Cyber attack response - What do you do?

A client database has been hacked – and personal details of individuals stolen. It’s every company’s nightmare, and now it’s happened. What steps should the firm take? And who needs to be notified?

In today’s world of cyber risk, a successful attack on a financial services firm’s systems is not a matter of “if”, but rather of “when”. While it makes sense to invest in the best cyberattack deterrence technology, and to put in place preventative policies and procedures, bad things can still happen to good cybersecurity programs. And when they do, it’s the firm’s reputation that is on the line.  

Firms need to have a plan of action ready to implement if they are hacked and data is stolen. Like a business continuity strategy, such a plan will help guide individuals as to the actions they should be taking – to limit further damage to systems, to mitigate reputational risk, and to ensure compliance with a growing number of regulatory requirements.

A key part of any plan must be managing the notification requirements. Firms usually will need to notify a regulator or other government body that they have been hacked. Sometimes there is also a requirement to notify impacted clients too – but if there isn’t, it is usually best practice to make them aware in any case. Failure to report a cyber breach to either a government body or to clients – if the breach comes to light later – can have a serious negative impact on a firm’s reputation. The internet is littered with companies that delayed reporting and have encountered supervisory censure as well as negative headlines and client lawsuits – Equifax is a recent example.

Many jurisdictions are putting formal notification requirements in place. For example, New York State’s March 2017 regulations now require financial services firms to notify the regulator within 72 hours of a breach taking place, and other US states are putting in place similar requirements. The US Securities and Exchange Commission (SEC) published some observations from its cybersecurity examinations in August, which noted that firms need to have robust reporting frameworks.

In the EU and the UK, the General Data Protection Regulation (GDPR) will require firms to notify the correct regulator within 72 hours of a breach, and impacted individuals “without undue delay”. Failure to meet these notification requirements can result in a significant fine of up to 10 million Euros or 2% of global turnover.

There are good reasons why governments are asking firms to make a formal notification of a cyber breach. First, they are recognizing the need for more action on their part to combat hacking. Registration of incidents helps governments to understand the nature of the problem. Secondly, in some jurisdictions this information is shared in some way with other financial services firms – helping all firms to collaborate to prevent successful cyberattacks.

Thirdly, regulators are beginning to use this cyber breach reporting data in their pre-examination analysis. Supervisors can see which firms are having incidents and what kind of incidents they are having – perhaps to formulate good questions for discussion with the firm during the visit. On the flip side, they can also see who is reporting below-normal levels of incidents. If the firm has some form of cybersecurity best practice, then that is of interest. However, if the firm is simply not reporting cyber breaches, then more difficult questions will be asked.

As a result of these new breach reporting regulatory requirements and client expectations, firms are advised to develop specific policies and procedures for when an incident occurs. This should include identifying what their breach reporting requirements are, developing reporting templates, and actually testing this part of the incident response plan. Specific elements of the communications plan could contain when and how to:

  • Notify investors 
  • Bring in the legal team 
  • Call law enforcement 
  • Report to the regulator where there is a requirement, or decide when to contact the regulator where there is none
  • Communicate to employees 
  • Disclose to clients 

Best practice firms conduct table-top exercises using several different scenarios, such as ransomware or an insider attack. If the firm outsources significant portions of its IT infrastructure, it’s important to conduct these exercises in partnership with the IT supplier. If the firm engages with third parties for other types of activities, and those activities involve use of client data, the firm should perform these table-top exercises with those vendors – and ensure each vendor is aware of all reporting obligations the firm has to regulators.

If a firm is genuinely not subject to any cyber breach reporting requirements, it should nonetheless put a framework in place to document each incident and note why no reporting is required. This will help support the firm’s engagement with regulators in the future.

In short, it’s important for firms to understand the notification requirements that impact them, as well as how they wish to engage with clients – and to then formulate an incident response plan. For financial services firms, reputation and trust are of high importance, and so ensuring a solid approach can make a real difference to how well a firm weathers a cyberattack. 

FA: Is Your Firm Cyber Secure?

Last year, the SEC fined Morgan Stanley $1 million for failure to protect information in 730,000 client accounts, which were first stolen by an employee and transferred to a personal server and then hacked and offered for sale online. The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines light on what the SEC expects from firms when it comes to their internal web applications and portals that give employees access to customers’ confidential account information.

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques.

Examiners are also looking at employee training and vendor relationships, Rubin said, adding that firms should have policies that show they’re actively training their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity. Firms are also responsible for knowing what kind of cybersecurity system their vendors have.

State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors—in the first year state regulators reported on cybersecurity incidents.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to frequently assess these requirements.

To minimize threats posed by data breaches, NASAA recommends that firms routinely back up devices and store the underlying data in a separate, remote location. They should also regularly test backup procedures to ensure their suitability. Similarly, firms should consider whether e-mail communications should be sent securely, especially where they involve identifiable information regarding a client.

Wealth Management: The Cybersecurity Problem Requires Human Solutions

Despite headlines all month showing the scope of compromised personal information in attacks on Equifax, Yahoo and the SEC, many advisors still aren’t taking cybersecurity seriously.

An examination of more than 1,200 investment advisors by the North American Securities Administrators Association uncovered 698 deficiencies, including no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant and a lack of procedures regarding hardware and software updates or upgrades.

Frank Quinlan, a counsel to law firm Newmeyer & Dillion who has a background in cybersecurity with the U.S. military, says that because of the amount and type of client information advisors hold, not to mention money and other assets, advisors have to understand that attacks are coming and they are targets, no matter how big or small their firms. Quinlan says advisors absolutely must spend some time understanding information security principles to protect themselves and clients.

He recommends advisors get the NASAA’s “Cybersecurity Checklist for Investment Advisors,” which Quinlan says is written to be easily understandable by advisors and will especially help independent RIAs and small firms get up to snuff. But for those worried about these headline-grabbing attacks and what they can do immediately to improve security, Quinlan recommends three key steps.

The first is to read through the National Institute of Standards and Technology’s guide on the fundamentals of small business information security to have a baseline understanding of the terms and concepts. “[It is] your operational manual for securing a small business,” Quinlan said.

SEC’s Most Recent Cybersecurity Move: What Registered Investment Advisors Need to Know

Friday, October 27, 2017

In a recent Risk Alert, the SEC stressed that its proposed measures were suggestions and not requirements at this point, although RIAs should be proactive and prepare for the possibility that new regulations could be on the way. 

The Office of Compliance Inspections and Examinations (OCIE) of the SEC recently released a Risk Alert that detailed its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the United States. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ procedures and controls related to cybersecurity. 

Common Weaknesses

The SEC found two overarching themes. First, it found that firms were better prepared during this examination than during the 2014 Cybersecurity Initiative exams. Second, the staff found that investment adviser firms tended to be less prepared than broker-dealers in some areas examined, such as penetration testing and data breach notification.

The staff noted three main areas of weakness across firms:

Cybersecurity policies too general or vague to be useful to the firm’s employees. Investment adviser firms should develop procedures that give specific, not merely general, guidance. To maximize employee comprehension and adherence, an investment adviser firm’s policies and procedures should include concrete examples and specific procedures tailored to the firm’s practices.

Failure to enforce or to tailor cybersecurity policies to the firm’s needs. This risk is not limited to an investment adviser firm’s cybersecurity practices; a firm without cybersecurity policies and procedures adequately tailored to its needs may also have similar deficiencies throughout its compliance program.

Inadequate maintenance of information technology systems. Some examinees were found to be using outdated operating systems or other software that was no longer supported with security updates by the manufacturer. Running software without security updates leaves an investment adviser vulnerable to otherwise avoidable cybersecurity losses. Furthermore, the staff found situations in which some examinees had identified vulnerabilities during cybersecurity testing but failed to take action to remediate their findings.

SEC Guidance

The SEC staff highlighted three main actions that an RIA firm could take to help address information technology security issues:

  • Conduct a periodic information technology security risk assessment.
  • Create and test a strategy designed to “prevent, detect and respond to cybersecurity threats.”
  • Implement the strategy by creating written policies and procedures and training internal staff and possibly clients.

The staff further suggested that assessing information technology security risks should be a critical part of a firm’s annual compliance risk assessment. The logic of the argument is that it’s hard to successfully design a cybersecurity strategy without first taking a step back and identifying the key threats and vulnerabilities that are unique to a particular advisory firm.

When crafting an information technology security strategy, the staff noted that some of the key focus areas of that strategy may include:

  1. Access control to systems and sensitive data
  2. Encryption
  3. Restricting the use of removable storage media
  4. Having the ability to monitor network activity for unauthorized intrusions
  5. Data backup and retrieval
  6. Creation of an incident response and business continuity plan

Going Forward

Even though the SEC has not issued any regulations, it is clear that cybersecurity will remain a priority. It should be for RIA firms, too. The North American Securities Administrators Association is mulling a model cybersecurity rule for investment advisors and is currently developing cyber guidance and a “checklist” for small advisory firms to use to assess their cyber preparedness.

Firms can also incorporate the elements present in the policies and procedures of firms the SEC determined had the most robust cybersecurity programs. These include:

  • Keeping a detailed inventory of data, information and vendors
  • Giving specific instructions in the policies and procedures, including examples where helpful
  • Regularly testing technology systems and implementing cautious but timely security patch deployment to all machines
  • Establishing and enforcing controls for access to firm data or systems, such as acceptable use policies, mobile device management, vendor activity logs detailing use of the firm’s system and immediate elimination of system access for terminated employees
  • Mandatory employee training, both upon hire and periodically throughout the year
  • Active engagement by senior management

Scams to Look Out for After the Equifax Breach

It’s been a little over a month since news of the Equifax breach first broke, and the incident is turning out to be quite the gift to fraudsters. From gaffes made by Equifax and other credit bureaus to the fact that the data breach was more extensive than initially thought, everything surrounding this incident has made it difficult for victims to quickly and thoroughly secure their information. While a credit freeze will protect your credit reports, it will not protect you from the other side effect of data breaches — scams. As time goes on, consumers should prepare themselves for the onslaught of opportunists who will use any leaked information and the circumstances surrounding the Equifax breach to their advantage. Keep reading below as we detail the types of scams you should be watching out for in the near future.

How exactly does the Equifax breach benefit scammers?

Unfortunately for consumers, this breach will likely prove to be the gift that keeps on giving to identity thieves. That’s because this breach not only provides criminals with lots of personal information — most of which is probably now available on the dark web — but it also provides the perfect context for making fake phone calls and phishing emails. Essentially, scammers now have two solid choices for perpetuating schemes: they can either steal your information if it was captured in the breach, or they can use the details surrounding the incident to convincingly pull off social engineering scams. For example, scammers could pretend to be someone from Equifax who’s offering some form of assistance navigating the personal and financial fallout of the breach. How scammers target you will depend on what they want, but you should be prepared for any potential scam, given the size and scope of the Equifax breach.

What types of scams should I look out for?

Given that every week we seem to learn something new about the breach, the possibilities are potentially endless with regard to what exactly scammers might try to pull off. That said, based off of what we currently know, here are some of the more likely scams you can expect in the coming months and perhaps even years:

Scams offering assistance in dealing with the breach

The FTC and other organizations have already begun reporting on an emerging scam which involves fraudsters calling up consumers under the guise of being Equifax representatives. In the most common version of the scam, fraudsters ask for their victims to “verify” account information with their full name, social security number, home address, date of birth, etc. This type of scam has also expanded to phishing emails, though it could conceivably even spread to snail mail. It’s also possible that scammers could pose as attorneys and credit repair services to offer you legal and financial assistance.

To protect yourself from these threats, you should under no circumstances provide personal information to someone who contacts you and claims they’re offering any sort of assistance, as they are likely scammers. If you’ve personally vetted the owner of the phone number or email address and can confirm they’re legitimate, you can provide the information. For example, providing your credit card number over the phone to Experian (through the phone number listed on its site) is not the same as giving your credit card details to someone calling from a random number claiming that they’re affiliated with Experian. In the first scenario, you’ve done the work needed to verify the identity of the party on the other end of the phone, so if your credit card is misused, you have some form of recourse. Essentially, there is no reason for you to respond to unsolicited messages or calls that purportedly come from organizations you may or may not be familiar with. If you feel compelled to respond, do not reply to the email or over the phone; instead, go to the service’s website (do not click on any links in emails or text messages) and contact them directly to get more information. The odds of a company or credit bureau legitimately reaching out to you randomly over the phone or via email without first notifying you are fairly low, especially now that we live in an era where organizations and businesses know these types of scams are common.

Scams promising compensation (especially from Equifax)

Someday down the line you might get a call (or email) from an Equifax representative or attorney who informs you that you’re entitled to compensation as a result of the breach. Should you believe them? Probably not. Although it sounds cynical, most experts suspect that Equifax won’t face punishment for the breach. This means there’s no reason to expect Equifax to offer any compensation beyond what it has already offered in the form of free identity monitoring and a temporary fee waiver for credit freezes.

One of the few exceptions might perhaps come in the form of a successful class-action lawsuit. Although the possibility of such a lawsuit isn’t off the table, even then, you shouldn’t expect to be contacted out of the blue for a payout (assuming there is one), and if you are, follow our tips at the bottom of this post to confirm the legitimacy. Generally, you should take anyone claiming that you can receive compensation for this breach with the finest grain of salt possible, especially if they’re asking for your personal information over the phone or through a link in an email.

Scams involving your lender/creditor

With the information taken in the Equifax breach and previous breaches, it might be possible for scammers to learn of the companies and lenders you have open accounts or relationships with. From there, they can pretend to be a representative from one of these companies in an attempt to gather your personal information either over the phone or through email. As with the other scams, if you receive unsolicited contact from your creditor or lender asking for personal information, do not click on any links or provide any information. Instead, contact the creditor or lender directly using the legitimate phone number or website to avoid being phished or scammed.

IRS and tax scams

The big worry for many is that the treasure trove of information contained in the Equifax breach will inevitably lead to tax identity theft for years to come. While there will likely be many different types of scams deployed by fraudsters and hackers, you should predominantly be on the lookout for scam calls or emails from “the IRS.” Remember that the IRS itself won’t contact you by phone or email, though debt collectors may call on behalf of the IRS for back-owed taxes. In addition, you should aim to file your taxes as early as possible to prevent someone from claiming your tax refund (or a phony refund) on your behalf.

Keep in mind, this list of scams is not exhaustive, as hackers and other types of fraudsters might choose to go after the information that’s already available to sell it or to acquire credit or government benefits in your name. For more information about scams and how to protect yourself from them, read our scams blog. And to keep an eye on the latest details regarding Equifax, follow our Equifax breach blog.

Tune up your firm’s cybersecurity training program

There may have been a time when an annual employee training program on cybersecurity was enough to satisfy regulators that an advisory firm was taking the threats of hackers and other malicious actors seriously.

No longer.

The Securities and Exchange Commission has made no secret that it expects more from firms in the area of cybersecurity, identifying the issue in its recent exam priorities letters, conducting sweep exams focused on firms' cyber policies and procedures, and, most recently, announcing the establishment of a dedicated cyber unit.

TD Ameritrade recently launched a campaign to promote the message to its registered investment advisers that a strong, dynamic cybersecurity training program is an essential element of a modern practice. A key part of that effort is the notion that employee training must be ongoing, that policies to protect the firm's systems and information aren't just a set-it-and-forget-it proposition.

Cybersecurity: How to satisfy regulators

NASAA Checklist

State securities regulators could put forward this year a model rule on cybersecurity, Joe Borg, Alabama securities director and president of the North American Securities Administrators Association, said in a recent interview.

If so, elements of the regulation may be drawn from NASAA’s cybersecurity checklist for investment advisers. Here are a few of the 89 items on the roster and what they might look like as provisions of a cyber rule.

SEC and States Are Upping Their Cyber Game, Are You Doing the Same?

September 2017 saw no respite from the relentless pace of cyber developments, not only from the perspective of rapidly evolving attacks, but also from the perspective of dynamic federal and state regulatory moves. First, on September 25, 2017, the Securities and Exchange Commission (SEC) announced a new enforcement initiative to address growing cyber-based threats and protect retail investors. [1] The initiative established a Cyber Unit to target misconduct, a move that could place further pressure on broker-dealers and investment advisers already feeling the heat from an uptick in cyber-related exams and the relentless onslaught of cyber intrusion attempts. Second, a day earlier, the North American Securities Administrators Association (NASAA) announced that state securities examiners conducted over 1,200 coordinated examinations of state-registered investment advisers between January and June 2017, finding 698 cybersecurity-related deficiencies. [2]

Given the advancing threats and the increasing regulatory scrutiny, broker-dealers and investment advisers should consider acting with increased urgency to further prepare themselves, focusing in particular on having written cyber policies that are regularly updated to account for the latest threats. The severity and frequency of attacks are only growing, while the tolerance among regulators for failing to take sufficient preventive steps is only diminishing. Against both attackers and regulators, the best offense truly is a good defense, and regulators are strongly indicating that it is not enough to simply have a defense; but rather, that defense must also evolve to keep pace with the rapidly evolving offense. 


What the Cyber Unit Will Do

With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well. 

The unit will function as part of the SEC’s Enforcement Division to target misconduct along six cyber-related priority areas:

  • Market manipulation schemes involving false information spread through electronic and social media;
  • Hacking to obtain material nonpublic information;
  • Violations involving distributed ledger technology and initial coin offerings;
  • Misconduct perpetrated using the dark web;
  • Intrusions into retail brokerage accounts; and 
  • Cyber-related threats to trading platforms and other critical market infrastructure.

By examining each of these areas in depth, this Alert tries to discern the SEC’s key concerns and suggests issues that firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action. 

Market Manipulation Schemes

With the spread and growing influence of “fake news” to manipulate political outcomes (and with further proof of intentional nation-state involvement in spreading such false stories), [3] it is no surprise that the SEC is concerned about the use of targeted misinformation via social media to manipulate market outcomes.

The SEC will likely be on the lookout for companies hoping to turn an illicit profit by creating or spreading known misinformation via the internet. The SEC could bring fraud cases against those who disseminate false information to manipulate the market, and aiding and abetting cases against those who negligently spread the false information. In fact, the SEC has already started. In 2015, the SEC filed securities fraud charges against a Scottish trader whose false tweets caused sharp drops in the stock prices of two companies and triggered a trading halt in one of them. [4]

In light of the growing prevalence of intentionally fake stories, it may be prudent for firms to have proactive policies in place that not only explicitly prohibit the dissemination of knowingly false information, but that also require some form of verification before sharing certain market-related news with clients and prospective clients. 

Hacking to Obtain Material Nonpublic Information

The SEC’s new enforcement unit will be on the lookout for hackers that infiltrate broker-dealers and investment advisors to trade on nonpublic information or try to manipulate the market, something from which even the SEC is not immune. [5] While firms are victims of a cyberattack, the SEC may nonetheless bring “strict liability” enforcement actions against them if they had deficient proactive policies or procedures in place. While not a market manipulation case per se, in September 2015 the SEC brought an enforcement action against an investment adviser that had been breached, compromising the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients (although there was no evidence that any of the information was used). [6] The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of 100,000 individuals’ personally identifiable information. The “Safeguards Rule” in Rule 30(a) of Regulation S-P requires financial institutions to put certain policies and procedures in place to ensure the confidentiality of their clients’ information. [7] Similarly, in April 2016, the SEC brought an action against a dually registered broker-dealer/investment adviser that had an employee impermissibly access and transfer data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties. [8] The SEC alleged that the firm failed to adopt written policies and procedures reasonably designed to ensure the security of customer records and information.

Accordingly, to try to avoid future enforcement actions, broker-dealers and investment advisors may want to focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year.

Violations Involving Distributed Ledger Technology and Initial Coin Offerings

The SEC is signaling that it will not allow distributed ledger technology (DLT) or cryptocurrency to be used in a way that evades regulations, results in market manipulation, or is used to perpetrate frauds on investors. Unlike China, which has outright banned cryptocurrency—a move that has furthered a black market of cryptocurrency trading [9]—the SEC is indicating more of a desire to focus on regulating it.

On September 29, for example, the SEC brought its first enforcement action involving two Initial Coin Offerings (ICOs) for “defrauding investors” by selling these “unregistered securities” purportedly backed by investments in real estate and diamonds. [10]

At this juncture, however, it remains unclear whether the SEC will mandate that all or some ICOs be registered as securities.

Misconduct Perpetrated Using the Dark Web

As part of its effort to keep up with the rapidly evolving techniques used in insider trading and market manipulation, the SEC is now putting potential bad actors on notice that it will be shining a light on the so-called dark web, where bad actors have traditionally gone to anonymously buy and sell improperly obtained information and tools to conduct nefarious cyber activity. Therefore, if firms are not periodically—either themselves or through third parties—monitoring the dark web for stolen firm information that could impact their business or clients, it is possible that the SEC may focus on that failure.

Intrusions Into Retail Brokerage Accounts

The SEC is also calling out the practice of hacking retail brokerage accounts to manipulate markets. By making certain trades, the hacker can try to inflate the prices of holdings that he or she possesses or decrease prices to facilitate successful short selling. In 2016, the SEC charged a man from the UK with breaking into numerous accounts and placing unauthorized trades, ultimately leading to profits within minutes of trading the same stocks within his own account.11 While the broker-dealer was not charged in that case, it is possible that in future cases, the SEC could charge the firm for allowing the hack to take place. 

In another case, a dually registered broker-dealer/investment adviser had experienced a series of computer system security breaches in which an unauthorized person or persons had accessed and traded, or attempted to trade, customer accounts.12 The SEC alleged that the firm had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by Regulation S-P. Thus, broker-dealers and investment advisers may want to consider assessing what the scope of their data is and adopt procedures to attempt to prevent intrusions, and to respond to an intrusion if one takes place.

Massive spike in deficiencies at smaller RIAs

SEATTLE — Deficiencies found by regulators during their examinations of state-registered RIAs jumped nearly 60% to 7,907 in the first half of the year, and agencies are signaling plans to make advisors accountable for shortcomings in cybersecurity, officials say.

While recordkeeping is the most frequently cited concern among RIAs with $100 million in assets under management or less, the new category of cybersecurity helped drive the growth in deficiencies, according to a survey released this week by the North American Securities Administrators Association.

State securities regulators examined 25 compliance areas, up from 22 in the last study by NASAA in 2015. State-registered RIAs that year showed only 4,983 deficiencies over six months. Regulators at the state level echoed SEC officials’ warnings about cybersecurity and their bulked-up exam capacity.

“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” NASAA Investment Adviser Section chairwoman Andrea Seidt said in a statement released at the group’s conference.

SEC Sharpens Cybersecurity, Boosts RIA Exams

The SEC has sharpened its focus on cybersecurity in recent days, with its chairman Jay Clayton releasing a statement identifying it as a priority and announcing the creation of a cyber unit that will focus on targeting cyber-related misconduct. Additionally, the watchdog will also focus on the fiduciary rule and boost its RIA examination capacity, Clayton has told lawmakers.

Top 10 companies that phishing attackers impersonated in the first six months of 2017

Phishing attacks are on the rise, and show no signs of slowing down: Nearly 1.4 million new, unique phishing sites are created each month, according to the Webroot Quarterly Threat Trends Report, released Thursday. In May, this figure reached a high of 2.3 million sites created, the report found.

Today's phishing attacks are highly targeted, sophisticated, and difficult to detect, making them increasingly hard to avoid. The phishing sites being built each day appear to be realistic, and are almost impossible to find using web crawlers, the report stated. And instead of randomly targeting large groups of people, hackers now use social engineering to individualize attacks.

Here are the top 10 companies that phishing attackers impersonated in the first six months of 2017:

1. Google (35%)

2. Chase (15%)

3. Dropbox (13%)

4. PayPal (10%)

5. Facebook (7%)

6. Apple (6%)

7. Yahoo (4%)

8. Wells Fargo (4%)

9. Citi (3%)

10. Adobe (3%)

Users should be wary if they receive an email that appears to be from any of these sources that asks them to click on a link or download a file.

Cybersecurity Must Be C-Suite Concern at RIAs, Brokers and Managers

Recently, the Securities and Exchange Commission (SEC) issued a risk alert urging broker/dealers, registered investment advisers (RIAs) and investment fund companies to take direct steps to improve their cybersecurity policies and practices.

According to Marlon Paz, partner at Seward & Kissel LLP and former compliance staffer at the SEC, this risk alert was a long time coming, and the themes it presents actually occupied much of his own work at the regulator from 2004 to 2010. The big upshot of the risk alert is that, following case study reviews of some 75 investment management firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) feels that most broker/dealers, investment advisers and funds have at least one potentially serious cybersecurity issue to be addressed—likely more. 

“This is a very well written and informative risk alert,” Paz says, encouraging all investment industry practitioners to read it carefully. “The SEC has made it clear that they will continue to examine and test for cybersecurity compliance procedures and controls, and will not shy away from potential enforcement actions for those who are not compliant.”

Given his former time at the SEC, Paz offered up some inside baseball analysis of what the SEC is signaling in the text and between the lines of its risk alert publications. 

“One of the clearest messages I am getting is that the SEC is actually fairly pleased that more and more firms are drafting and adopting well-crafted policies and procedures in this area,” Paz says. “However the SEC also is warning that there is clear evidence that the policies and procedures are not always being followed as closely as the regulator would like. Protecting client information and assets is becoming a major focus for SEC examinations. That is the message.”

Paz reminds readers that there are very specific and exacting requirements to be followed in this area, enforced under various statutes and the Employee Retirement Income Security Act (ERISA).

The “SEC has put the industry on notice and offered specific guidance with this risk alert, so we should all expect the next round of examinations and enforcement actions to use the requirements here laid out as a baseline for future compliance,” Paz says. “In other words, there really is not any more time to wait to improve your practices, because the SEC is seemingly done with having leniency in this area. Here is the SEC telling us in clear terms what they expect, so we should listen.”

8 things to give your clients after Equifax's data breach

From Dave Sather, Sather Financial.

Last week, we were informed 143 million Americans had key identifying information stolen through credit reporting company Equifax.

Equifax responded by saying they will offer a one-year "credit monitoring" service and then tried to upsell their premium service. Since they are the ones responsible for the breach in the first place, this does not reassure.

Furthermore, one year of monitoring is completely random. Suppose thieves only want my information for the next year and then will promise to never use it again? Ridiculous.

Given this, what to do?

1. Religiously read and scrutinize your bank and credit card statements every month. If you see something that does not look right, contact the institution immediately. They will generally suspend the payment of the suspicious transaction pending a more thorough investigation. If you have moved to all-online access (no monthly hard-copy statement), make sure you are thorough in reviewing transactions on a regular basis. 

2. Use credit cards instead of debit cards. If someone has hacked into your world, a credit card offers a grace period in which you can review your statement before payment is due. However, if someone hacks into the debit card, the burden falls more on your shoulders. If you have payments auto-drafting from your bank account, this can easily send you into a cascading problem of overdrafts. If this happens, it is a pain to fix. 

3. Once you have determined a fraud has occurred, put an alert in your credit report and send a copy of the ID theft report ( to all the credit reporting companies. Although this may sound like closing the barn door after the horses are out, you want proper documentation that you have reported this and are working with the authorities. 

4. Monitor credit reports closely. Not only can these reports have errors that can hinder your ability to get credit, but it's a good habit to be in to see what accounts have been opened in your name. This service is available for free on an annual basis by going to: 

5. Evaluate a credit freeze. This offers the most serious level of protection, in our opinion. It literally freezes the ability for anyone, including you, to open new credit of any kind in your name or Social Security number. Although it works very well, it can also be a bit of a burden to undo. Allow yourself at least a week to lift a credit freeze once you have submitted the necessary information. This is important to consider if you plan on financing a new car or applying for a mortgage. 

It is also important to understand that a credit freeze does not stop someone from accessing an existing credit card and using it. As such, a second reminder to review your credit and debit statements religiously!

6. Contact the police and Federal Trade Commission. Although cybercrime may not involve a gun and masked robber, it is still a crime. To get needed protection, contact the local police and the FTC to obtain their official reports. These reports must go in your credit files. Not only does this help law enforcement track and catch criminals, but it is necessary for your protection, too.

7. Change passwords and be careful of where you access Wi-Fi. If there has been a breach, determine what accounts are affected. Immediately change those passwords. Furthermore, reduce vulnerability to someone stealing passwords by not using public Wi-Fi. Public Wi-Fi allows keystrokes to be more easily monitored, allowing information to be stolen. 

8. Contact the Social Security fraud hotline ( In some cases, we have seen clients who have had their Social Security numbers used for fraudulent purposes. Depending on the level of severity, they had not only to prove their innocence but then to apply for a new Social Security number.

We have only seen the tip of the iceberg relative to the Equifax debacle. As such, be proactive and remain vigilant to prevent being a victim.

Disco, Sex And The Cybersecurity Nightmare


Remember “Disco Inferno” and “The Hustle” and the “anything goes” promiscuous lifestyle of the late ’70s? All of that did not end very well, as the world learned that all behaviors are accompanied by their own set of—potentially very bad—consequences.

This good general rule of life somehow was forgotten in the Internet Age. Suddenly, we were in a “New Economy.” Everyone was going to be connected and share information—an electronic “anything goes” era in which convenience and access were far more important than safety. If you think about it, there are probably more than a few eerie parallels between the way people have approached using the internet over the last 25 years and how they thought about sex in the late ’70s.

But the recent WannaCry ransomware attack (which briefly shut down millions of computers around the world), along with the hacking of political campaigns, government agencies and Fortune 500 companies, is probably only a sniffle compared with what is to come. Someday, hackers will release an unstoppable computer virus or malware. And the only real protection will be responsible behavior.

Internet theft is now a very big business—in many cases, it’s done by government-funded and operated businesses. The stereotypical hacker is no longer an overweight, personality-challenged geek living in his mother’s basement. In fact, hackers, virus makers and other cyberterrorists in countries such as China and Russia openly work in large office buildings as part of organizations designed to steal money or spread mayhem.

Unfortunately—and this is particularly surprising to anyone who follows this industry—very few wealth managers seem to recognize the magnitude of this threat to their livelihoods. Their firms are particularly attractive targets for bad guys because their clients’ non-public personal information (Social Security numbers, account info, etc.) is regularly sold in aftermarkets (known as “darknets”) to organizations that use it to loot bank and brokerage accounts, steal credit cards and tax refunds.

Typical wealth management firm clients have substantial amounts of liquid assets and robust credit, so their data can be sold for a high price—in fact, on the dark web they are referred to as “whales.”

The wealth management landscape is littered with firms—including some of its largest and most sophisticated—that have already been hit. The CEO of one multibillion-dollar firm recently clicked on a link in an e-mail and all of his clients’ e-mail addresses were exported. Another big firm discovered that hackers seeking client information were sending e-mails appearing to be from people inside the firm.

Financial Firms’ Worst Mistakes With Cybersecurity

Law360, New York (August 21, 2017, 10:55 PM EDT) -- Although the U.S. Securities and Exchange Commission said earlier this month that broker-dealers, investment advisers and funds have improved their “cybersecurity preparedness” in recent years, it found a majority of firms still had issues.

The findings came in an Aug. 7 risk alert released by the SEC’s National Exam Program detailing observations from its exams of registered firms, and were mirrored in survey results released last week by Cipperman Compliance Services.

Cipperman found that 57 percent of surveyed alternative managers — a category that includes hedge fund and private equity fund managers — felt their cybersecurity policies didn’t meet regulatory requirements.

While broker-dealers were more certain their policies passed muster, they were less sure about their programs overall, with 64 percent saying they weren’t confident in their respective firms’ cybersecurity.

John Araneo, managing director and general counsel of Align Cybersecurity, said he’s seen many investment advisers and broker-dealers who wait to “jump into the cybersecurity pool” out of fear they’ll immediately find deficiencies.

“When you approach cybersecurity, there’s an apprehension that, ‘I almost don’t want to open the door because I don’t want to see what’s in the closet,’” Araneo said. “That’s very shortsighted, and it’s only going to get you into trouble.”

Seward & Kissel LLP partner Marlon Q. Paz, who previously served in the SEC’s Division of Trading and Markets, said financial firms face particular risks that make cybersecurity especially important. While data breaches or incidents in other sectors like retail can lead to financial losses if customers’ credit card information is stolen, hackers that breach a broker-dealer or investment adviser get direct access to client assets, he said.

“The issue of safeguarding and protecting other people’s money is paramount,” Paz said. “That’s not the same in other industries.”

With that in mind, here are some of the biggest mistakes firms in the financial industry make with cybersecurity.

Their Systems Aren’t Tailored

The failure to reasonably tailor cybersecurity policies and procedures topped the list of issues the SEC identified in its latest sweep, and experts said they’ve noticed just such ill-fitting practices at many broker-dealers and investment advisers.

Among other things, agency staff said they observed policies that gave only general guidance, were narrow in scope, or gave confusing instructions, including policies governing remote customer access to accounts that contradicted instructions for investor fund transfers.

The alert illustrates that firms can’t just buy a cookie-cutter cybersecurity program off the shelf, Paz said, as untailored policies will not protect firms from their particular risks.

“I feel like there’s too many snake oil salesmen, just saying, ‘Here, I’ve got a nifty policy that’s been reviewed and vetted by the SEC,’” Paz said. “That doesn’t matter a bit — it’s got to be tailored for that business.”

Araneo said the risk alert also illustrates that the “devil was in the details,” as the SEC faulted firms both for failing to customize their programs and for failing to follow through on cybersecurity plans. The agency noted, for example, that some firms that required annual customer protection reviews conducted them less frequently, while others that required ongoing reviews to see if additional security protocols were needed performed those reviews “only annually, or not at all.”

“It can’t be a one-stop, buy this policy, buy this technology, hire this person and stop there — this really is an exercise that needs to cascade through the entire enterprise and involve different employees or at least different functions,” Araneo said.

To design policies that are adequately tailored to fit the firm, experts said, broker-dealers and investment advisers need to perform a deep risk assessment to identify exactly what the procedures must address.

An assessment will help a firm focus its limited resources and personnel, so that written procedures are followed in practice, said Mayer Brown LLP partner Jeffrey P. Taft. But the assessment has to focus on the firm itself and its unique systems, customer base and other potential risks.

“Taking someone else’s risk assessment or looking at the risks applicable to other companies doesn’t do you much good,” Taft said.

Their Plans Are Too Long

In addition to broader cybersecurity policies, experts said firms need incident response plans with instructions on how to deal with an unauthorized intrusion — but the SEC said more than one-third of examined investment advisers and funds didn’t have such plans.

“We’ve seen many organizations that have been caught flat-footed, don’t have a plan, and when an incident happens they don’t know what to do,” said Robert Prucnal, the president of Cipperman Compliance Services.

Of plans firms have implemented, many are too long to be of use in a critical situation when employees need to know exactly who is in charge of what part of the response, Stroz Friedberg Managing Director Chad M. Pinson said in a panel discussing cybersecurity at the SEC’s National Compliance Outreach Program for Broker-Dealers in July.

“All the IR plans I see look like a Stephen King novel where they were being paid by the word to write them,” Pinson said. “You cannot use those things in an emergency, they are completely unusable.”

Instead, firms need to draft simple plans that delineate which employees are responsible for which aspects of the response, and update the plan regularly to ensure details like contact information are accurate, said Erik Rasmussen, North American cyber practice leader for the cybersecurity and investigations practice at risk consulting firm Kroll.

They also need to define clearly when the response plan will be invoked. Triggering the plan in too many scenarios, Rasmussen said, could create “noise” and make it harder to respond efficiently to a larger crisis.

And while there’s no such thing as a perfect plan, Rasmussen said, firms can get closer by practicing incident responses regularly to simulate the real conditions of a breach or other attack.

“Everybody has a plan until they get punched in the face,” Rasmussen said.

Their Vendors Aren’t Vetted

As firms identify the weaknesses and vulnerabilities their cybersecurity policies need to address, experts said one area many overlook is the risk that lies outside their doors, with third-party vendors and service providers.

“A lot of investment firms, a lot of Wall Street firms, spend time on their own systems, but then give access to third-party providers who create vulnerabilities,” Paz said.

Paz noted that vendors and service providers like document review teams, outside counsel and consultants often have extensive access to their clients’ systems and the information therein. If an employee at a provider leaves their laptop on an Amtrak train, Paz said, whoever picks up that computer can then get full access to the firm they were advising.

Indeed, many hacks and breaches have occurred because a vendor providing some kind of access to another firm was hacked, Taft said.

“It’s imperative that companies do something with respect to those weak links,” he said.

The issue is especially important because broker-dealers and fund managers have legal and regulatory obligations to protect the types of client data frequently stored at outside service providers, Araneo said.

To safeguard that information, firms need to reach out to vendors to ensure they have standards in place that meet expectations — a conversation Araneo said has thankfully become easier in recent years.

“The industry as a whole and the vendor community now understand what the advisers and the broker-dealers are asking, so they’re sort of getting their own cybersecurity controls in a language that people can share,” Araneo said. “That part of vendor management has been made a lot easier to accomplish.”

Their Employees Aren’t Trained

Even if firms have secured and protected access points from all their third-party vendors, experts said they’ll still be vulnerable if their employees are clicking on every suspicious-looking message that lands in their inbox.

“Employees are human, and as long as employees are human they’re going to make mistakes,” Taft said. “Clicking on links that they shouldn’t click on, sending money or responding to emails that they shouldn’t respond to.”

Araneo noted that the “human element” is typically the weakest link in an organization’s cybersecurity, especially in investment firms where regulatory transparency requirements can facilitate hackers. For example, Araneo said, the Form ADV filed by investment advisers with the SEC contains much of the information needed to begin a phishing campaign.

With the addition of social media, Araneo said, would-be hackers can use LinkedIn or Facebook to identify targets or discern when points in an organization might be vulnerable, for example if key employees are on vacation. Together, that information allows hackers to manipulate a firm’s employees with tailored phishing campaigns.

“We’ve seen a high sophistication and effective rate of those types of attacks,” Araneo said.
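The two patterns described above, e-mails that appear to come from people inside the firm (the case recalled earlier on this page, where a big firm found attackers sending e-mails purporting to be from its own staff) and tailored phishing built from public filings and social media, can be partly caught at the mail gateway with simple header checks. The following is an added Python example written for this page; it is not code from any of the articles, firms or people quoted here. The firm domain examplewealth.com, the staff directory and the sample headers are all constructed for illustration. It flags three things: a display name that matches a known employee on a mailbox that is not that employee's, a sender domain that folds or edits to within two characters of the firm's own domain, and a Reply-To that diverts replies to a different domain.

```python
"""Header checks for impersonation phishing at a small firm's mail gateway.

Added example, not code from the quoted articles. The firm domain, the
staff directory and the sample headers below are constructed (fictional).
"""
from email.utils import parseaddr
from typing import Dict, List, Optional, Tuple

INTERNAL_DOMAIN = "examplewealth.com"  # assumed firm domain (fictional)
STAFF: Dict[str, str] = {              # constructed directory: lower-cased name -> mailbox
    "jane doe": "jane.doe@examplewealth.com",
    "robert chen": "robert.chen@examplewealth.com",
}
# Substitutions attackers use to build lookalike domains; folded before comparing labels.
HOMOGLYPHS: List[Tuple[str, str]] = [
    ("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"),
]


def fold_label(label: str) -> str:
    """Lower-case, undo common homoglyph substitutions and drop hyphens,
    so 'Examp1e-VVealth' compares as 'examplewealth'."""
    label = label.lower()
    for lookalike, real in HOMOGLYPHS:
        label = label.replace(lookalike, real)
    return label.replace("-", "")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character lookalikes
    that the fold above does not normalise away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete ca
                           cur[j - 1] + 1,             # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """'mail.examp1e-wealth.com' -> 'examp1e-wealth'. Naive second-level
    label; a real gateway would consult the Public Suffix List."""
    parts = domain.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify_sender(from_header: str, reply_to: Optional[str] = None) -> List[str]:
    """Return the findings for one message's From: (and optional Reply-To:) header.
    An empty list means none of the three checks fired."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ["unparseable_sender"]
    domain = addr.rsplit("@", 1)[1].lower()
    findings: List[str] = []

    # 1. Display name is a known employee, but the mailbox is not that employee's.
    expected = STAFF.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display_name_impersonation")

    # 2. External domain that looks like ours after folding, within 2 edits.
    if domain != INTERNAL_DOMAIN:
        ours = fold_label(registrable_label(INTERNAL_DOMAIN))
        theirs = fold_label(registrable_label(domain))
        if edit_distance(ours, theirs) <= 2:
            findings.append("lookalike_domain")

    # 3. Reply-To pulls the conversation to a domain other than the sender's.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if "@" in reply_addr and reply_addr.rsplit("@", 1)[1].lower() != domain:
            findings.append("reply_to_mismatch")
    return findings


# Constructed sample headers (fictional): (From, Reply-To or None).
SAMPLE_HEADERS: List[Tuple[str, Optional[str]]] = [
    ('"Jane Doe" <jane.doe@examplewealth.com>', None),              # legitimate
    ('"Jane Doe" <jane.doe.ceo@gmail.com>', None),                  # CEO impersonation
    ('"Accounts Payable" <ops@examp1e-wealth.com>', None),          # lookalike domain
    ('"Robert Chen" <robert.chen@examplewealth.com>',                # replies diverted
     '"Robert Chen" <rchen.private@outlook.com>'),
]


def scan(headers: List[Tuple[str, Optional[str]]]) -> List[Tuple[str, List[str]]]:
    """Run classify_sender over a batch of (From, Reply-To) pairs."""
    return [(frm, classify_sender(frm, rt)) for frm, rt in headers]


if __name__ == "__main__":
    for frm, findings in scan(SAMPLE_HEADERS):
        print(f"{frm}: {', '.join(findings) if findings else 'clean'}")
```

These checks sit alongside SPF, DKIM and DMARC rather than replacing them: the lookalike and Reply-To cases pass all three, because the attacker's domain really is the attacker's. In production the staff directory would be pulled from the firm's identity provider, and the edit-distance threshold of 2 should be gated on label length, since short labels produce false positives at that setting.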

As part of that training, Rasmussen said, firms should be making security “run through the fabric of the company,” so that cybersecurity becomes an everyday thing and employees know they have an important role to play in keeping their company secure.

“It can be very daunting to people, or [they can be] very dismissive because they look at it as an inconvenience rather than a part of their daily routine,” Rasmussen said.

At the same time, Paz said, firms can’t focus on lower-level employees to the exclusion of the C-suite. He said that while the high tech aspects of cybersecurity are often handled by younger staff, executives need to also be aware of and trained in cybersecurity issues to set the right tone at the top.

“They need to give it high importance, if for no reason than the fact that their entire business could perish as a result,” Paz said.

SEC chief says cyber crime risks are substantial, systemic

NEW YORK (Reuters) - Regulators must do more to help mom-and-pop investors better understand the potential risks posed by cyber crime and new technologies used to commit fraud, U.S. Securities and Exchange Commission Chairman Jay Clayton said on Tuesday. 

Clayton, who was appointed to the commission earlier this year, said cyber security would be one of the top enforcement issues during his tenure at the head of Wall Street’s main regulator. 

“I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” he said during a panel discussion at New York University. “I’d like to see better disclosure around that.” 

One concern for the SEC relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage, said Stephanie Avakian, co-director of the SEC’s enforcement division, who joined Clayton on the panel along with co-Director Steven Peikin. 

Other areas of focus include ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs),” Avakian said.

An Emerging Patchwork Of Cybersecurity Rules

With the recent adoption of cybersecurity regulations governing broker-dealers (BDs) and investment advisers (IAs) registered in Colorado and Vermont, the landscape of cybersecurity regulation continues to evolve in significant ways. For those businesses not yet covered by cyber regulations, these latest moves indicate that the day of reckoning may be coming, with both federal and state regulators actively expanding their reach.

Moreover, these latest regulations may further contribute to an emerging “cybersecurity standard of care,” leaving those who lag behind best practices more vulnerable before the courts. Finally, this emerging regulatory patchwork increasingly threatens to lead to inconsistent standards — although an important thread of consistency (or regulatory convergence) exists.

The Colorado and Vermont Rules

The Colorado[1] and Vermont[2] rules — applicable to BDs and IAs registered in those states (and certain other “securities professionals” in Vermont) — are very similar, which is both fortunate for the financial services industry and the product of an emerging regulatory consensus on the core elements of a sound or “reasonable” cybersecurity strategy.

Under the rules adopted by the Colorado Division of Securities and the Vermont Department of Financial Regulation, BDs and IAs subject to the rules are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The Colorado rules include an additional requirement to specifically protect confidential personal information, which is defined to include a person’s first name or first initial and last name in combination with at least one of the following data elements:

  •   Social Security number;

  •   Driver’s license number or identification card number;

  •   Account number or credit or debit card number, in combination with any required security code, access code, security questions or other authentication information that would permit access to an online account;

  •   Individual’s digitized or other electronic signature; or

  •   User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.

In determining the reasonableness of cybersecurity procedures, the Colorado and Vermont rules do not mandate specific practices as much as the New York rules do, but they do clarify that the following factors will be considered:

  •   The firm’s size;

  •   The firm’s relationships with third parties;

  •   The firm’s policies, procedures and training of employees with regard to cybersecurity practices;

  •   Authentication practices;

  •   The firm’s use of electronic communications;

  •   The automatic locking of electronic devices; and

  •   The firm’s process for reporting lost or stolen devices.

Further, to the extent “reasonably possible,” the rules require cybersecurity procedures to provide for the following:

  •   An annual assessment by the firm or an agent of the firm of potential cybersecurity risks and vulnerabilities;

  •   The use of secure email, including the use of encryption and digital signatures;

  •   Authentication practices for employee access to electronic communications, databases and


  •   Procedures for authenticating client instructions received via electronic communication; and

  •   Disclosure to clients of the risks of using electronic communications.

Comparison to New York’s Regulation

As with the Colorado and Vermont rules, the New York Department of Financial Services cyber regulation (NYDFS rule), which has its first compliance deadline later this month, embraces a risk- and principles-based approach to cybersecurity; however, it also mandates certain specific practices.[3] For example, the NYDFS rule requires firms to conduct annual penetration testing and biannual vulnerability assessments, and also insists on multifactor authentication (MFA) and encryption of certain nonpublic information. By contrast, the Colorado and Vermont rules simply require BDs and IAs to implement “reasonable” cybersecurity policies, which could include the use of MFA and encryption.

It is possible that compliance with the NYDFS rule may satisfy the Colorado and Vermont requirements, but the reverse may not be true.

Another key difference between the NYDFS rule and the Colorado and Vermont rules concerns the entities subject to each rule. Whereas the Colorado rules apply generally to Colorado-registered BDs and IAs, and the Vermont rules apply only to Vermont-registered “securities professionals,” the NYDFS rule applies to a different assortment of businesses, covering insurance companies, insurance agencies and producers, banks and certain other “covered entities” regulated by NYDFS,[4] and also mandates that those covered entities implement written policies and procedures to ensure the security of information systems and nonpublic information that are “accessible to, or held by, Third Party Service Providers.”

Comparison with Federal Regulations

For those companies which the U.S. Securities and Exchange Commission regulates, Colorado's and Vermont’s rules, unlike New York’s specific mandates, likely do not represent a major change in cybersecurity programs.

As a practical matter, SEC regulation S-P, for example, requires SEC-regulated broker-dealers, investment companies and investment advisers to adopt reasonably designed written policies and procedures to safeguard customer records and information. SEC staff guidance issued in April 2015 recommends that investment advisers conduct “periodic” cybersecurity risk assessments and develop and maintain written policies to prevent, detect and respond to cybersecurity threats.[5] In addition, an SEC risk alert issued in August 2017 also reiterates that “cybersecurity remains one of the top compliance risks for financial firms,” and that the SEC will continue to focus on the prevention of cyberattacks.[6] The most recent risk alert also highlights certain firm best practices, including:

  •   Maintenance of an inventory of data, information and vendors;

  •   Detailed cybersecurity-related instructions;

  •   Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;

  •   Established and enforced controls to access data and systems;

  •   Mandatory employee training; and

  •   An engaged senior management.

Additionally, the Colorado and Vermont rules align with Federal Trade Commission guidance regarding what constitutes “reasonable security” designed to protect personal information.

That said, BD and IA firms doing business in Colorado and Vermont could nonetheless be faced with investigations and enforcement actions involving the adequacy of their cybersecurity procedures. This increased risk may put a premium on documenting and explaining risk-based, proactive cybersecurity decisions in a way that will prove compelling to federal and state regulators.

Impact on Litigation

With Colorado and Vermont joining the chorus of regulators calling for “reasonable” cybersecurity programs, it is also increasingly likely that courts will look to regulatory standards to help determine the applicable standard of care in data breach cases. Falling behind in those standards — even if cybersecurity regulations do not directly apply to a particular company yet — may increase litigation risk.

On the other hand, keeping in good standing with the regulators may help fend off civil litigation. This benefit also could extend to senior management in their individual capacity, as scrutiny over the actions of officers and directors appears poised to increase.

Key Takeaways

With the adoption of cybersecurity regulations in Colorado and Vermont, the trend towards increasing cybersecurity regulation continues to pick up momentum. Even those firms not yet covered by cyber regulations may soon find themselves bound to certain minimum standards as a result of being a third-party provider for covered entities, or in order to keep pace with what may very well be an emerging standard of care. There are consistent elements across the varying cyber regulations, which largely accord with best practices for protecting against and mitigating the impacts of cyberattacks. However, compliance with one set of rules does not necessarily mean compliance with all sets of rules.

10 tips for reducing insider security threats

Insider threats can pose greater risks to company data than those associated with external attacks. Here are some techniques to help you spot and mitigate them as quickly as possible.

A report recently released by the Institute for Critical Infrastructure Technology pointed out that most cybersecurity incidents (both intentional and accidental) are the result of some action by insiders.

Earlier this year, I covered some ways to reduce insider security risks. As a follow up, I want to look at further strategies which can assist system administrators in quickly detecting and reducing the threat of insider risk — a critical requirement given the fact some insider security breaches can go undetected for weeks, months or years.

Here are 10 more tips to reduce insider threats:

1. Establish a security incident and response team

Even if it consists of one individual, a dedicated team is essential to security success. This team should be responsible for preventing, detecting and handling incidents and should have documented plans and procedures for each. Providing the team, as well as general IT staff, with security training to keep up with the latest tactics and threats is also a key factor in identifying insider threats as quickly as possible.

2. Use temporary accounts

Set up third-party employees such as contractors or interns with temporary accounts
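One way to verify that the temporary accounts this tip calls for actually expire, as an added example that is not part of the original article: it audits constructed /etc/shadow-style records for a hypothetical list of contractor and intern accounts against an assumed 90-day maximum lifetime, flagging accounts with no expiry, an expiry already in the past, or an expiry further out than the limit.

```python
"""Audit temporary (contractor/intern) accounts for missing or overlong expiry.

Added example; the account names, dates and the 90-day limit are constructed
and hypothetical, not taken from the article.
"""
from datetime import date, timedelta

# Constructed /etc/shadow-style lines:
#   name:hash:lastchg:min:max:warn:inact:expire:reserved
# Field 8 (expire) is days since 1970-01-01; empty means "never expires".
SAMPLE_SHADOW = """\
alice:$6$hash:19700:0:99999:7:::
contractor1:$6$hash:19700:0:99999:7::19760:
intern2:$6$hash:19700:0:99999:7:::
vendor3:$6$hash:19700:0:99999:7::19900:
exstaff4:$6$hash:19500:0:99999:7::19600:
"""

# Hypothetical list of accounts the firm has designated as temporary.
TEMP_ACCOUNTS = {"contractor1", "intern2", "vendor3", "exstaff4"}
MAX_TEMP_DAYS = 90  # assumed policy: temporary access lasts at most 90 days

EPOCH = date(1970, 1, 1)


def audit_temp_accounts(shadow_text, temp_accounts, today, max_days=MAX_TEMP_DAYS):
    """Return {account: finding} for temporary accounts that violate the policy.

    Accounts not in temp_accounts are ignored; a temporary account passes only
    if it has an expiry date that is in the future and within max_days.
    """
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 8:  # skip malformed lines rather than guessing
            continue
        name, expire = fields[0], fields[7]
        if name not in temp_accounts:
            continue
        if expire == "":
            findings[name] = "no expiry set"
            continue
        expire_date = EPOCH + timedelta(days=int(expire))
        if expire_date <= today:
            findings[name] = f"expired on {expire_date} but account still exists"
        elif (expire_date - today).days > max_days:
            findings[name] = f"expiry {expire_date} exceeds {max_days}-day limit"
    return findings


if __name__ == "__main__":
    for account, finding in audit_temp_accounts(SAMPLE_SHADOW, TEMP_ACCOUNTS, date(2024, 1, 1)).items():
        print(f"{account}: {finding}")
```

An account still present after its expiry date (exstaff4 above) is the case that most often goes unnoticed; the audit is meant to run on a schedule so that such accounts are removed rather than left dormant.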

The Good and the Bad from OCIE’s Cyber Examinations and What Firms Should Do Next

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) released a National Examination Program Risk Alert (Risk Alert) on August 7, 2017 regarding observations from its cybersecurity-related examinations of 75 registered broker-dealers, investment advisers and investment companies (collectively, Firms).[1] This OnPoint details the National Examination Program Staff’s (Staff’s) positive and negative findings from OCIE’s 2015 Cybersecurity Examination Initiative (Cybersecurity 2 Initiative) and summarizes the elements that the Staff identified as hallmarks of “robust” policies and procedures.

The Staff’s examinations, conducted in connection with the Cybersecurity 2 Initiative, focused on Firms’ written policies and procedures regarding cybersecurity, and specifically drilled down on the six areas of focus that OCIE had identified in its September 15, 2015 Risk Alert regarding cybersecurity:[2]

  • Governance and risk assessment;
  • Access rights and controls;
  • Data loss prevention;
  • Vendor management;
  • Training; and
  • Incident response.

The Staff conducted the examinations between September 2015 and June 2016 and, during that time, it examined a “different population” of Firms from those that it had examined in connection with its 2014 cybersecurity initiative (Cybersecurity 1 Initiative).[3]

Although the Staff found that Firms’ cybersecurity preparedness had generally improved in the time since it conducted the Cybersecurity 1 Initiative, the Staff made clear that there were still several areas in which Firms could improve their cybersecurity-related controls. The Staff also identified for Firms what it believes to be “elements of robust policies and procedures” regarding cybersecurity.

The Staff’s Positive Observations from the Cybersecurity 2 Initiative

The good news was that the Staff noted “an overall improvement in [F]irms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since the Cybersecurity 1 Initiative.” The Staff explained that, “[m]ost notably, all broker-dealers, all funds, and nearly all advisers” had written policies and procedures regarding cybersecurity and the protection of customer records and information. For example, “nearly all” Firms had policies and procedures that addressed regular system maintenance, cyber-related business continuity planning, and the SEC’s Regulation S-P (Reg. S-P) and Regulation S-ID. Most Firms also “maintained cybersecurity organizational charts” and detailed the cybersecurity roles and responsibilities of Firm employees. In addition, “nearly all” Firms had plans in place that addressed incidents related to unauthorized access, and the “vast majority” of Firms had such plans for denials of service and unauthorized intrusions.

With respect to third-party service providers, the Staff found that “almost all” Firms either conducted their own risk assessments of vendors or required those vendors to provide their security reviews and certifications to the Firm. In addition, over half of the Firms examined required that their vendors update their risk assessment responses at least annually. These findings were particularly encouraging in light of the fact that, in the Cybersecurity 1 Initiative, the Staff reported that 84% of broker-dealers and a much lower percentage of investment advisers required cybersecurity risk assessments of such vendors with access to their Firms’ networks.

From a technical standpoint, the Staff reported that “nearly all” broker-dealers and the vast majority of investment advisers and funds periodically conducted risk assessments of their critical systems, and that all Firms had a tool or system in place to monitor data losses involving personally identifiable information. In addition, “nearly all” broker-dealers conducted penetration tests and vulnerability scans on their critical systems; however, less than half of advisers and funds did so, and a number of Firms did not “fully remediate” “high risk observations” identified via those tests and scans. Similarly, although the Staff explained that “all broker-dealers and nearly all advisers and funds” conducted regular maintenance on their systems and installed software patches to address vulnerabilities, a few Firms failed to install patches that included critical security updates. The Staff also identified these shortcomings related to the remediation of known vulnerabilities as “issues” in the Risk Alert.

Issues Observed During the Cybersecurity 2 Initiative

But these positive findings were not all the Staff found: the Staff also identified issues that Firms should work on resolving as they seek to “assess and improve” their cybersecurity programs. The Staff explained that the majority of Firms’ written policies and procedures “appeared to have issues.” The Staff noted that some policies and procedures were “vague,” provided “only general guidance” and were “not reasonably tailored” to suit the Firms’ needs. They reported that some Firms did not actually enforce their policies and procedures, and that in some cases the policies and procedures depicted by Firms did not accurately describe their actual practices. For example, certain written policies might require annual “customer protection” reviews or the completion by employees of cybersecurity training, but, in practice, reviews were conducted either less frequently than annually or employee trainings did not occur at all. Furthermore, the Staff observed issues related to Reg. S-P violations, noting specifically that certain Firms did not properly conduct system maintenance because they failed to install security patches, timely update their operating systems or fully remediate high-risk findings they had identified when conducting penetration tests and vulnerability scans on their systems.

Best Practices Identified During the Cybersecurity 2 Initiative

The Staff identified certain elements that were included in certain Firms’ “robust” policies and procedures and that serve as examples of best practices for Firms to consider. The elements of these robust policies and procedures included:

  • Maintaining a complete “inventory of data, information and vendors;”
  • Delineating “detailed cybersecurity-related instructions” – for example, with respect to “access rights,” this could include tracking requests for access and having policies and procedures specific to the modification of certain access rights (such as when a new employee comes on board, a position is terminated or an employee’s role changes);
  • Maintaining “prescriptive schedules and processes for testing data integrity and vulnerabilities,” such as by testing a patch before deploying it Firm-wide and analyzing the risks related to and the effectiveness of the patch;
  • Establishing and enforcing “controls to access data and systems,” through, for example, acceptable use policies and policies that require third-party vendors to log their network activities;
  • Requiring mandatory employee training at the time of hire and on a periodic basis thereafter; and
  • The vetting and approval of the cybersecurity policies and procedures by senior management.

The Staff encouraged Firms to review the enforcement actions brought against Firms for violations of the Safeguards Rule of Reg. S-P as an additional source for guidance regarding the Staff’s expectations.[4]

Takeaways from Staff’s Findings of Firms “At Risk” Regarding Cyber-Readiness

Despite the observed overall improvement in Firms’ awareness of cyber-related risks, the Staff’s findings demonstrate that a number of Firms have some way to go in order to achieve cyber-readiness. The specific shortcomings that the Staff identified involve elements that should be considered basic components of an effective cybersecurity program, meaning that the absence of those components in Firms’ policies and procedures may expose those Firms to increased cybersecurity risks.

For example, when a Firm’s policies and procedures are “not reasonably tailored” or a Firm relies on “form-of” policies, the Firm runs a risk of having a shell policy that provides little direction and does not encourage those responsible for the policy to effectively protect the Firm’s customer information or systems. Similarly, a Firm’s failure to “say what you do and do what you say” increases the likelihood that a policy exists only on paper, which can lead a Firm to take ad hoc approaches to cyber threats that are both inconsistent and ineffective, and can also lead a Firm to violate its compliance policies and procedures.

As recent hacks have reminded companies, the failure to remedy and patch known system vulnerabilities may make a Firm a “sitting duck” target for hackers who seek to exploit those vulnerabilities, exposing customer information to theft and leaving the affected Firm without an argument that it could not have reasonably prevented the breach. In these situations, an affected Firm may be exposed not only to increased cybersecurity risks but also to regulatory risks, given the Staff’s expectation that registrants have in place and actually implement tailored cybersecurity policies that adequately protect their systems.

The improvements Firms have made since the Cybersecurity 1 Initiative are important and have not gone unnoticed by SEC Staff. Nevertheless, the “issues” and shortcomings identified by the Staff in the Cybersecurity 2 Initiative should not be taken lightly, as the deficiencies identified amount to key components of a basic cybersecurity program.

All Firms – even those who have done so recently – should take a careful look at the written policies and procedures they have in place, and at how they implement their cyber controls in practice, to ensure that they do in fact have a tailored cybersecurity program that is actually implemented and works effectively to remediate known vulnerabilities and threats. Once a Firm is comfortable that it has those basic elements in place, it should look for ways in which it can further improve its processes and controls related to cybersecurity and, at the Staff’s suggestion, should use the examples of “robust” controls and findings from the Staff enforcement actions under Reg. S-P as a guide. The Staff’s summary shows that many Firms have more work to do in this space and that the Staff remains focused on what it has described as “one of the top compliance risks for financial [F]irms.”