures to protect it. Any PII sent outside the firm should be encrypted in transit, and any believed to be at risk within the firm should also be encrypted. The firm should ensure that all devices carrying such information outside the firm—such as laptops, tablets and smartphones—be appropriately encrypted and also contain wiping software.69 Encryption notification exemptions exist in 45 states, and the wiping software, used effectively and timely, may permit a no-harm exemption claim.

3. Incident detection assessment, training and notification

Early detection is critical in responding to cyber-incidents, and, as many types of current intrusion devices are notoriously difficult to detect, the ISP and the Plan should require IT and compliance to ensure that their firm’s detection systems are current and effective.70 In so doing, the IT and compliance Team members should work closely with IT to assess the firm’s security mechanisms including all maintenance logs, virus scanners, firewalls, new-generation firewalls, IDSs, IPSs and other new-generation security and detection measures.71 Where corrective action or additions are found necessary, the firm should place a high priority on their acquisition and implementation.

66 If IT maintains a close working relationship with such vendors, the vendors will likely have a current knowledge of the firm’s systems and, in the event of an incident, be able to more efficiently enter into these systems, make their assessment and remediate the situation.

67 See FINRA Report at 34 for an excellent review of cyber threat intelligence. A well-recognized industry threat intelligence source is the Financial Services Information Sharing and Analysis Center (FS-ISAC).

68 See Practice Tool 2 for a complete state breach notification chart.

69 Virtually all new mobile devices are equipped with wiping software.

70 A Ponemon Study noted that 35 percent of all cyberattacks are not detected and that the true nature of many attacks is not known for over a month after detection. THREAT INTELLIGENCE & INCIDENT RESPONSE: A STUDY OF U.S. AND EMEA ORGANIZATIONS, Ponemon Institute (Feb. 12, 2014).

71 Among other resources, the SANS Critical Security Controls

As breaches are often difficult to detect and may exhibit themselves in various ways throughout the firm’s systems, all affected firm employees should receive specific training in detecting the particular types of incidents that they may encounter in their work.72 To accomplish this, the Plan should provide that the IT Team member, working with the IT department, furnish the firm’s training staff specific information on the type of cyber-incidents that its employees are likely to encounter. Based on this information, the training staff then should compile and periodically present a succinct, specifically directed training program to firm employees.

The Plan should also provide for an incident reporting procedure prominently posted throughout the firm for employee use when a cybersecurity-related problem is suspected. In training, employees should be instructed only to report to a trained IT employee the potential problem and not to take any action on it. These reports should be live person-to-person communications: no voice mail or e-mail should be used as such messages may not be discovered for many critical hours. The IT employee receiving the message should immediately report it to the CISO or, if not available, to another pre-designated Team member.

4. Incident response—pre-designation of Team assignments

As an immediate response to a cyber-incident is paramount, a great deal depends on a firm’s rapid assessment of and response to the situation. Responsiveness will be enhanced by the pre-designation of Team assignments. In each incident, certain Team members will often have some of the same responsibilities, which should be specified in the Plan.

CISO—Leader

• Confer initially with appropriate Team members and make an initial assessment of the incident;

• Designate the members of the particular Team and specify each Team member’s assignment in responding to the incident;73

• In consultation with Team members, determine all strategy to be employed in the response;

• Provide continual support of and coordination with the Team during the incident including daily morning briefings and evening debriefings;

• Provide continual status communications to senior management, the board, appropriate outside vendors and other necessary parties;

HR

• Provide appropriate contact information for all firm departments, department senior management, outside vendors and other appropriate third parties as needed during the incident;

• In the event that the incident involves a firm employee, provide all available information regarding the employee, evaluate all potential violations of firm policy and assess any possible sanctions against the employee, including termination;

• In consultation with legal, coordinate and control all communications and interaction regarding the incident with the media;

Legal

• Determine specifically what civil and, if applicable, criminal laws apply to the incident and any potential violations and sanctions including the determination of PII and any possible notice exemptions;

• In close coordination with compliance and IT, conduct a detailed analysis of all cyberinsurance issues pertaining to the incident;

• Draft appropriate state breach notification letters;

• Ensure the proper preservation of all evidence;

• In conjunction with compliance, manage communications with all regulatory authorities.

IT

• In close coordination with the CISO and other appropriate Team members, make an initial assessment of the incident;

• In conjunction with compliance and legal, determine if the incident involves PII and if there are any possible notice exemptions;

• In close coordination with compliance and legal, conduct a detailed analysis of cyberinsurance issues pertaining to this incident;

Compliance

• Ensure that the Team is making all appropriate entries into the Security Incident Log and, at the conclusion of the incident, properly completes a Security Incident Report;

• In conjunction with legal, manage communications with all regulatory authorities;

• In conjunction with compliance and IT, advise on the determination of PII and any possible notice exemptions;

• In close coordination with IT and legal, conduct a detailed analysis of cyberinsurance coverage.

5. Incident response—the investigation

If the CISO determines that the incident requires Team involvement, she or he should assemble the Team in person or through a conference call to further analyze the problem.74 As each incident will have different facts, issues and problems, each will demand a different set of expertise. Therefore, the CISO will designate Team members with the requisite capability to address each problem as well as outside experts, if necessary, to address the particular situation. The CISO should ensure that each involved Team member is given a clearly defined role that is understood by all other Team members, and the investigation should commence immediately.

Guidelines provide an excellent review of such measures.

72 See THREAT INTELLIGENCE & INCIDENT RESPONSE: A STUDY OF U.S. AND EMEA ORGANIZATIONS, Ponemon Institute (Feb. 12, 2014).

73 Certain Team members may not necessarily be needed in a particular incident and will not be assigned a responsibility in it.

74 Alternates should attend if the primary member is unavailable.

a. PII breach determination

IT should assume a primary role in and lead the investigation and be given all necessary support by the CISO and other Team members. IT’s most important initial task is to determine the nature and security status of the compromised information as well as the circumstances regarding its loss. If it is determined that a PII breach has occurred, IT, working closely with legal and compliance, should ascertain what information and states are involved; whether the information is encrypted and if a wiping software is available.

If the information is verified to be encrypted, it is likely exempt and legal and compliance should be immediately informed. If it is unencrypted and a data wipe can be used, IT, at the direction of legal and compliance, should execute and document the wipe.

If IT establishes that the information is not encrypted and a wipe is not an option, a determination between legal and compliance and IT should be made as to the current state of the information and whether, under these conditions, the affected customers will be harmed.

For example, if the PII is in the possession of a sophisticated, trustworthy client, vendor or financial services firm (‘‘Recipient’’), certain measures may be taken to ensure that no harm will result from this breach. In this situation, legal and compliance should immediately notify the Recipient of the situation, direct them not to open the e-mail or other documents; to destroy them and to document the destruction. The Recipient should then verify these actions through an e-mail to legal. This process may establish a reasonable basis for concluding that no harm will come to the affected persons.

b. Legal/compliance

In these situations, legal and compliance would be charged with analyzing the statutory requirements for the involved states, including their definition of PII and any available exemptions.75 This analysis is critical, as in many instances the compromised information may contain some but not all the personal information required to be defined as PII in that state. If legal and compliance determines that it is not PII, the firm must still make an assessment of the situation pursuant to federal and other state cybersecurity and privacy requirements, but it will not have any state notification concerns.

If it is determined to be PII and is encrypted, it is likely exempt. Legal and compliance should quickly make this assessment, and provide the firm with appropriate guidance. If not encrypted and the PII can be immediately wiped clean, there is a good possibility that it can be established that the client was not harmed. Establishing an exemption by determining that no harm has come to the information must in most instances involve communication with the appropriate state agency. This should be done by legal and/or compliance as soon as the firm has a complete understanding and command of the situation. Legal and compliance should make this assessment, document it and coordinate with the appropriate state agency to ensure that this approval is secured.

75 Legal should maintain a schedule of the current state laws that will permit it to make a quick assessment of applicable requirements. See Practice Tool 2 for a complete state breach notification chart.

c. Issuance of notice

If the email was opened or the information was accessed by unauthorized personnel, the possibility of compromise is likely. In this event, the firm should still act expeditiously to address the problem and contact appropriate authorities as required. If it is determined that notification is necessary, legal and compliance should ensure that the appropriate state agency is notified and that the client notice conforms to the state’s requirements and is timely issued. Necessary client notification may entail additional requirements depending on the states that are involved.76 These requirements should be analyzed carefully by legal and compliance, discussed with the appropriate state agency and executed in accordance with statutory requirements and agreement with the agency.

d. Cybersecurity Incident Report

Once the matter is resolved, a Cybersecurity Incident Report should be written by compliance and include recommended remedial measures. The CISO then should ensure that the remedial measures are undertaken and properly documented.

e. Significant cyber-incidents

If the CISO, in consultation with the Team, determines that this is a significant cyber-incident requiring a major Team undertaking, the directives of the Plan must be closely followed, and IT must determine immediately the type of incident involved—data corruption, DDoS, network intrusion, customer account intrusion or malware infection77—and whether it is ongoing. A significant incident may require outside expertise, especially if it is ongoing; IT should determine quickly if outside expertise is needed to assist in its assessment and ultimate containment, and, if so, the experts should be promptly retained and employed.78 Further, as many current intrusion devices are not only difficult to detect but are equally difficult to assess in their magnitude and complexity, it is likely that the exact nature and extent of the problem will not be known at the onset. IT should inform senior management of any uncertainty in making a complete and accurate assessment of an incident’s severity level.79 Many firms have certain defined levels of cyber-incidents; every effort should be made to make an accurate assessment and to report the classification to the Team and senior management.

76 Some states may require an 800 number in the notice for contacting the firm, while others may require the firm to provide clients with credit report access and/or the ability to place a fraud alert or credit freeze on the client’s credit file.

77 The loss of PII, depending on the extent and nature of the loss and any accompanying cyber-problems, can itself be viewed as a significant event.

78 If IT has maintained a working relationship with such vendors, for example through ongoing training and testing, the vendors will have a current knowledge of the firm’s systems and thus be able to more efficiently enter into the firm’s systems, make their assessment and resolve the situation.

79 One of the pre-incident requirements for legal, compliance and IT is to provide senior management and the board with a realistic

At this juncture, the primary objective of the Team is to take swift decisive action to contain and control the incident. This is one of the key reasons that the CISO is given full authority to retain appropriate outside counsel, forensic vendors or other third parties necessary to assist in responding to an incident; to access any firm system for analysis; and to take any necessary action to respond to and remediate an incident. Such action will not only save the firm from incurring serious and prolonged problems and costs, but will assist it in dealing with the regulatory authorities.80

Compliance should ensure that appropriate and continual entries are made in the Cybersecurity Incident Log tracking the progress of the investigation. The CISO should also continually coordinate with the Team members throughout the investigation, coordinating a daily morning briefing and an evening debriefing with the entire Team. During the course of the investigation, IT will oversee the work of the outside forensic experts in coordination with legal and compliance. It is important that IT and the forensic experts be provided freedom to pursue their responsibilities without unnecessary interruption; therefore an appropriate chain of communication should be established internally and externally—only the CISO, along with specific IT, legal and compliance Team members, should communicate with the forensic experts.

Internally, the CISO along with legal should communicate conditions, status and actionable news to senior management and the board, and notices should be based on realistic, factual assessments and projections. The CISO, legal and HR should closely coordinate on all media communications. All external

media communications should be approved in advance by HR and legal, and copies of all such communications should be retained. One senior firm officer should have sole responsibility for communicating with the media. Legal and compliance should have sole authority for communicating with the regulatory authorities, and one senior legal officer should have primary responsibility for the actual communications.

Legal should ensure that all federal and state regulatory authorities are appropriately notified, and updated when necessary. In the event that a regulatory inquiry is initiated, legal and compliance should cooperate completely with the regulators and keep the CISO and senior management fully informed of progress.

After containing an incident, it will be necessary to eradicate the residual effects of the attack and to identify and correct all vulnerabilities that led to the attack. It may be necessary to restore systems to normal operation, which may involve partially restoring systems, rebuilding systems from scratch and installing software patches.

Comment: It is important to remember that the very areas that were the subject of the current attack may well be attacked again in the immediate future, and, if the vulnerabilities are not properly corrected, the firm will likely suffer even greater damage.

When the incident is resolved, legal must ensure that all documentation and evidence is retained in accordance with relevant regulatory and evidentiary requirements and that all reports are completed pursuant to the Plan. The firm’s reporting obligations under FINRA Rule 4530(b) must also be considered. Upon resolution, the CISO should direct compliance to compile a Cybersecurity Incident Report including recommendations for remedial measures and should ensure that all appropriate documents are retained with the Report. The CISO should also make an extensive analysis of all required remedial measures and ensure that such measures are included in the report and then undertaken and completed by the firm.

assessment of the firm’s cybersecurity program. This assessment should include a briefing on the problems that can occur in initially detecting an incident, and, if this earlier briefing is done properly, it should provide a good foundation for the initial discussion of an actual incident.

80 FINRA Report at 24.


XXI.

Blockchain: Initial Coin Offering Interpretation and Guidance

A. SEC Report on Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO Report

The Securities and Exchange Commission (‘‘Commission’’ or ‘‘SEC’’) has been actively monitoring the use of cryptocurrency and Initial Coin Offerings (‘‘ICOs’’) over the last several years and has periodically issued guidance in this area as well as instituting enforcement actions when appropriate. One of the Commission’s main concerns about ICOs is the sale of so-called ‘‘tokens’’, as they may be considered securities under the federal securities laws and would therefore require registration. Recently, the Commission’s Division of Enforcement (‘‘division’’) investigated whether the DAO (a so-called online Decentralized Autonomous Organization) had violated the federal securities laws by its sale of tokens in a public offering.1

In this matter, the SEC took the unusual step of issuing what is known as a ‘‘21(a) Report’’2 in which it discussed in detail its concerns about such sales under the federal securities laws.

This is a very important discussion as it acts as a guide in the handling of such matters and will be addressed here in detail.

1. The DAO and DAO Tokens

The DAO was created by Slock.it, a German online business, and its co-founders Christoph Jentzsch, Simon Jentzsch and Stephan Tual. The objective of the DAO was to operate a for-profit online entity that would create and hold certain funds through the sale of DAO tokens to investors, which would then be used to fund ‘‘projects.’’ DAO token holders could monetize their token investments by re-selling them on a number of web-based platforms that support secondary trading of the DAO tokens.

The DAO is the ‘‘first generation’’ implementation of the white paper3 concept of a DAO entity.4 In 2016, Slock.it deployed the DAO code (‘‘DAO Code’’) on the Ethereum Blockchain as a set of pre-programmed instructions for the purpose of governing how the DAO was to operate. The goal of the DAO was to allow investors holding DAO tokens to vote on contract proposals, including proposals to fund projects and to distribute the DAO’s anticipated earnings from the projects it funded. In exchange for Ethereum (‘‘ETH’’), a virtual currency, the DAO issued DAO tokens which were assigned the Ethereum blockchain address of the person or entity remitting the ETH. DAO token holders would earn profits by funding projects that would provide a return on investment.5

1 DAO is an online ‘‘virtual’’ organization embodied in computer code and executed on a distributed ledger or blockchain.

2 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, SEC Release No. 81207 (Jul. 25, 2017) (‘‘DAO Report’’).

3 See Christoph Jentzsch, Decentralized Autonomous Organization to Automate Governance (‘‘white paper’’). Authorized by Christoph Jentzsch, the Chief Technology officer of Slock.it, Simon Jentzsch and Stephan Tual, the white paper purports to describe the first implementation of a DAO entity code to automate organizational governance and decision making. The DAO Entity can be used by individuals working together outside of a traditional corporate form and can also be used by a registered corporate entity to automate formal governance rules contained in corporate bylaws or imposed by law.

4 Christoph Jentzsch, The History of the DAO and Lessons Learned, SLOCK.IT BLOG (Aug. 24, 2016). Although the DAO can be described as a ‘‘crowdfunding contract,’’ it would not meet the requirements of Regulation Crowdfunding, adopted under Title III of the

The DAO offered and sold DAO tokens from April 30,

2016 to May 28, 2016, and all of the funds raised in the offering

(as well as any future profits earned by the DAO) were pooled

and held in the DAO’s Ethereum Blockchain address. There

were no limitations on the number of DAO tokens offered for

sale, the number of purchasers of the DAO tokens, or the level

of sophistication of such purchasers. DAO token holders were

not restricted from re-selling DAO tokens acquired in the of-

fering, and DAO token holders could sell their DAO tokens in

a variety of ways in the secondary market and thereby monetize

their investments. Additionally, DAO tokens were to be freely

transferable on the Ethereum blockchain. DAO token holders

would also be able to redeem their DAO tokens for ETH

through a complicated, multi-week process. The primary pur-

pose of this was to prevent a ‘‘51% attack,’’ where an attacker

holding 51% of a DAO’s tokens could send all of the DAO

Entity’s funds to him or herself.6

In order for a proposal to be placed on the DAO for token

holders to vote on, a curator chosen by Slock.it was given the

discretionary power to determine whether it would be submit-

ted for voting. Once a proposal is approved, it will be placed on

a ‘‘whitelist,’’ which was a list of Ethereum blockchain ad-

dresses that could receive ETH from the DAO, if the majority

of DAO token holders voted for the proposal. Online platforms

became a vehicle for DAO token holders to buy and sell DAO

tokens in the secondary market by using virtual or fiat curren-

cies.7

In late May 2016, concerns about the safety and security of

the DAO funds began to surface due to vulnerabilities in the

DAO’s code. Precautions were taken by Slock.it and Christoph

Jentzsch to minimize these concerns. On June 17, 2016, an

unknown individual or group (the ‘‘attacker’’) began rapidly

diverting ETH from the DAO, causing approximately 3.6 mil-

lion ETH to move from the DAO’s Ethereum Blockchain ad-

dress to an ETH that was being controlled by the attacker. In

response to the attack, Slock.it’s co- founders and others cre-

Jumpstart Our Business Startups (JOBS) Act of 2012 (providing an exemption from registration for certain crowdfunding), because, among other things, it was not nor did it use a broker-dealer or a funding portal registered with the SEC and the Financial Industry Regulatory Authority (‘‘FINRA’’) in the sale of the tokens. See Regu- lation Crowdfunding: A Small Entity Compliance Guide for Issuers, SEC (Apr. 5, 2017); Updated Investor Bulletin: Crowdfunding for Investors, SEC (May 10, 2017).

5 DAO Report at 4. 6 Id. at 5. 7 Id. at 6.

383 SPS Copyright @ 2018 by The Bureau of National Affairs, Inc., Arlington, VA 22202 8/18 A - 119

Page 22: SECURITIES PRACTICE PORTFOLIO SERIES · 2019-02-07 · SECURITIES PRACTICE PORTFOLIO SERIES TECHNOLOGY REGULATION IN THE FEDERAL SECURITIES MARKETS By John R. Hewitt Jack Hewitt is

Technology Regulation in the Federal Securities Markets Securities Practice Portfolio Series

ated a work-around where DAO token holders could opt to have their investment returned to them.8
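The governance flow the treatise describes (tokens assigned to the remitting address, curator whitelisting of recipient addresses, a token-holder majority before ETH leaves the pool, and a delayed redemption) as an added Python model; this is an illustration, not Slock.it’s DAO Code, and the one-token-per-ETH rate, token-weighted simple majority and 14-day wait are my assumptions.

```python
"""Toy model of the DAO governance flow described above. Added illustration,
not Slock.it's DAO Code. Assumptions (mine, not the treatise's): one token per
ETH remitted, token-weighted votes, a simple majority of all outstanding
tokens, and a 14-day wait standing in for the multi-week redemption process."""
from dataclasses import dataclass, field


@dataclass
class Proposal:
    proposal_id: int
    recipient: str                  # blockchain address that would receive ETH
    amount: int                     # ETH requested
    whitelisted: bool = False       # set only by the curator
    votes_for: int = 0              # token-weighted "yes" votes
    voters: set = field(default_factory=set)


class ToyDAO:
    def __init__(self, curator: str, redemption_wait_days: int = 14):
        self.curator = curator                  # chosen by Slock.it
        self.redemption_wait_days = redemption_wait_days
        self.balance = 0                        # ETH pooled at the DAO address
        self.tokens: dict[str, int] = {}        # tokens keyed by remitting address
        self.proposals: dict[int, Proposal] = {}
        self.redemptions: dict[str, tuple[int, int]] = {}  # addr -> (tokens, day)

    def total_tokens(self) -> int:
        return sum(self.tokens.values())

    def buy_tokens(self, address: str, eth: int) -> int:
        """Offering period: ETH goes to the pool, tokens to the remitter."""
        if eth <= 0:
            raise ValueError("must remit a positive amount of ETH")
        self.balance += eth
        self.tokens[address] = self.tokens.get(address, 0) + eth
        return self.tokens[address]

    def curate(self, curator: str, proposal: Proposal) -> None:
        """Only the curator may whitelist a recipient and open it for a vote."""
        if curator != self.curator:
            raise PermissionError("only the curator can whitelist proposals")
        proposal.whitelisted = True
        self.proposals[proposal.proposal_id] = proposal

    def vote(self, address: str, proposal_id: int, approve: bool) -> None:
        """One vote per address, weighted by tokens held at voting time."""
        p = self.proposals[proposal_id]         # KeyError if never curated
        weight = self.tokens.get(address, 0)
        if weight == 0 or address in p.voters:
            raise ValueError("no tokens or already voted")
        p.voters.add(address)
        if approve:
            p.votes_for += weight

    def execute(self, proposal_id: int) -> bool:
        """Pay out only to a whitelisted recipient backed by a token majority."""
        p = self.proposals.get(proposal_id)
        if p is None or not p.whitelisted:
            return False
        if p.votes_for * 2 <= self.total_tokens() or p.amount > self.balance:
            return False
        self.balance -= p.amount                # ETH leaves the pool to p.recipient
        return True

    def request_redemption(self, address: str, day: int) -> None:
        """Start the waiting period: tokens are locked, nothing is paid yet."""
        n = self.tokens.pop(address, 0)
        if n == 0:
            raise ValueError("nothing to redeem")
        self.redemptions[address] = (n, day)

    def finish_redemption(self, address: str, day: int) -> int:
        """Return ETH (1 per token, a simplification) once the wait has elapsed.
        Returns 0 while the wait is still running."""
        n, started = self.redemptions.get(address, (0, 0))
        if n == 0 or day - started < self.redemption_wait_days:
            return 0
        del self.redemptions[address]
        self.balance -= n
        return n
```

The point of the model is the two gates on outflow: no ETH leaves the pool to an address the curator never whitelisted, and a redemption cannot settle before the waiting period has run.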

2. SEC Investigation

The Commission at that point became concerned about the DAO and its sale of tokens, and began its investigation. Ultimately, the Commission determined that DAO tokens are securities under the Securities Act of 1933 and the Securities Exchange Act of 1934, and deemed it appropriate to issue the report. A key purpose of the report was to stress that the federal securities laws apply to products and platforms involving emerging technologies (DLT or blockchain technology) and new investor interfaces.9

The application of the federal securities laws to emerging technologies depends on the particular facts and circumstances, without regard to the form of the organization or technology used to effectuate a particular offer or sale. In the sale of DAO tokens, the Commission intends to apply the existing federal securities law to this new paradigm. The registration provisions of the Securities Act contemplate that the offer or sale of securities to the public must be accompanied by the ‘‘full and fair disclosure’’ afforded by registration with the Commission and delivery of a statutory prospectus containing information necessary to enable prospective purchasers to make an informed investment decision. Registration entails disclosure of detailed ‘‘information about the issuer’s financial condition, the identity and background of management, and the price and amount of securities to be offered. . .’’10 ‘‘The registration statement is designed to assure public access to material facts bearing on the value of publicly traded securities and is central to the Act’s comprehensive scheme for protecting public investors.’’11

3. DAO Tokens as Securities

Section 5 of the Exchange Act makes it unlawful for any broker, dealer, or exchange, directly or indirectly, to effect any transaction in a security, or to report any such transaction, in interstate commerce, unless the exchange is registered as a national securities exchange under Section 6 of the Exchange Act, or is exempted from such registration.12 Section 3(a)(1) of the Exchange Act defines an ‘‘exchange’’ as ‘‘any organization, association, or group of persons, whether incorporated or unincorporated, which constitutes, maintains, or provides a market place or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange as that term is generally understood.’’13

Under Section 2(a)(1) of the Securities Act and Section 3(a)(10) of the Exchange Act, a security includes ‘‘an investment contract.’’14 An investment contract is an investment of money in a common enterprise with a reasonable expectation of profits to be derived from the entrepreneurial or managerial efforts of others. Investors in the DAO used ETH to make their investments, and DAO tokens were received in exchange for ETH. These investments are the type that can be defined as an investment contract under Howey.15 Further, investors who purchased DAO tokens were investing in a common enterprise and reasonably expected to earn profits through that enterprise when they sent ETH to the DAO’s Ethereum blockchain address in exchange for DAO tokens. The curators proposed projects (or contracts), the DAO token holders voted on whether or not to fund the contracts and, depending on the terms of the particular contract, DAO token holders stood to share in potential profits from them. Thus, a reasonable investor would have been motivated, at least in part, by the prospect of profits on their investment of ETH in the DAO.

8 Id. at 9.

9 Id. at 10.

10 SEC v. Cavanagh, 1 F. Supp. 2d 337, 360 (S.D.N.Y. 1998), aff’d, 155 F.3d 129 (2d Cir. 1998).

11 SEC v. Aaron, 605 F.2d 612, 618 (2d Cir. 1979) (citing SEC v. Ralston Purina Co., 346 U.S. 119, 124 (1953)), vacated on other grounds, 446 U.S. 680 (1980).

12 See 15 U.S.C. § 78e.

13 15 U.S.C. § 78c(a)(1); DAO Report at 11.

Additionally, the efforts of Slock.it, Slock.it’s co-founders and the DAO curators were essential to the enterprise. The DAO investors relied on the managerial and entrepreneurial efforts of Slock.it, its co-founders and the DAO curators to manage the DAO and put forth project proposals that could generate profits for the DAO investors. Investor expectations were primed by the marketing of the DAO and the active engagement between Slock.it and its co-founders with the DAO and DAO token holders. Slock.it created and maintained a website that further promoted the DAO tokens and maintained other online forums that it used to provide information to DAO token holders about how to vote and perform other tasks related to their investment. The expertise of the DAO’s creators and curators was critical in monitoring the operation of the DAO, safeguarding investor funds, and determining whether proposed contracts should be put to a vote, and investors relied on this expertise. DAO token holders relied on the curators to (1) vet contractors; (2) determine whether and when to submit proposals for votes; (3) determine the order and frequency of proposals that were submitted for a vote; and (4) determine whether to halve the default quorum necessary for a successful vote on certain proposals. Thus, the curators had significant power and control that the DAO token holders relied on.16

Further, DAO token holders’ voting rights were limited. DAO token holders’ rights were substantially reliant on the managerial efforts of Slock.it, its co-founders, and the curators. Even if an investor assisted in making an enterprise profitable, those efforts do not necessarily equate with a promoter’s significant managerial efforts or control over the enterprise.17 The DAO Holders’ rights did not provide them with meaningful control over the enterprise because (1) a DAO token holder’s ability to vote for contracts was a largely perfunctory one; and (2) DAO token holders were widely dispersed and limited in their ability to communicate with one another. Thus, the DAO token holders were unable to exercise meaningful control over the enterprise through the voting process, and therefore, relied extensively on the efforts by Slock.it, its co-founders and the DAO curators, as these efforts were essential to the overall success and profitability of any investment in the DAO.18

14 15 U.S.C. §§ 77b-77c.

15 SEC v. W.J. Howey Co., 328 U.S. 293, 301 (1946).

16 DAO Report at 13.

17 SEC v. Glenn W. Turner Enters, Inc., 474 F.2d, 482 (9th Cir. 1973).

Finally, issuers must register offers and sales of securities unless a valid exemption applies. The definition of ‘‘issuer’’ is broadly defined to include ‘‘every person who issues or proposes to issue any security,’’ and ‘‘person’’ includes ‘‘any unincorporated organization.’’19 The term ‘‘issuer’’ is flexibly construed in the Section 5 context ‘‘as issuers devise new ways to issue their securities and the definition of a security itself expands.’’20 The DAO was an issuer of securities, and information about the DAO was ‘‘crucial’’ to the DAO token holders’ investment decision. During the offering period, the DAO offered and sold DAO tokens in exchange for ETH through the DAO website. The DAO sold approximately 1.5 billion DAO tokens in exchange for approximately 12 million ETH, which was valued in USD at approximately $150 million. Those who participate in an unregistered offer and sale of securities not subject to a valid exemption are liable for violating Section 5.21

4. DAO as an Exchange

Exchange Act Rule 3b-16(a) provides a functional test to assess whether a trading system meets the definition of exchange under Section 3(a)(1). Under Exchange Act Rule 3b-16(a), an organization, association, or group of persons shall be considered to constitute, maintain, or provide ‘‘a marketplace or facilities for bringing together purchasers and sellers of securities or for otherwise performing with respect to securities the functions commonly performed by a stock exchange,’’ if such organization, association, or group of persons: (1) brings together the orders for securities of multiple buyers and sellers; and (2) uses established, non-discretionary methods (whether by providing a trading facility or by setting rules) under which such orders interact with each other, and the buyers and sellers entering such orders agree to the terms of the trade.22 A system that meets the criteria of Rule 3b-16(a), and is not excluded under Rule 3b-16(b), must register as a national securities exchange pursuant to Sections 5 and 6 of the Exchange Act23 or operate pursuant to an appropriate exemption. One frequently used exemption is for alternative trading systems (‘‘ATS’’).24 Rule 3a1-1(a)(2) exempts from the definition of ‘‘exchange’’ under Section 3(a)(1) an ATS that complies with Regulation ATS,25 which includes, among other things, the requirement to register as a broker-dealer and file a Form ATS with the Commission to provide notice of the ATS’s operations. Therefore, an ATS that operates pursuant to the Rule 3a1-1(a)(2) exemption and complies with Regulation ATS would not be subject to the registration requirement of Section 5 of the Exchange Act.26 The DAO is a system that meets the definition of an exchange and must register as a national securities exchange or operate pursuant to an exemption from such registration.27

18 DAO Report at 13.

19 15 U.S.C. § 77b(a)(4).

20 Doran v. Petroleum Mgmt. Corp., 545 F.2d 893, 909 (5th Cir. 1977); accord SEC v. Murphy, 626 F.2d 633, 644 (9th Cir. 1980).

21 DAO Report at 15.

22 17 C.F.R. § 240.3b-16(a).

23 15 U.S.C. § 78e.

24 Rule 300(a) of Regulation ATS promulgated under the Exchange Act.

25 See 17 C.F.R. § 240.3a1-1(a)(2).

Because the DAO is defined by the Commission as an entity that sells securities in the United States, it must comply with the federal securities laws, including the requirement to register with the Commission or to qualify for an exemption from the registration requirements of the federal securities law.28 These requirements apply to those who offer and sell securities in the United States, regardless of whether the issuing entity is a traditional company or a decentralized autonomous organization, whether those securities are purchased using U.S. dollars or virtual currencies, or whether they are distributed in certificated form or through distributed ledger technology. The Commission’s report also found that the platforms that traded DAO tokens appear to have satisfied the criteria of Rule 3b-16(a) and do not appear to have been excluded by Rule 3b-16(b).29

The Commission’s issuance of this 21(a) report is a significant step in its regulation and continual review of this new technology and the cryptocurrency markets, and should be read and understood by all participants involved in them.

B. Comparisons: Crowdfunding and EGC Disclosures

1. Crowdfunding

The SEC has established a crowdfunding mechanism that can be utilized in an ICO, although it provides for funding that is considerably less than was sought and ultimately obtained in the DAO offering.30 It also has established regulatory requirements and procedures that are quite different than those employed in the DAO offering. In the United States, crowdfunding has often been employed as a vehicle to seek funding for various small charitable undertakings. In such a situation, the request is usually for funds to support a particular non-profit cause and, as such, it rarely involves the sale of a security. The SEC therefore has little concern about such undertakings, barring any fraudulent design.

The crowdfunding requirements under the Securities Act of 1933 that govern the funding of small businesses are discussed below in comparison to the DAO offering, which the SEC viewed as seriously violating the federal securities laws. Specifically, Section 4A(a) of the Securities Act provides for the use of a crowdfunding intermediary that is to be used in all crowdfunding transactions.

26 DAO Report at 16.

27 DAO Report at 5.

28 Id.

29 Id.

30 The DAO could be described as a ‘‘crowdfunding contract.’’ Christoph Jentzsch, The History of the DAO and Lessons Learned, SLOCK.IT BLOG (Aug. 24, 2016).


Crowdfunding Requirements under the Securities Act of 1933, compared with The DAO Offering Tactics:

Registration: Register with the SEC as a broker-dealer or a funding portal and register with any applicable self-regulatory organization.31
The DAO offering: Although the DAO could be described as a "crowdfunding contract," it did not meet the requirements of the Regulation Crowdfunding exemption as, among other things, it did not employ a broker-dealer or a funding portal registered with the SEC and the Financial Industry Regulatory Authority in its sales.

Disclosures: Provide any disclosure, including disclosure related to risks and other investor education materials, as the SEC requires by rule.32
The DAO offering: The DAO offered certain financial transparency and its finances were visible on its blockchain to potential and existing investors.

Fraud Reduction: Take measures to reduce the risk of fraud, including background and securities enforcement regulatory checks on the officers, directors and 20 percent shareholders of each issuer whose securities it offers, and any other requirements the SEC adopts.33
The DAO offering: With a DAO, all transactions are traceable and auditable by all permitted parties.

Provide SEC Information: No later than 21 days before the first day on which securities are sold to any investor, make available to the SEC and to potential investors any information provided by the issuer in response to the requirements of Section 4A(b).34
The DAO offering: The DAO provided its white paper to all potential investors although there was no regulatory or procedural requirement for the offering.

Conflicts of Interest: Prohibit its directors, officers or partners (or any similar person) from having any financial interest in an issuer that uses its services. Additionally, the entity may not compensate promoters, finders, or lead generators for providing the broker or funding portal with personal identifying information.35
The DAO offering: The DAO does not have any directors, officers or managers since it is a fully automated system. It does have certain officials such as the curators who play specific roles in the DAO. The DAO has stakeholders who own tokens that represent a share in the performance of the DAO. These stakeholders have the ability to vote ‘‘yes’’ or ‘‘no’’ on every proposal presented to the organization.

31 15 U.S.C. § 77d-1(a)(1).

32 Id. § 77d-1(a)(3).

33 Id. § 77d-1(a)(5).

34 Id. § 77d-1(a)(6).

35 Id. § 77d-1(a)(10), (11).


2. EGC Disclosure

Under Section 4A of the Securities Act, ‘‘Requirements with Respect to Certain Small Transactions,’’36 Emerging Growth Companies (EGC) must file with the SEC, provide to investors and the broker or funding portal and make available to potential investors the following information:

Disclosure Requirements for Issuers, compared with The DAO Disclosures:

Basic Issuer Information: Name, legal status, physical address and website address.37
The DAO: The DAO has provided a website address but does not have a physical address as the ‘‘tokens’’ are being sold through the internet.

Basic Individual Information: The names of its directors, officers and 20% stockholders.38
The DAO: The DAO has no CEO and no staff, although it does have certain officials such as the curators that perform various DAO functions.

Business Plan: A description of its business and anticipated business plan.39
The DAO: The DAO does not have a description of its business and anticipated business plan, although several articles, including the white paper, have been published describing the business and the anticipated business plan of the company.40

Financial Condition: A description of its financial condition. The level of detail of the required disclosure depends on the level of crowdfunding activity undertaken by the issuer during the preceding 12 months.41
The DAO: The DAO provides open access to its financials through the blockchain.

Financial Statements: For offerings that, together with all other crowdfunding offerings by the issuer in the past 12 months, have in the aggregate target offering amounts of:

• $100,000 or less: the issuer must provide income tax returns for its most recently completed year and financial statements certified by the principal executive officer;

• More than $100,000 but less than $500,000: the issuer must provide financial statements reviewed by a public accountant that is independent of the issuer; and

• More than $500,000 (or such other amount as the SEC establishes by rule): the issuer must provide audited financial statements.42

The DAO: As of May 2018, over $161 million was invested in the DAO by investors. After its funding period concluded, its investors were to collectively vote on how to spend its money.

Use of the Proceeds: A description of the intended use of the proceeds.43
The DAO: The DAO has described its business practices as creating and holding a corpus of assets through the sale of the DAO tokens to investors, which would then be used to fund ‘‘projects.’’

Target Offering: The target offering amount, the deadline to reach the target offering amount and regular updates regarding the progress towards meeting the target offering amount.44
The DAO: The DAO does not provide a target amount; it just allows investors to purchase tokens and then vote on how they want to spend the tokens.

Price: The price to the public of the securities or the method for determining the price. Before each sale, each investor must be provided in writing the final price and all required disclosure, with a reasonable opportunity to rescind its purchase commitment.45
The DAO: The price of bitcoins, ETH and other tokens is available on various cryptocurrency exchanges.

Issuer Structure: A description of the ownership and capital structure of the issuer, including:

• A detailed description of the terms of the offered securities and each other class of the issuer’s securities.

• A description of how the issuer’s principal stockholders’ exercise of their rights could negatively affect the purchasers of the securities being offered.

• The name and ownership level of each stockholder holding more than 20% of any class of the issuer’s securities.46

The DAO: The white paper addressed the offering terms and who the money will be distributed to and how it will be spent. The stakeholders in the DAO are anonymous and there is no requirement to disclose any shareholders by percentage of ownership.

36 15 U.S.C. § 77d-1.

37 Id. § 77d-1(b)(1)(A).

38 Id. § 77d-1(b)(1)(B).

39 Id. § 77d-1(b)(1)(C).

40 See The DAO Report: Understanding the Risk of SEC Enforcement; see also INSIGHT: In the Wake of the DAO Report: A Year in Review.

41 15 U.S.C. § 77d-1(b)(1)(D).

42 Id.

43 Id. § 77d-1(b)(1)(E).

44 Id. § 77d-1(b)(1)(F).

45 Id. § 77d-1(b)(1)(G).

46 Id. § 77d-1(b)(1)(H).
