More Compliance Issues to Come

Financial advice firms face a growing list of compliance chores in 2018, including spillover effects of the Department of Labor’s now-delayed fiduciary rule, cybersecurity issues, advisor exam changes and tighter scrutiny of bad brokers, according to ThinkAdvisor.

 

Despite the 18-month delay the DOL put in place last year, the provisions of the rule purporting to require retirement account advisors to put clients’ interests first will still weigh on advisors’ time and resources, George Michael Gerstein, counsel with Stradley, Ronon Stevens & Young, tells the publication.

He says the DOL is likely to unveil a revised proposal this year, according to ThinkAdvisor. On the other hand, the delay of the final compliance date from Jan. 1, 2018 to July 2019 means the SEC could roll out its own version of a best-interest standard, Brian Hamburger, head of regulatory consulting firm MarketCounsel, tells the publication.

The SEC is likely to propose its fiduciary rule this year as well, David Tittsworth, counsel at Ropes & Gray and former CEO of the Investment Adviser Association, tells ThinkAdvisor. But SEC Chairman Jay Clayton said in October the SEC would not “supplant” the DOL’s rule, the publication writes. And varying standards from the SEC, the DOL and the states will cause “confusion and inefficient allocation of capital,” according to Gerstein.

Meanwhile, cybersecurity is now “a business imperative,” Tittsworth tells ThinkAdvisor. Cybersecurity is also one of the top priorities for Clayton, Tittsworth says, adding that one concern advice firms have is whether the SEC will bring enforcement actions against firms it deems haven’t taken appropriate steps to protect themselves against data breaches. 

The other objective topping Clayton’s list is cracking down on brokers with disciplinary records, according to the publication. Brad Bennett, a partner at Baker Botts and former head of Finra’s enforcement unit, suggests both advisors and broker-dealers watch the SEC’s Retail Strategy Task Force, ThinkAdvisor writes.  MORE

Advisers Are Apparently Ignoring Cybersecurity Threats

Only 27% of RIAs surveyed by TD Ameritrade suggest that “cybersecurity issues,” even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.

TD Ameritrade this week provided a fresh cut of data from its 2018 RIA Sentiment Survey, in which independent registered investment advisers (RIAs) look ahead to 2018.

Likely surprising to few, the GOP tax cut plan is the top item expected to impact client sentiments and portfolios in the next year, say independent registered investment advisers (RIAs) polled by TD Ameritrade. Survey results suggest advisers are also “closely watching earnings and interest rates.”

The strong majority (70%) of RIAs expect to see economic growth in the U.S. and abroad this year, while roughly half are bullish on equities. According to the survey data, RIAs expect “financials, materials and industrials” to perform better in 2018, which is somewhat at odds with what various asset managers have projected.

“Their own optimism aside, RIAs say that money in retirement, taxes and estate planning also top clients’ biggest concerns,” TD Ameritrade reports. “To keep up 2017’s momentum, RIAs will look to marketing, not merger and acquisition activity.”

More than three-quarters of RIAs say firm assets will rise in 2018; nearly half expect assets to grow faster than 2017. That will be a pretty impressive feat, as RIAs ended 2017 with revenue growth averaging 15%, TD Ameritrade finds, and with full-service brokerage firms supplying a third of their new clients.

“Though M&A is not in the cards for most, RIAs who are considering it want to acquire or add to their firms, versus merge or sell. … RIAs say they will spend more on marketing in 2018, as they consider it the most important way to drive growth,” the research shows.

Turning to client satisfaction, RIAs say tech investments in 2018 will focus on improving client experience, a top strategic priority for many RIAs. “Regulations and lack of client awareness” are seen as the biggest threats to RIA growth, and only 1% are “extremely concerned” about the threat of robo-advisers.

Lack of concern on cybersecurity 

One finding that could be of note for PLANADVISER readers shows only 27% of RIAs surveyed by TD Ameritrade suggest that “cybersecurity issues,” even when very broadly defined, are likely to impact client portfolios during 2018. This lack of concern and action on cybersecurity challenges probably represents wishful thinking and potentially dangerous complacency on the part of RIAs, attorneys and other experts have warned.  

Indeed, on September 25, 2017, the Division of Enforcement at the Securities and Exchange Commission (SEC) announced the creation of a new cybersecurity unit. As pointed out by David Kaleda, principal in the fiduciary responsibility practice group at Groom Law Group, in Washington, D.C., the cyber unit is explicitly tasked with addressing concerns raised by the increasing use of technology by investors and advisers, as well as the growing risk of general market manipulation and other investor harm.

“The cyber unit will comprise SEC staff with expertise and experience in cyber issues,” he confirms. “Clearly, the creation of the dedicated unit signals that the SEC has a growing appreciation of the potential risks associated with cyber issues. Its concerns rightly include the use of technology to gain an unlawful market advantage, e.g., hacking to access material, nonpublic information, hacking of accounts in order to conduct manipulative trading, and disseminating false information through electronic publication; the failure by registrants to adequately secure customer data and ensure system integrity; and the failure by a public company to disclose, or adequately disclose, cybersecurity incidents that occur at the company.”

Advisers may just be surprised by how much they find themselves talking about and responding to cybersecurity issues during 2018, given the low concern measured on this point by TD Ameritrade.  

Full survey results can be downloaded here.

The Big Hack Attack

Rob is an advisor in Cincinnati at a firm with some half a billion in assets. He’s always thought his cybersecurity was pretty good and figured his firm would be a fairly unappealing target for thieves and hackers.

Still, he decided to go one step further and get a penetration test—paying professional good-guy hackers to try to break into his company’s systems and test his weak spots.

He felt confident. He had a brother who worked in IT security at a big company and felt he knew the risks pretty well. So he paid a security firm to have people camp out inside the back of his office; indeed they had trouble breaking into his computers.

But he wasn’t thinking about his copy machine and scanner, which might have high-value information like tax returns or investment statements. Like many other machines, copiers have default administrative passwords—easy hurdles for people who manage to get into the facility, with, say, the cleaning crews.

“Both of [the devices] could have been loaded with software to copy data or scans to an outside location,” Rob says. “What I’m going to do is inject this malware into any device, and every time something is scanned, it’s going to go to the person who has scanned it, but a copy of it is also going to me [the bad guy].”

Now that he’s bulked up his protection, he asked not to be identified by his full name for this article.

Cyber criminals have become increasingly sophisticated, and all financial services firms are ripe targets for frauds. In 2016, the FBI’s Internet Crime Complaint Center received almost 300,000 complaints for almost $1.3 billion in losses. According to the IBM X-Force Threat Intelligence Index, the financial services sector was attacked more than any other industry that year. The most pervasive scams involve phishing, ransomware, malware and denial-of-service attacks.

Diane Pearson of Legend Financial Advisors in Pittsburgh, says her IT person once told her that someone was trying to break through the firm’s firewall every night. Pearson knows of somebody at another firm who lost her job after succumbing to a phishing e-mail, wiring $50,000 from a client to a fraudster.

The scams don’t have to be terribly sophisticated. The biggest vulnerabilities of financial companies, say security experts, are perhaps not surprisingly their employees. Naïve staffers are most at risk of opening phishing e-mails that allow fraudsters to download malicious software into their machines, taking over their computers and breaking into networks.

The biggest risk is that a hacker will capture an employee’s credentials and then log in externally to third-party vendors, says Benjamin Gordon, the manager of advisory services at Rook Security in Carmel, Ind. “Employees just aren’t educated enough on security, to be perfectly blunt. It doesn’t matter what technology you have in place, what IT team you have in place. If somebody clicks on a malicious link, it’s a problem.”  MORE

Cybersecurity 2018 – The Year in Preview: Financial Institutions and the SEC

The U.S. Securities and Exchange Commission has made no secret about the gravity of the cybersecurity threat facing the investment community.  Since at least 2014, the SEC has made a point in emphasizing the cyber threat through enforcement actions, inspections and examinations, roundtables, and policy speeches.  While the change in administration brought new leadership to the Commission, that group has made clear at every possible opportunity that combatting the cyber threat will be a top SEC priority in 2018 and beyond.  For example, Enforcement Division co-director Steve Peikin, a former federal prosecutor and partner at Sullivan & Cromwell, referred to cyber attacks as the “greatest threat to our markets right now.”  His co-director Stephanie Avakian, an SEC Enforcement veteran, similarly called the cyber threat “among the greatest risks facing investors and the securities industry.”  The import of their message is clear – the investment community, and, in particular, SEC-regulated entities, should be on alert in the coming year.

Historically, the SEC has addressed the cyber threat through enforcement actions aimed at entities and individuals that threaten market integrity, either by failing to take necessary cyber precautions or engaging in cyber-related misconduct, and through regular cyber examinations of registered entities by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).

SEC Cyber-Enforcement

On the enforcement front, the Commission’s Enforcement Division created a new Cyber Unit in September 2017.  This unit has a broad mandate to target all forms of cyber-related misconduct, including market manipulation schemes involving false information spread through electronic and social media, hacking to obtain material nonpublic information, violations involving distributed ledger technology and initial coin offerings (more on that to follow), misconduct involving the dark web, intrusions into retail brokerage accounts and cyber-related threats to trading platforms and other market infrastructure.  The Market Abuse Unit previously handed the SEC’s cyber investigations, but the Commission deemed the threat important enough to create a separate unit (the Enforcement Division’s first newly created unit since 2010).

Beyond press releases and policy statements, the Enforcement Division has offered some guidance on the Cyber Unit’s focus in 2018.  Focus areas include: (1) cyber-related misconduct that is used to gain an unlawful market advantage, (2) the failure of registered entities to appropriately safeguard information or ensure system integrity, and (3) cyber-related disclosure failures by public companies.

The first area – cyber-related misconduct – has historically been the SEC’s primary cyber enforcement focus area.   During the past year, SEC enforcement actions have targeted: (1) hacking to access material, nonpublic information in advance of a material announcement or event; (2) an account intrusion in order to conduct manipulative trading; and (3) disseminating false information electronically, including through EDGAR, in order to manipulate stock prices.

With respect to the second area – the failure of registered entities to appropriately safeguard information – the SEC has often handled such failures through the OCIE examination process.  Avakian has indicated that while the SEC will continue to do so in appropriate cases, it will consider enforcement action if warranted.  The final area identified by Avakian – the failure by a public company to make a cyber-related disclosure (i.e., disclosure of a cyber breach or other event in SEC reporting) – is a new area of enforcement for the SEC.  While the SEC will not look to second guess reasonable, good-faith disclosure decisions, it will take enforcement action if an appropriate case presents itself.  Regardless of whether the SEC ultimately takes enforcement action, the SEC’s message to regulated entities going forward is clear – closely guard confidential information from cyber attack, and if an attack happens, determine whether some form of public disclosure is required.

More recently, on December 11, 2017, the Cyber Unit directly confronted a new and growing cyber risk, halting an initial coin offering by California-based Munchee Inc.  Munchee was seeking $15 million in capital for its blockchain-based food review service.  In selling digital tokens, the company and promoters emphasized that the tokens could increase in value, which the SEC concluded could cause investors to reasonably believe that they could generate a return on investment.  The SEC thus determined that the coin offering constituted an unregistered securities offering.  Further emphasizing the SEC’s focus on this new technology, on the same day that the SEC announced the Munchee enforcement action, SEC Chairman Jay Clayton provided a statement on cryptocurrencies and initial coin offerings.  He offered warnings to both investors and market professionals.  This should serve as a clear signal that the SEC will not hesitate to conduct additional enforcement activity in this arena.

OCIE Cyber Exams

Outside of the Enforcement Division, OCIE continues to make cybersecurity a prominent aspect of its examinations of registered entities, including broker-dealers, investment advisers and investment companies.  OCIE conducted its first targeted cybersecurity sweep in 2014.  It followed up with a Cybersecurity 2 Initiative, the results of which were released in August 2017.

The exams focused on how written policies and procedures addressed: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.   The good news is that registered entities have made vast improvements since 2014.  In particular, of the 75 firms examined, almost all of them had adopted written policies and procedures concerning the protection of customer and/or shareholder data.  The bad news is that many of these policies were either not sufficiently robust or not routinely followed.

OCIE identified a number of common deficiencies, including: (1) policies and procedures provided employees only with general guidance rather than specific examples of safeguards; (2) firms either did not adhere to the policies or the policies did not reflect their actual practices; and (3) firms did not adequately conduct system maintenance, such as the installation of software patches to protect against vulnerabilities.

OCIE also provided guidance on best practices for developing and implementing appropriately robust policies and procedures.  These best practices include: (1) maintaining an inventory of all data, information and vendors, including a classification of risks regarding each; (2) detailed cybersecurity-related instructions for penetration tests, security monitoring and system auditing, access rights and reporting; (3) maintenance of schedules and processes for testing data integrity and vulnerabilities; (4) established and enforced controls to access data and systems; (5) mandatory information security employee training; and (6) vetting and approval of procedures by senior management.

The weaknesses and best practices identified by OCIE should provide clear guidance to registered entities on how to implement effective cyber policies going forward.  Like the SEC’s top officials, OCIE has made clear that cybersecurity is one of top compliance risks for financial firms, and, as a result, OCIE will continue to make it a key aspect of its annual examination process.  MORE

 

Why choosing a cybersecurity auditor may be tougher than you think

With its 2017 list of examination priorities, the Securities and Exchange Commission left little doubt about its zeal for having advisory firms focus their attention on cybersecurity measures. 

“We will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls,” the SEC said in the statement announcing its examination priorities. 

But advisory firms, which want to conduct cybersecurity audits to pre-empt any future SEC troubles, must reckon with a reality: Cybersecurity auditing is a less than fully developed science.

“Because of the recent focus on cybersecurity from the SEC, this has become a hot topic. Since firms expect this to be included in their next SEC exam, it certainly makes sense to perform an internal audit prior to that,” says Brent Everett, founder, chief investment officer and partner at Talis Advisors in Plano, Texas.

But, “most traditional IT firms don’t understand the complex requirements of our industry and the few that do are focused on servicing large enterprises, not the typical small to medium-sized RIAs,” he says.

Until more options develop, advisory firms must choose among the “service providers that have sprung up to address this area of the market,” Everett says.

It is an imperfect situation. 

“As the requirements are still rapidly evolving, there is still little standardization of the audit process, what is required and what is provided. This makes it quite difficult to compare services from different suppliers,” Everett says.

Caveat emptor rules apply. 

“It’s also quite obvious that many of the suppliers are in the start-up phase and don’t have particularly robust documentation of their processes. It’s an immature industry, and pricing varies wildly; you don’t always get what you pay for,” Everett says. MORE

Why Cybersecurity Matters To Your Business

You start a business. You grow your company from an idea to a fully functioning and profitable entity. With success comes clients and, as with most companies, you store personal information either to be used in marketing or from a purchase. As a result, you hold the keys to many of the things that your customers value and treasure in their lives and it is now your responsibility to protect your their personal information. Additionally, your company has a myriad of confidential and private information internally that needs to be protected.

The premise is simple: Protect your company's data along with your customers' data. But the execution is complex. Over the past several years we have learned this fact as companies -- from the retail giant Target to the credit reporting service Equifax -- have fallen victim to cyberattacks.

While cybersecurity tools, consultants, software and hardware are all handsomely expensive, none of them have the immediate positive impact on bottom lines that other technologically centered additions do. This means that it is just not as fun to invest in cybersecurity products and services as it is to outfit your team with lightening-fast laptops. Still, a sound cybersecurity plan and deft execution can be an amazing selling point for customers and clients as awareness grows across society at large. Here are a few ways to take control.

Understand Cybersecurity Applies To You

The first step to protecting your business is to understand that the threat is real. Many times when news of wide-scale data breaches flood Facebook feeds and media outlets, business owners take solace in the fact that while Target may have been hacked, their company is too small to be at risk. This is a false sense of security. According to Symantec, over 43 percent of cyberattacks in 2015 were targeted toward small businesses — and this number will only rise. Furthermore, only 14 percent of small business believe that their current ability to guard against cyberattacks is effective. Thus, cybersecurity is a small- and medium-sized business problem -- one most are not addressing properly.

Seek (Quality) Advice

No matter what type of business your company conducts, even if it is technology-based, your business can benefit from an outside set of eyes. The technology and data surrounding cybersecurity are constantly changing and evolving. This means that while you may have some of the most brilliant tech minds around grinding out your code, their focus is not necessarily security -- and the result is vulnerability.

Accordingly, it is totally acceptable, if not necessary, to work with a cybersecurity professional. A simple Google search for "cybersecurity services" will yield thousands of results. Not only will consulting a professional make your operations more secure, but this contact will go a long way. In the event that a cyberattack happens, the contact will fend off would-be lawsuits by showing that you took adequate measures for security.  MORE

SEC to Focus on Individual FAs Next Year

The latest enforcement actions report from the SEC suggests the regulator will likely go after advisors more often than firms, legal experts tell InvestmentNews.

The SEC brought 82 standalone cases in fiscal year 2017 compared to 98 the year prior, but advisors shouldn’t get too comfy, according to the publication. Eighty percent of the actions were against individuals, Todd Cipperman, a managing principal at Cipperman Compliance Services, tells InvestmentNews.

“Just because you’re paranoid doesn’t mean they aren’t after you,” Cipperman tells the publication.

The SEC is likely to continue prioritizing individual advisors over firms even though it’s more expensive “because of the fear and the deterrent effect,” he says, according to InvestmentNews.

In January, SEC chair Jay Clayton said much the same, according to the publication. Going after individuals and naming names also produces “more of a reputational effect,” Amy Lynch, founder and president of FrontLine Compliance, tells InvestmentNews.

The SEC is shifting staff to its new cybersecurity unit and its new Retail Strategy Task Force, launched in September, but it is also reducing the number of lawyers in its enforcement division by 100 through attrition, Deborah Meshulam, a partner at the litigation firm DLA Piper and a former assistant chief litigation counsel of the division, tells the publication. The cut isn’t likely to affect its enforcement brawn, however, according to Meshulam: the SEC will likely simply go after bigger fish, she tells InvestmentNews.  MORE

SEC Exam Priorities Said to Focus on Cybersecurity, Seniors in 2018

The new examination priorities list, usually released in January, would be the roadmap for OCIE activities for the year

 

Investments involving seniors and cybersecurity compliance are among the concerns expected to make the 2018 examination priority list now being developed by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), according to industry experts familiar with the process.

The list is likely to be released in January and will be the roadmap for OCIE activities for the year with an expected focus on market-wide risks and retail investor risks.

“Cybersecurity will be an expanded OCIE priority in 2018, as examiners look to whether sufficient cybersecurity policies, procedures and controls are in place to protect personal information,” Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft, told ThinkAdvisor.

“With the one-two punch of the Equifax and EDGAR breaches still fresh in the headlines, it is hard to imagine cyber will not be front-and-center going forward. Chair [Jay] Clayton has stated that he views cybersecurity as a critical part of the infrastructure underlying the capital markets, and this emphasis will no doubt be borne out in OCIE priorities.”

James Fanto, a professor at Brooklyn Law School, agrees, saying, “There is simply so much activity in the cybersecurity space with the Equifax hack and the SEC’s own hack that they can’t ignore this subject. And there is always the worry that customer assets will be hacked into and taken.”

Similarly, Robert Plaze, an attorney at Proskauer Rose, also sees cybersecurity as an OCIE priority.  “It’s a real risk throughout the financial services industry – and a wide swath of other industries – and the SEC is vulnerable if it is not viewed as sufficiently vigilant because the SEC was itself hacked.”

Moreover, Denver Edwards, an attorney at Bressler, Amery & Ross, points out that the OCIE, in recent years, examined broker-dealers and investment advisors for compliance with cyber-security regulations.

“OCIE will continue to examine registrants for cyber compliance given that cyber breaches have become ubiquitous,” he adds.  “The Commission is concerned about hacking to access material, non-public information; account intrusions to conduct manipulative trading; and disseminating false information … to manipulate stock prices.”

Related to this, there has been a divide internally among the SEC staff on cybersecurity, a knowledgeable source told ThinkAdvisor. On one side, there are those who are more “militant” and want stricter standards and more enforcement actions, and want to make an example of a business or firm that has a cyber incident.

On the other side, are those who are not as militant, and they understand that companies and firms regulated by the SEC want to avoid cyber incidents and are spending money to mitigate risk and improve their cyber defenses. This side, too, may want to see information sharing and collaboration with the government — and does not want to be as aggressive. As 2018 progresses, the SEC may reveal where it stands among the factions.

Also, the SEC is concerned about savings by retirees and baby boomers. This involves those who saved money in a 401(k) or other retirement fund, and how financial service companies want them to put the money into their firm, which poses some risk.

“Last time, the list had an entire section on senior investors and retirement products. I just don’t see that focus going away, given the drumbeat on that topic as so many of us age and have to rely on retirement assets,” Fanto said. “This topic could include all sorts of things, such as products targeted to seniors.” 

Fanto says other issues could make the priority list for 2018 and may include:

  • Problem brokers who move from firm-to-firm or from broker-dealers to advisors.
  • Problematic retail products, such as initial coin offerings and anything related to Bitcoin.
  • Investment advisor practices.

Edwards suggest other possible categories may be included, such as: high fee mutual funds share classes; failure to disclose fees; robo-advisors; advertising; abusive practices; and anti-money laundering.

Also, given that OCIE Director Peter Driscoll had input into OCIE’s 2017 priorities, many of them could “carry over into the new year. There will continue to be a focus by OCIE on protections for retail investors, especially seniors, from abusive sales and marketing practices and improper fee structures,” Moreno said. “A continued emphasis on reviewing registered investment advisors – particularly those who have never been examined by OCIE – will mean fewer resources focused on broker-dealers.”

The list is not expected to change that much from 2017 priorities, and whatever is listed, the knowledgeable source said the priorities are likely the result of speaking with each SEC commissioner and each division. The list is worked on for months, and becomes a “strategic plan for the year,” the source said.

In fact, the source predicts the OCIE will dedicate three quarters of its time and resources to the listed priorities.

“The OCIE’s priorities list is of significance to compliance officers in broker-dealers and advisers because it tells them what to expect when the SEC’s examiners visit their firm,” Fanto adds.  MORE

Cyber attack response - What do you do?

A client database has been hacked – and personal details of individuals stolen. It’s every company’s nightmare, and now it’s happened. What steps should the firm take? And who needs to be notified?

In today’s world of cyber risk, a successful attack on a financial services firm’s systems is not a matter of “if”, but rather of “when”. While it makes sense to invest in the best cyberattack deterrence technology, and to put in place preventative policies and procedures, bad things can still happen to good cybersecurity programs. And when they do, it’s the firm’s reputation that is on the line.  

Firms need to have a plan of action ready to implement if they are hacked and data is stolen. Like a business continuity strategy, such a plan will help guide individuals as to the actions they should be taking – to limit further damage to systems, to mitigate reputational risk, and to ensure compliance with a growing number of regulatory requirements.

A key part of any plan must be managing the notification requirements. Firms usually will need to notify a regulator or other government body that it has been hacked. Sometimes there is also a requirement to notify impacted clients too – but if there isn’t, it is usually best practice to make them aware in any case. Failure to report a cyber breach to either a government body or to clients – if the breach comes to light later – can have a serious negative impact on a firm’s reputation. The internet is littered with companies who delayed reporting and have encountered supervisory censure as well as negative headlines and client lawsuits – Equifax is a recent example.

Many jurisdictions are putting formal notification requirements in place. For example, New York State’s March 2017 regulations now require financial services firms to notify the regulator within 72 hours of a breach taking place, and other US states are putting in place similar requirements. The US Securities and Exchange Commission (SEC) published some observations from its cybersecurity examinations in August which noted that firms need to have robust reporting frameworks.

In the EU and the UK, the General Data Protection Regulation (GDPR) will require firms to notify the correct regulator within 72 hours of a breach, and impacted individuals “without undue delay”. Failure to meet these notification requirements can result in a significant fine of up to 10 million Euros or 2% of global turnover.

There are good reasons why governments are asking firms to make a formal notification of a cyber breach. First, they are recognizing the need for more action on their part to combat hacking. Registration of incidents helps governments to understand the nature of the problem. Secondly, in some jurisdictions this information is shared in some way with other financial services firms – helping all firms to collaborate to prevent successful cyberattacks.

Thirdly, regulators are beginning to use this cyber breach reporting data in their pre-examination analysis. Supervisors can see which firms are having incidents and what kind of incidents they are having – perhaps to formulate good questions for discussion with the firm during the visit. On the flip-side, they can also see who is reporting below-normal levels of incidents. If the firm has some form of cybersecurity best-practice, then that is of interest. However, if the firm is simply not reporting cyber breaches, then more difficult questions will be asked.  

As a result of these new breach reporting regulatory requirements and client expectations, firms are advised to develop specific policies and procedures for when an incident occurs. This should include identifying what their breach reporting requirements are, developing reporting templates, and actually testing this part of the incident response plan. Specific elements of the communications plan could contain when and how to:

  • Notify investors 
  • Bring in the legal team 
  • Call law enforcement 
  • Report to the regulator if a requirement, or when to contact if no requirement
  • Communicate to employees 
  • Disclose to clients 

Best practice firms conduct table-top exercises using several different scenarios, such as ransomware, or an insider attack. If the firm outsources significant portions of its IT infrastructure, it’s important to conduct these exercises in partnership with the IT supplier. If the firm engages with third parties for other types of activities, and those activities involve use of client data, the firm should perform these table top exercises with these vendors – and ensure the vendor is aware of all reporting obligations the firm has to regulators.

If a firm is genuinely not subject to any cyber breach reporting requirements, it should nonetheless put a framework in place to document each incident and note why no reporting is required. This will help support the firm’s engagement with regulators in the future.

In short, it’s important for firms to understand the notification requirements that impact them, as well as how they wish to engage with clients – and to then formulate an incident response plan. For financial services firms, reputation and trust are of high importance, and so ensuring a solid approach can make a real difference to how well a firm weathers a cyberattack. 

FA: Is Your Firm Cyber Secure?

Last year, the SEC fined Morgan Stanley $1 million for failure to protect information in 730,000 client accounts, which were first stolen by an employee and transferred to a personal server and then hacked and offered for sale online. The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines light on what the SEC expects from firms when it comes to their internal web applications and portals that give employees access to customers’ confidential account information.

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques.

Examiners are also looking at employee training and vendor relationships, Rubin said, adding that firms should have policies that show they’re actively training their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity. Firms are also responsible for knowing what kind of cybersecurity system their vendors have.

State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors—in the first year state regulators reported on cybersecurity incidents.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to frequently assess these requirements.

To minimize threats posed by data breaches, NASAA recommends that firms routinely back up devices and store the underlying data in a separate, remote location. And they should regularly test backup procedures to ensure their suitability. Similarly, firms should consider whether e-mail communications should be sent securely, especially where they involve identifiable information regarding a client.  MORE

Wealth Management: The Cybersecurity Problem Requires Human Solutions

Despite headlines all month showing the scope of compromised personal information in attacks on EquifaxYahoo and the SEC, many advisors still aren’t taking cybersecurity seriously.

An examination of more than 1,200 investment advisors by the North American Securities Administrators Association uncovered 698 deficiencies, including no or inadequate cybersecurity insurance, no testing of cybersecurity vulnerability, lack of procedures regarding securing or limiting access to devices, no technology specialist or consultant and a lack of procedures regarding hardware and software updates or upgrades.

Frank Quinlan, a counsel to law firm Newmeyer & Dillion who has a background in cybersecurity with the U.S. military, says that because of the amount and type of client information advisors hold, not to mention money and other assets, advisors have to understand that attacks are coming and they are targets, no matter how big or small their firms. Quinlan says advisors absolutely must spend some time understanding information security principles to protect themselves and clients.

He recommends advisors get the NASAA’s “Cybersecurity Checklist for Investment Advisors,” which Quinlan says is written to be easily understandable by advisors and will especially help independent RIAs and small firms get up-to-snuff. But for those worried about these headline-grabbing attacks and what they can do immediately to improve security, Quinlan recommends three key steps.

The first is to read through the National Institutes of Standards and Technology’s guide on the fundamentals of small business information security to have a baseline understanding of the terms and concepts. “[It is] your operational manual for securing a small business,” Quinlan said.  MORE

SEC’s Most Recent Cybersecurity Move: What Registered Investment Advisors Need to Know Friday, October 27, 2017

In a recent Risk Alert, the SEC stressed that its proposed measures were suggestions and not requirements at this point, although RIAs should be proactive and prepare for the possibility that new regulations could be on the way. 

The Office of Compliance Inspections and Examinations (OCIE) of the SEC recently released a Risk Alert that detailed its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the United States. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ procedures and controls related to cybersecurity. 

Common Weaknesses

The SEC found two overarching themes. First, it found that firms were better prepared during this examination than during the 2014 Cybersecurity Initiative exams. Second, the staff found that investment adviser firms tended to be less prepared than broker-dealers in some areas examined, such as penetration testing and data breach notification.

The staff noted three main areas of weakness across firms:

Cybersecurity policies too general or vague to be useful to the firm’s employees. Investment adviser firms should develop procedures that give specific, not merely general, guidance. To maximize employee comprehension and adherence, an investment adviser firm’s policies and procedures should include concrete examples and specific procedures tailored to the firm’s practices.

Failure to enforce or to tailor cybersecurity policies to the firm’s needs. This risk is not limited to an investment adviser firm’s cybersecurity practices; a firm without cybersecurity policies and procedures adequately tailored to its needs may also have similar deficiencies throughout its compliance program.

Inadequate maintenance of information technology systems. Some examinees were found to be using outdated operating systems or other software that was no longer supported with security updates by the manufacturer. Running software without security updates leaves an investment adviser vulnerable to otherwise avoidable cybersecurity losses. Furthermore, the staff found situations in which some examinees had identified vulnerabilities during cybersecurity testing but failed to take action to remediate their findings.

SEC Guidance

The SEC staff highlighted three main actions that an RIA firm could take to help address information technology security issues:

  • Conduct a periodic information technology security risk assessment.
  • Create and test a strategy that is created to “prevent, detect and respond to cybersecurity threats.”
  • Implement the strategy by creating written policies and procedures and training internal staff and possibly clients.

The staff further suggested that assessing information technology security risks should be a critical part of a firm’s annual compliance risk assessment. The logic of the argument is that it’s hard to successfully design a cybersecurity strategy without first taking a step back and identifying the key threats and vulnerabilities that are unique to a particular advisory firm.

When crafting an information technology security strategy, the staff noted that some of the key focus areas of that strategy may include:

  1. Access control to systems and sensitive data
  2. Encryption
  3. Restricting the use of removable storage media
  4. Having the ability to monitor network activity for unauthorized intrusions
  5. Data backup and retrieval
  6. Creation of an incident response and business continuity plan

Going Forward

Even though the SEC has not issued any regulations, it is clear that cybersecurity will remain a priority. It should be for RIA firms, too. The North American Securities Administrators Association is mulling a model cybersecurity rule for investment advisors and is currently developing cyber guidance and a “checklist” for small advisory firms to use to assess their cyber preparedness.

Firms can also incorporate the elements present in the policies and procedures of firms the SEC determined had the most robust cybersecurity programs. These include:

  • Keeping a detailed inventory of data, information and vendors
  • Giving specific instructions in the policies and procedures, including examples where helpful
  • Regularly testing technology systems and implementing cautious but timely security patch deployment to all machines
  • Establishing and enforcing controls for access to firm data or systems, such as acceptable use policies, mobile device management, vendor activity logs detailing use of the firm’s system and immediate elimination of system access for terminated employees
  • Mandatory employee training, both upon hire and periodically throughout the year
  • Active engagement by senior management  MORE

Scams to Look Out for After the Equifax Breach

It’s been a little over a month since news of the Equifax Breach first broke, and the incident is turning out to be the quite the gift to fraudsters. From gaffes made by Equifax and other credit bureausto the fact that the data breach was more extensive than initially thought, everything surrounding this incident has made it difficult for victims to quickly and thoroughly secure their information. While a credit freeze will protect your credit reports, it will not protect you from the other side effect of data breaches — scams. As time goes on, consumers should prepare themselves for the onslaught of opportunists who will use any leaked information and circumstances surrounding the Equifax breach to their advantage. Keep reading below as we detail the types of scams you should be watching out for in the near future.

How exactly does the Equifax breach benefit scammers?

Unfortunately for consumers, this breach will likely prove to be the gift that keeps on giving to identity thieves. That’s because this breach not only provides criminals with lots of personal information — most of which is probably now available on the dark web — but it also provides the perfect context for making fake phone calls and phishing emails. Essentially, scammers now have two solid choices for perpetuating schemes: they can either steal your information if it was captured in the breach, or they can use the details surrounding the incident to convincingly pull off social engineering scams. For example, scammers could pretend to be someone from Equifax who’s offering some form of assistance navigating the personal and financial fallout of the breach. How scammers target you will depend on what they want, but you should be prepared for any potential scam, given the size and scope of the Equifax breach.

What types of scams should I look out for?

Given that every week we seem to learn something new about the breach, the possibilities are potentially endless with regard to what exactly scammers might try to pull off. That said, based off of what we currently know, here are some of the more likely scams you can expect in the coming months and perhaps even years:

Scams offering assistance in dealing with the breach

The FTC and other organizations have already begun reporting on an emerging scam which involves fraudsters calling up consumers under the guise of being Equifax representatives. In the most common version of the scam, fraudsters ask for their victims to “verify” account information with their full name, social security number, home address, date of birth, etc. This type of scam has also expanded to phishing emails, though it could conceivably even spread to snail mail. It’s also possible that scammers could pose as attorneys and credit repair services to offer you legal and financial assistance.

To protect yourself from these threats, you should under no circumstances provide personal information to someone who contacts you and claims they’re offering any sort of assistance, as they are likely scammers. If you’ve personally vetted the owner of the phone number or email address and can confirm they’re legitimate, you can provide the information. For example, providing your credit card number over the phone to Experian (through the phone number listed on its site) is not the same as giving your credit card details to someone calling from a random number claiming that they’re affiliated with Experian. In one scenario, you’ve done the work needed to verify the identity of the party on the other side of the phone, so if your credit card is misused, you have some form of recourse. Essentially, there is no reason for you to respond to unsolicited messages or calls that purportedly come from organizations you may or may not be familiar with. If you feel compelled to respond, do not respond to the email or over the phone; instead, go to the service’s website (do not click on any links in emails or text messages) and contact them directly to get more information. The odds of a company or credit bureau legitimately reaching out to you randomly over the phone or via email without first notifying you are fairly low, especially now that we live in an era where organizations and businesses know these types of scams are common.

Scams promising compensation (especially from Equifax)

Someday down the line you might get a call (or email) from an Equifax representative or attorney who informs you that you’re entitled to compensation as a result of the breach. Should you believe them? Probably not. Although it sounds cynical, most experts suspect that Equifax won’t face punishment for the breach. This means there’s no reason to expect Equifax to offer any compensation beyond what it has already offered in the form of free identity monitoring and a temporary fee waive for credit freezes.

One of the few exceptions might perhaps come in the form of a successful class-action lawsuit. Although the possibility of such a lawsuit isn’t off the table, even then, you shouldn’t expect to be contacted out of the blue for a payout (assuming there is one), and if you are, follow our tips at the bottom of this post to confirm the legitimacy. Generally, you should take anyone claiming that you can receive compensation for this breach with the finest grain of salt possible, especially if they’re asking for your personal information over the phone or through a link in an email.

Scams involving your lender/creditor

With the information taken in the Equifax breach and previous breaches, it might be possible for scammers to learn of the companies and lenders you have open accounts or relationships with. From there, they can pretend to be a representative from one of these companies in an attempt to gather your personal information either over the phone or through email. As with the other scams, if you receive unsolicited contact from your creditor or lender asking for personal information, do not click on any links or provide any information. Instead, contact the creditor or lender directly using the legitimate phone number or website to avoid being phished or scammed.

IRS and tax scams

The big worry for many is that the treasure trove of information contained in the Equifax breach will inevitably lead to tax identity theft for years to come. While there will likely be many different types of scams deployed by fraudsters and hackers, you should predominately be on the lookout for scam calls or emails from “the IRS.” Remember that the IRS itself won’t contact you by phone or email, though debt collectors may call on behalf of the IRS for back-owed taxes. In addition, you should aim to file your taxes as early as possible to prevent someone from claiming your tax refund (or a phony refund) on your behalf.

Keep in mind, this list of scams is not conclusive, as hackers and other types of fraudsters might choose to go after the information that’s already available to sell it or to acquire credit or government benefits in your name. For more information about scams and how to protect yourself from them, read our scams blog. And to keep an eye on the latest details regarding Equifax, follow our Equifax breach blog.

Tune up your firm’s cybersecurity training program

There may have been a time when an annual employee training program on cybersecurity was enough to satisfy regulators that an advisory firm was taking the threats of hackers and other malicious actors seriously.

No longer.

The Securities and Exchange Commission has made no secret that it expects more from firms in the area of cybersecurity, identifying the issue in its recent exam priorities letters, conducting sweep exams focused on firms' cyber policies and procedures, and, most recently, announcing the establishment of a dedicated cyber unit.

TD Ameritrade recently launched a campaign to promote the message to its registered investment advisers that a strong, dynamic cybersecurity training program is an essential element of a modern practice. A key part of that effort is the notion that employee training must be ongoing, that policies to protect the firm's systems and information aren't just a set-it-and-forget-it proposition.  MORE

Tune up your firm’s cybersecurity training program

There may have been a time when an annual employee training program on cybersecurity was enough to satisfy regulators that an advisory firm was taking the threats of hackers and other malicious actors seriously.

No longer.

The Securities and Exchange Commission has made no secret that it expects more from firms in the area of cybersecurity, identifying the issue in its recent exam priorities letters, conducting sweep exams focused on firms' cyber policies and procedures, and, most recently, announcing the establishment of a dedicated cyber unit.

TD Ameritrade recently launched a campaign to promote the message to its registered investment advisers that a strong, dynamic cybersecurity training program is an essential element of a modern practice. A key part of that effort is the notion that employee training must be ongoing, that policies to protect the firm's systems and information aren't just a set-it-and-forget-it proposition.  MORE

Cybersecurity: How to satisfy regulators

NASAA Checklist

State securities regulators could put forward this year a model rule on cybersecurity, Joe Borg, Alabama securities director and president of the North American Securities Administrators Association, said in a recent interview.

If so, elements of the regulation may be drawn from NASAA’s cybersecurity checklist for investment advisers. Here are a few of the 89 items on the roster and what they might look like as provisions of a cyber rule.  MORE

SEC and States Are Upping Their Cyber Game, Are You Doing the Same?

September 2017 saw no respite from the relentless pace of cyber developments, not only from the perspective of rapidly evolving attacks, but also from the perspective of dynamic federal and state regulatory moves. In particular, on September 25, 2017, the Securities and Exchange Commission (SEC) announced a new enforcement initiative to address growing cyber-based threats and protect retail investors.1 The initiative established a Cyber Unit to target misconduct, a move that could place further pressure on broker-dealers and investment advisers already feeling the heat from an uptick in cyber-related exams and the relentless onslaught of cyber intrusion attempts. Second, a day earlier, the North American Securities Administrators Association (NASAA) announced that state securities examiners conducted over 1,200 coordinated examinations of state-registered investment advisers between January and June 2017, finding 698 cybersecurity-related deficiencies.2

Given the advancing threats and the increasing regulatory scrutiny, broker-dealers and investment advisers should consider acting with increased urgency to further prepare themselves, focusing in particular on having written cyber policies that are regularly updated to account for the latest threats. The severity and frequency of attacks are only growing, while the tolerance among regulators for failing to take sufficient preventive steps is only diminishing. Against both attackers and regulators, the best offense truly is a good defense, and regulators are strongly indicating that it is not enough to simply have a defense; but rather, that defense must also evolve to keep pace with the rapidly evolving offense. 

The SEC

What the Cyber Unit Will Do

With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well. 

The unit will function as part of the SEC’s Enforcement Division to target misconduct along six cyber-related priority areas:

  • Market manipulation schemes involving false information spread through electronic and social media;
  • Hacking to obtain material nonpublic information;
  • Violations involving distributed ledger technology and initial coin offerings;
  • Misconduct perpetrated using the dark web;
  • Intrusions into retail brokerage accounts; and 
  • Cyber-related threats to trading platforms and other critical market infrastructure.

By examining each of these areas in depth, this Alert tries to discern the SEC’s key concerns and suggests issues that firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action. 

Market Manipulation Schemes

With the spread and growing influence of “fake news” to manipulate political outcomes (and with further proof of intentional nation-state involvement in spreading such false stories),3 it is no surprise that the SEC is concerned about the use of targeted misinformation via social media to manipulate market outcomes. 

The SEC will likely be on the lookout for companies hoping to turn an illicit profit by creating or spreading known misinformation via the internet. The SEC could bring fraud cases against those who disseminate false information to manipulate the market, and aiding and abetting cases against those who negligently spread the false information. In fact, the SEC has already started. In 2015, the SEC filed securities fraud charges against a Scottish trader whose false tweets caused sharp drops in the stock prices of two companies and triggered a trading halt in one of them.4

In light of the growing prevalence of intentionally fake stories, it may be prudent for firms to have proactive policies in place that not only explicitly prohibit the dissemination of knowingly false information, but that also require some form of verification before sharing certain market-related news with clients and prospective clients. 

Hacking to Obtain Material Nonpublic Information

The SEC’s new enforcement unit will be on the lookout for hackers that infiltrate broker-dealers and investment advisors to trade on nonpublic information or try to manipulate the market, something from which even the SEC is not immune.5 While firms are victims of a cyberattack, the SEC may nonetheless bring “strict liability” enforcement actions against them if they had deficient proactive policies or procedures in place. While not a market manipulation case per se, in September 2015 the SEC brought an enforcement action against an investment adviser that had been breached, compromising the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients (although there was no evidence that any of the information was used).6 The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure security of 100,000 individuals’ personally identifiable information. The “Safeguards Rule” in Rule 30(a) of Regulation S-P requires certain policies and procedures for financial institutions to put into place to ensure confidentiality of their client’s information.7 Similarly, in April 2016, the SEC brought an action against a dually registered broker-dealer/investment adviser that had an employee impermissibly access and transfer data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.8 The SEC alleged that the firm failed to adopt written policies and procedures reasonably designed to ensure the security of customer records and information.

Accordingly, to try to avoid future enforcement actions, broker-dealers and investment advisors may want to focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year.

Violations Involving Distributed Ledger Technology and Initial Coin Offerings

The SEC is signaling that it will not allow distributed ledger technology (DLT) or cryptocurrency to be used in a way that evades regulations, results in market manipulation, or is used to perpetrate frauds on investors. Unlike China, which has outright banned cryptocurrency—a move that has further a black market of cryptocurrency trading9—the SEC is indicating more of a desire to focus on regulating it. 

On September 29, for example, the SEC brought its first enforcement action involving two Initial Coin Offerings (ICOs) for “defrauding investors” by selling these “unregistered securities” purportedly backed by investments in real estate and diamonds.10  

At this juncture, however, it remains unclear whether the SEC will mandate that all or some ICOs be registered as securities.

Misconduct Perpetrated Using the Dark Web

As part of its effort to keep up with the rapidly evolving techniques to engage in insider training and market manipulation, the SEC is now putting potential bad actors on notice that it will be shining the light on the so-called dark web, where bad actors have traditionally gone to anonymously buy and sell improperly obtained information and tools to conduct nefarious cyber activity. Therefore, if firms are not periodically—either themselves or through third parties—monitoring the dark web for stolen firm information that could impact their business or clients, it is possible that the SEC may focus on that failure. 

Intrusions Into Retail Brokerage Accounts

The SEC is also calling out the practice of hacking retail brokerage accounts to manipulate markets. By making certain trades, the hacker can try to inflate the prices of holdings that he or she possesses or decrease prices to facilitate successful short selling. In 2016, the SEC charged a man from the UK with breaking into numerous accounts and placing unauthorized trades, ultimately leading to profits within minutes of trading the same stocks within his own account.11 While the broker-dealer was not charged in that case, it is possible that in future cases, the SEC could charge the firm for allowing the hack to take place. 

In another case, a dually registered broker-dealer/investment adviser had experienced a series of computer system security breaches in which an unauthorized person or persons had accessed and traded, or attempted to trade, customer accounts.12 The SEC alleged that the firm had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by Regulation S-P. Thus, broker-dealers and investment advisers may want to consider assessing what the scope of their data is and adopt procedures to attempt to prevent intrusions, and to respond to an intrusion if one takes place.  MORE

Massive spike in deficiencies at smaller RIAs

SEATTLE — Deficiencies found by regulators during their examinations of state-registered RIAs jumped nearly 60% to 7,907 in the first half of the year, and agencies are signaling plans to make advisors accountable for shortcomings in cybersecurity, officials say.

While recordkeeping is the most frequently cited concern among RIAs with $100 million in assets under management or less, the new category of cybersecurity helped drive the growth in deficiencies, according to a survey released this week by the North American Securities Administrators Association.

State securities regulators examined 25 compliance areas, up from 22 in the last study by NASAA in 2015. State-registered RIAs that year showed only 4,983 deficiencies over six months. Regulators at the state level echoed SEC officials’ warnings about cybersecurity and their bulked-up exam capacity.

“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” NASAA Investment Adviser Section chairwoman Andrea Seidt said in a statement released at the group’s conference.  MORE

SEC Sharpens Cybersecurity, Boosts RIA Exams

The SEC has sharpened its focus on cybersecurity in recent days, with its chairman Jay Clayton releasing a statement identifying it as a priority, and announcing by the creation of a cyber unit that will focus on targeting cyber-related misconduct. Additionally, the watchdog will also focus on the fiduciary rule and boost its RIA examination capacity, Clayton has told lawmakers.  MORE

Top 10 companies that phishing attackers impersonated in the first six months of 2017:

Phishing attacks are on the rise, and show no signs of slowing down: Nearly 1.4 million new, unique phishing sites are created each month, according to the Webroot Quarterly Threat Trends Report, released Thursday. In May, this figure reached a high of 2.3 million sites created, the report found.

Today's phishing attacks are highly targeted, sophisticated, and difficult to detect, making them increasingly hard to avoid. The phishing sites being built each day appear to be realistic, and are almost impossible to find using web crawlers, the report stated. And instead of randomly targeting large groups of people, hackers now use social engineering to individualize attacks.

Here are the top 10 companies that phishing attackers impersonated in the first six months of 2017:

1. Google (35%)

2. Chase (15%)

3. Dropbox (13%)

4. PayPal (10%)

5. Facebook (7%)

6. Apple (6%)

7. Yahoo (4%)

8. Wells Fargo (4%)

9. Citi (3%)

10. Adobe (3%)

Users should be wary if they receive an email that appears to be from any of these sources that asks them to click on a link or download a file.  MORE