1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

On May 17, 2017, the US Securities and Exchange Commission (SEC), through its National Exam Program, issued a “Risk Alert” to broker-dealers, investment advisers and investment firms to advise them about the recent “WannaCry” ransomware attack and to encourage increased cybersecurity preparedness. The purpose of the alert, according to the SEC, was to “highlight for firms the risks and issues that the staff has identified during examinations of broker-dealers, investment advisers, and investment companies regarding cybersecurity preparedness.”

Based on a 2015 survey of 75 SEC registered broker-dealers, investment advisers and investment firms, the SEC National Exam Program staff recognized certain firm practices that registrants may find relevant when dealing with threats such as the WannaCry ransomware attack:

  • Cyber-risk Assessment: Five percent of the broker-dealers, and 26 percent of the investment advisers and investment companies examined “did not conduct periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences.”
  • Penetration Tests: Five percent of the broker-dealers, and 57 percent of the investment companies “did not conduct penetration tests and vulnerability scans on systems that the firms considered to be critical.”
  • System Maintenance: All broker-dealers, and 96 percent of investment firms examined “have a process in place for ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.” And only ten percent of the broker-dealers, and four percent of the investment firms examined had a significant number of critical and high-risk security patches that were missing important updates.

The SEC recommends registrants undertake at least two separate tasks: (1) assess supervisor, compliance and/or other risk management systems related to cybersecurity risks; and (2) make any changes, as may be appropriate, to address or strengthen such systems. To assistant registrants, the SEC highlights its Division of Investment Management’s recent cybersecurity guidance, and the webpage of the Financial Industry Regulatory Authority (FINRA), which has links to cybersecurity-related resources.

The SEC cautions that the recommendations described in the Risk Alert are not exhaustive, “nor will they constitute a safe harbor.” Factors other than those described in the Risk Alert may be appropriate to consider, and some factors may not be applicable to a particular firm’s business. Moreover, future changes in laws or regulations may supersede some of the factors or issues raised in the Risk Alert. Ultimately, the “adequacy of supervisory, compliance, and other risk management systems can be determined only with reference to the profile of each specific firm and other facts and circumstances.”

The SEC recognizes that it is not possible for firms to anticipate and prevent every cyber-attack. However, “appropriate planning to address cybersecurity issues, including developing a rapid response capability is important and may assist firms in mitigating the impact of any such attacks and any related effects on investors and clients.”

Dentons is the world’s largest law firm, a leader on the Acritas Global Elite Brand Index, a BTI Client Service 30 Award winner, and recognized by prominent business and legal publications for its innovations in client service, including founding Nextlaw Labs and the Nextlaw Global Referral Network. Dentons’ global Privacy and Cybersecurity Group operates at the intersection of technology and law, and was recently singled out as one of the law firms best at cybersecurity by corporate counsel, according to BTI Consulting Group.  

SEC Issues Cybersecurity Alert For Brokers And Financial Advisers

NIST Plans To Examine Internet of Things (IoT) For Its Cybersecurity Framework

The National Institute of Standards and Technology (NIST) is holding a Cybersecurity Framework Workshop this week at its headquarters in Gaithersburg, Maryland. The purpose of the workshop is to discuss issues related to its widely used Cybersecurity Framework. Sessions at the workshop are being livestreamed, and are exploring the extraterritorial application of the NIST framework, sector-specific requirements, and uses for small businesses.

One closely watched workshop being held today is entitled “Cyber Meets the Physical World,” and is intended to examine how the NIST framework can be applied to the Internet of Things (IoT) sector:

The diverse use and rapid proliferation of connected devices – typically captured by the “Internet of Things (IoT)” – creates enormous value for industry, consumers, and broader society. At the same time, emerging threats, such as last year’s Mirai DDoS attacks, highlight the critical need to develop and apply guidance to maintain the cybersecurity of devices and the ecosystems into which they are deployed. NIST is seeking feedback on how the Framework may be applied to the IoT, both in terms of the devices themselves, as well as their integration into broader enterprise and network environments. Topics in this breakout may include: existing IoT definitions and taxonomies and their consistency with the Framework; IoT specific threats and constraints; sector-specific considerations for IoT security; and the integration of IoT – specific threats into the Framework model.

NIST’s focus on IoT at its workshop this week comes on the heels of its new draft NIST cybersecurity guidance on securing wireless infusion pumps in the healthcare industry. NIST is accepting public comment on the new draft guidance through July 7, 2017.

NIST’s focus on the IoT sector also comes as the IoT sector is coming under greater regulatory scrutiny in the US. In 2015, the US Federal Trade Commission (FTC) issued guidance encouraging certain best practices in the IoT sector. In January 2017, the FTC brought its first enforcement action against a computer networking equipment manufacturer for failing to undertake what the FTC considers reasonable steps needed to secure wireless routers or IP cameras from “widely known and reasonably foreseeable” risks of unauthorized access by failing to proactively address “well-known and easily preventable security flaws.” And in California, a new bill is being considered by the California legislature (Cal. Senate Bill 327) that would impact the manufacturers and sellers of IoT connected devices by requiring them to:

  • Equip the device with reasonable security features appropriate to the nature of the device and the information it collects, contains or transmits;
  • Design the device to indicate to the consumer when it is collecting information;
  • Obtain consumer consent before the device collects or transmits information;
  • Provide an explicit privacy notification to the consumer about what data is collected by the device; and
  • Directly notifies consumers of security patches and updates intended to make the device more secure on an ongoing basis.

If you or your business is engaged in the IoT space, the Dentons Privacy and Cybersecurity Group can help you navigate the growing regulatory environment and understand and implement the new NIST framework standards, as they are developed and adopted. We will also continue to monitor the NIST / IoT developments and report any further developments coming out of the NIST conference this week.

NIST Plans To Examine Internet of Things (IoT) For Its Cybersecurity Framework

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

On May 11, 2017, the American Bar Association (ABA) issued Formal Opinion 477, making clear that a lawyer may transmit information relating to the representation of a client over the Internet without violating the Model Rules of Professional Conduct so long as the lawyer takes reasonable efforts to prevent inadvertent or unauthorized access to client information. Lawyers may also be required to take special security precautions to protect against the inadvertent or unauthorized disclosure of client information when required by an agreement with the client or by law, or when the nature of the information requires a higher degree of security. This new opinion updates a prior opinion issued by the ABA in 1999 (Formal Opinion 99-413), in which the ABA concluded that attorneys may use the Internet to transmit unencrypted communications relating to a client without running afoul of the Model Rules of Professional Conduct.

According to the ABA, in the “technical landscape of Opinion 99-413,” unencrypted email posed “no greater risk of interception or disclosure than other non-electronic forms of communication.” Although this premise remains true today for routine communication with clients, and the use of unencrypted routine email generally remains an acceptable method of lawyer-client communications, cyber-threats and the proliferation of electronic communications devices have “changed the landscape and it is not always reasonable to rely on the use of unencrypted email.” As an example, the ABA notes that electronic communication through certain mobile applications or on message boards or via unsecured networks may lack the basic expectation of privacy afforded to email communications. Lawyers must therefore, on a case-by-case basis, constantly analyze how they communicate electronically about client matters.

Although the ABA does not provide specific steps for attorneys to take in this regard, it does provide the following considerations as guidance:

Understand the Nature of the Threat

The ABA says that understanding the nature of the threat includes consideration of the sensitivity of the client’s information and whether the client’s matter is a higher risk for cyber intrusion. Client matters involving proprietary information in highly sensitive industries such as industrial designs, mergers and acquisitions or trade secrets, and industries like healthcare, banking, defense or education, may present a higher risk of data theft.

Understand How Client Confidential Information is Transmitted and Where It Is Stored

The ABA says a lawyer should understand how their firm’s electronic communications are created, where client data resides, and what avenues exist to access that information. Every “access point is a potential entry point for a data loss or disclosure.” Every access point, and each device, should therefore be evaluated for security compliance.

Understand and Use Reasonable Electronic Security Measures

Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client. What is “reasonable” will vary depending on the facts of each case. The ABA indicates that making reasonable efforts may include “analysis of security measures applied to both disclosure and access to a law firm’s technology system and transmissions.” A lawyer should also understand and use electronic security measures to safeguard client communications and information, including using secure internet access methods to communicate, access and store client information, using unique complex passwords, changed periodically, implementing firewalls and anti-malware/spyware/antivirus software on all devices, and applying necessary security patches and updates to software when required.

Determine How Electronic Communications About Client Matters Should Be Protected

Different communications require different levels of protection. The ABA recommends that the lawyer and client discuss what levels of security will be necessary for each electronic communication about client matters. For example, if client information is of sufficient sensitivity, the ABA says a lawyer should encrypt the transmission and determine how to do so to sufficiently protect it, and consider the use of password protection for any attachments. Lawyers can also consider the use of well vetted and secure third-party cloud based file storage systems to exchange documents normally attached to emails. Lawyers should also be cautious in communicating with a client if the client uses computers or other devices subject to the access or control of a third party.

Label Client Confidential Information

The ABA recommends lawyers follow the “better practice” of marking privileged and confidential client communications as “privileged and confidential” and using disclaimers in client emails.

Train Lawyers and Nonlawyer Assistants in Technology and Information Security

The ABA recommends lawyers establish policies and procedures, and periodically train employees, subordinates and others assisting in the delivery of legal services, in the use of reasonably secure methods of electronic communications with clients.

Conduct Due Diligence on Vendors Providing Communication Technology:

The ABA recommends lawyers examine a vendor’s reference checks and credentials, security protocols and policies, hiring practices, and the use of confidentiality agreements when determining which vendors to use in supplying communications technologies.

Takeaways

Although most enterprises and firms use some level of protection in their electronic communications, this new opinion highlights the growing focus on cybersecurity across all industries and professions. Encryption is increasingly becoming the industry standard in securing electronic data and communications, and is often the first line of defense when facing a data breach scenario.

New ABA Opinion – Attorneys Must Take Reasonable Cybersecurity Measures To Protect Client Data

HHS Plans To Launch Cybersecurity Center Focused On Medical App Security

The US Department of Health and Human Services (HHS) announced on April 20 that it plans to launch a cybersecurity initiative modeled on the US Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC) that will be aimed at educating healthcare organizations and consumers about the risks of using mobile applications and data. The new center, which will be called the Health Cybersecurity and Communications Integration Center (HCCIC), is intended to be a collaborative effort between public and privacy industry. A similar cybersecurity initiative is being developed by the Centers for Medicare & Medicaid Services (CMS).

Chris Wlaschin, the chief information security officer for HHS, says this type of collaborative center is needed because approximately 50% of US healthcare organizations lack the adequate tools to deter and manage cyber breaches. As mobile health applications become more prevelant, the HHS sees the HCCIC as an opportunity to help developers secure patient data.

The new HHS center represents a continual effort by the federal government to address healthcare app cybersecurity. In December 2016, the FDA released guidance on “Mobile Medical Applications.” The HHS Office of Civil Rights and Federal Trade Commission  have also launched online resources for medical app cybersecurity. And HHS’s Health Care Industry Cybersecurity Task Force recently submitted a draft report to Congress that laid out six “imperatives” for lawmakers and executive branch officials to consider when seeking to secure patient data, including security surrounding applications.

If you or your company is developing, or has implemented a medical app, the Dentons Privacy and Cybersecurity Group can help you navigate this constantly developing federal landscape. We will also provide further updates as the HCCIC becomes operational this summer.

HHS Plans To Launch Cybersecurity Center Focused On Medical App Security

NIST Releases Draft Guidance On Securing Wireless Infusion Pumps In The Healthcare Industry

On May 8, 2017, the National Institute of Standards and Technology (NIST), through its National Cybersecurity Center of Excellence (NCCoE), released a new draft NIST Cybersecurity Practice Guide (SP 1800-8) entitled “Securing Wireless Infusion Pumps in Healthcare Delivery Organizations.” The purpose of the new guidance is to address the security flaws in external infusion pumps in the healthcare industry, and provide engineers and IT professionals a roadmap for how they can securely configure and deploy wireless infusion pumps by using “standards-based commercially available technologies and industry best practices[.]” NIST Cybersecurity Practice Guides (Special Publication Series 1800) target specific cybersecurity challenges in the public and private sector, and are intended to serve as practical, user-friendly guides that facilitate the adoption of standards-based approaches to cybersecurity. They do not describe regulations or mandatory practices. Nor do they carry statutory authority. NIST is accepting public comment on the new draft guidance through July 7, 2017.

Overview Of Draft Guidance

Infusion pumps are defined by the FDA as a medical device that delivers fluid into a patient’s body in a controlled manner. Once standalone instruments that interacted with the patient or medical provider only, infusion pumps are now connected to a variety of systems and networks, contributing to what NIST calls the Internet of Medical Things (IoMT). This new connectivity brings with it benefits and challenges. Although connecting fusion pumps to point-of-care medication systems and electronic health records can improve the healthcare delivery process, it can also create significant cybersecurity risk that could lead to operational or safety risks. Specifically, tampering with the wireless infusion pump ecosystem can expose a healthcare provider to:

  1. Access by malicious actors;
  2. Loss or corruption of enterprise information and patient data and health records;
  3. A breach of protected health information;
  4. Loss or disruption of healthcare services; or
  5. Damage to an organization’s reputation, productivity, and bottom-line revenue.

Key Takeaways From New Draft Guidance

The new guidance is written from a how-to perspective, providing details on how to install, configure and integrate components. It is therefore primarily intended for professionals implementing security solutions within a healthcare organization, such as biomedical, networking and cybersecurity engineers and IT professionals who are responsible for securing and configuring wireless infusion pumps. The new guidance maps out the security characteristics of wireless infusion pump ecosystems to currently available cybersecurity standards and the HIPAA Security Rule, and applies “security controls to the pump’s ecosystem to create a ‘defense-in-depth’ solution for protecting infusion pumps and their surrounding systems against various risk factors.”

NIST claims organizations will, if they adopt the new guidance:

  • Reduce cybersecurity risk, and potentially reduce impact to safety and operational risk, such as the loss of patient information or interference with the standard operation of a medical device;
  • Develop and execute a defense-in-depth strategy that protects the enterprise with layers of security to avoid a single point of failure and provides strong support for availability; and
  • Implement current cybersecurity standards and best practices, while maintaining the performance and usability of wireless infusion pumps.

A copy of the draft guidance is here. If you or your business are interested in submitting public comments in response to the new draft guidance, the Dentons Privacy and Cybersecurity Group can help. We are also prepared to assist your organization in navigating the new draft guidance and securing your networked devices against the constantly evolving threat landscape.

 

NIST Releases Draft Guidance On Securing Wireless Infusion Pumps In The Healthcare Industry