Last month, the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (“OCIE”) formally announced its cybersecurity initiative in a Risk Alert. The initiative followed up on OCIE’s announced prioritization of cybersecurity preparedness as part of its 2014 Examination Priorities. The initiative is also timely because the general public is becoming more conscious of cybersecurity risks and their dangers as they learn of major breaches at Target Corp., Neiman Marcus, Michaels Stores Inc., and other companies. The security of personal information is even more important at financial services companies, which often hold a large amount of sensitive personal information about their customers.
The OCIE’s approach is refreshingly proactive: “OCIE’s cybersecurity initiative is designed to assess cybersecurity preparedness in the securities industry and to obtain information about the industry’s recent experiences with certain types of cyber threats.” Further, the areas of cybersecurity assessment are quite broad and they cover “the entity’s cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.”
Importantly, the OCIE examination is detailed and specific about ensuring the adequacy and efficacy of cybersecurity measures. For example, the list of questions regarding identification of cybersecurity risks requires exact dates and times and is prefaced with “please provide the month and year in which the noted action was last taken; the frequency with which such practices are conducted; the group with responsibility for conducting the practice…”.
Further, the OCIE examination questions require naming the person(s) conducting the cybersecurity measures and when those measures were last checked or implemented. For example, the questions on identification of risks/cybersecurity governance include:
- Who (business group/title) conducts periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences, and in what month and year was the most recent assessment completed?
- Please describe any findings from the most recent risk assessment that were deemed to be potentially moderate or high risk and have not yet been fully remediated.
Similarly, the questions regarding a written cybersecurity incident response policy seek a copy of the policy, the year it was most recently updated, whether there are tests to assess the policy, who conducts the tests, and when and by whom the last test was conducted. Likewise, the questions on event detection processes seek the month and year of the most recent test.
The examination questions also seek a summary of any actual cybersecurity incidents, the services affected, the nature of the breach, the availability of services during the breach, and a number of other questions about each cybersecurity incident. Notably, although the examination requires companies to provide a large amount of information, the SEC explicitly issued a disclaimer that the “factors are not exhaustive, nor will they constitute a safe harbor.”
Nonetheless, it is good to see the SEC take a proactive approach to the cybersecurity risks posed to financial institutions. Hopefully, this will flow down to other companies because cybersecurity is a hot-button topic that is very concerning to customers and unlikely to be fully resolved soon. With cooperation between government agencies and the private industry, we can be hopeful that cybersecurity risks can be mitigated. As SEC Chair White has noted, there is a “compelling need for stronger partnerships between the government and private sector” to address cybersecurity threats.
Last month, federal prosecutors in Nevada filed a motion to dismiss an indictment that shined a bright light on overly broad federal criminal statutes and the abuse of prosecutorial discretion in using them.
John Kane and Andre Nestor were each charged in an indictment in January 2011 with one count of conspiracy to commit wire fraud and one count of computer fraud in violation of the Computer Fraud and Abuse Act (CFAA), the same law that was used to prosecute Internet activist Aaron Swartz and Andrew Auernheimer.
The indictment alleged that Kane and Nestor used an exploit on video poker machines to defraud casinos and win money that they were not entitled to, which “exceeded their authorized access” on the machines in violation of the CFAA. Kane, who reportedly spent a great deal of time playing video poker, discovered a bug in the software of the video poker machine that allowed him, and later his co-defendant Nestor, to achieve large payouts on certain slot machines through a series of moves in which he switched games and made bets at different levels. There is absolutely nothing illegal about pressing buttons on slot machines to change the amount of money you are betting or to switch the game you are playing, but the prosecution alleged that doing this exceeded lawful access. The court agreed with the defendants and ruled in favor of their motion to dismiss the CFAA count in the indictment.
The CFAA was enacted in 1986 to protect computers in which there was a compelling federal interest, such as computers owned by the federal government and certain financial institutions. The CFAA has been amended numerous times since it was enacted to cover a broader range of computer-related activities, and there has been recent discussion on Capitol Hill of amending it further. The CFAA prohibits accessing a computer without proper authorization or using it in a manner that exceeds the scope of authorized access. The law has faced steep criticism for being overly broad and allowing prosecutors wide discretion, since it lets them charge individuals who have merely violated a website’s terms of service.
In November, after filing nine stipulations to continue the trial date, the government filed a motion to dismiss the remaining conspiracy to commit wire fraud charges against both Kane and Nestor because “the government has evaluated the evidence and circumstances surrounding count one [wire fraud conspiracy] and determined that in the interest of justice it should not go forward with the case under the present circumstances.”
Although the charges were ultimately dismissed, the issue remains that these charges never should have been brought in the first place. Kane and Nestor had to deal with open criminal charges against them for nearly three years. There are proper uses for statutes such as the CFAA, but the people and the courts should demand that the government use them only for their intended purposes. Prosecutions that rest on broad and unjustified interpretations of these statutes cannot be justified.