WSJ The Ins and Outs of Cybersecurity Insurance

Policies are designed to help companies survive major cyberattacks. But knowing exactly what’s covered can be tricky.

The idea of cybersecurity insurance seems, on its face, pretty straightforward: Being hacked not only can disrupt business, it also can be extremely costly and hurt a company’s reputation. Businesses want to protect themselves against those losses.

But in practice, such insurance raises a lot of questions.

There’s no question that cyber insurance is on the rise, though growth in the U.S. slowed last year to 8% from 37% in 2017, according to Fitch Ratings.

These policies are designed to help companies survive major cyberattacks by offsetting the costs of recovery. But knowing exactly what’s covered can be tricky. The cyber insurance category is new, so there isn’t much standardization in the way insurers are determining risk or even defining attacks. Coverage gaps can be created by uninformed choices.

Here are some questions companies need to ask themselves.

What do we need to cover?

Companies first need to determine, with the help of a security specialist if necessary, what their biggest risk areas are and what they stand to lose if they experience an attack. That way, they can fine-tune their coverage as much as possible to fit their particular needs.

Among the areas companies need to assess are reputation damage, data-restoration costs and reimbursement for government regulatory fines in the wake of a data breach.

The National Institute of Standards and Technology, which is part of the U.S. Commerce Department, offers security guidelines that can help companies understand and assess their risk, says Gregory Touhill, a cybersecurity expert from Carnegie Mellon University’s Heinz College who was the first U.S. federal chief information security officer. Knowing what kind of security provisions insurers expect to see from companies also can provide a helpful overview. Cybersecurity insurance applications can be downloaded that show the standard levels of security insurers expect and highlight other potential risk areas.

What’s the difference between first-party and third-party cyber liability insurance?

First-party insurance covers the policyholder’s own direct losses from cyberattacks such as data theft, denial of service and extortion. In addition to compensation for lost income, benefits sometimes include coverage for the cost of various steps companies take in the wake of an attack, such as figuring out how their networks were penetrated, notifying customers affected by an attack, restoration or repair of digital content and public-relations efforts to repair a company’s damaged reputation.

Companies that store customer credit-card information or other sensitive personal data typically buy first-party coverage.

Third-party insurance covers companies that allowed a data breach to occur on a client network. For instance, an IT contractor that was paid to build a secure website for a client could be liable for damages if there was a mistake or oversight that led to a network intrusion. Coverage could include reimbursement for legal fees, settlements, damages in court cases and fines that may be levied by government regulators.

What cyber incidents do insurers typically exclude from coverage?

Most standard cyber policies exclude preventable security failures that result from failing to maintain a minimum level of security—an improperly configured firewall, for example. The careless mishandling of sensitive information by employees generally isn’t covered, and neither are malicious acts by employees or theft of trade secrets or intellectual property.

The most high-profile cyber-related exclusions happened after the 2017 NotPetya ransomware attack that affected companies around the globe. Some companies that filed cyber-related claims under their business and property insurance policies had them denied—in at least one case due to a rarely invoked but commonly included contractual clause that excludes “a hostile or warlike attack” by a state actor. The Central Intelligence Agency attributes NotPetya to the Russian military.

If the breach is the company’s fault, is the insurer always off the hook?

Not always. Many policies cover employee mistakes such as losing a laptop or falling for phishing scams. But every case is open to interpretation, says Brandon Hickey, president of Insureon Brokerage. If an employee accidentally lost a laptop on the train, for instance, that might be covered. But under the same policy, if that employee lost a laptop that contained sensitive information that wasn’t supposed to leave the office, that could be grounds for a claims denial.

How long after a breach occurs does a company have to report it to an insurer?

There’s often a big difference between when the breach occurs and when it is discovered. On average, small businesses don’t discover that their network has been breached for 197 days, according to a survey by the Ponemon Institute. But once a company is aware of an attack, in general, insurance companies ask customers to inform them of any newly discovered cyber loss when practical. Insurers understand that companies will first want to settle immediate priorities such as securing the network against further intrusions.

Although “when practical” doesn’t mean immediately, sitting on the claim for too long might raise a few eyebrows that could affect a company’s settlement, says Bob Parisi, managing director at the Marsh brokerage unit of Marsh & McLennan Cos. It would be unusual for a company to file a claim, say, six months or more after it discovered an intrusion, he says.

An insurer’s requirement for notification could differ from a company’s legal obligations. All 50 states and the District of Columbia have enacted data-breach notification laws that require public and private organizations to notify all customers that are affected by data loss. Reporting times vary by state, but Colorado and Florida, for instance, have 30-day deadlines from the date of discovery, the shortest allowance for any state.

How do insurers price cyber insurance?

Pricing is based mainly on a company’s annual revenue—since more income amounts to higher risk exposure—and what industry it is in. The insurer wants to find out what sensitive data the company keeps that would make it a target to cyber criminals. A hospital would be more expensive to cover than a library, since the hospital stores a lot of patient medical records. Patient records are protected by strict state and federal privacy rules, so companies that expose that data could be subject to multimillion-dollar fines.

How much network security a company has can also influence premiums. Insurance companies will often ask applicants to detail what kind of security they have during the application process, such as whether employees have been trained to recognize cyber fraud or whether company software is routinely updated. Insurers also want to know how frequently companies change their passwords and how much network access third-party vendors and service providers have. They may also ask whether a company has had a third-party audit of its systems or has engaged an external penetration tester (so-called ethical hacking) to root out any network weaknesses.

Protecting client data is an ongoing obligation

Firms must perform due diligence on prospective providers

Redtail Technology's recent data leak is a reminder of the weighty responsibilities financial advisory firms face when it comes to cybersecurity. Redtail's customer relationship management system contained data about clients of advisory firms that use the CRM. When some of that information was inadvertently exposed, Redtail's problem also became the problem of the advisers who relied on its CRM.

The Redtail leak can't be blamed on hackers. The company captured personal information about advisory firm clients on an internal file, called a log file, that serves as a record for software developers, and that file was accessible via the internet.

It's becoming common for personal information to get an airing. Earlier this year, BlackRock exposed the data of about 20,000 financial advisers who used the company's iShares ETFs — advisers from firms including LPL Financial and Axa Equitable. Voya Financial Advisors also had a glitch on a page of adviser bios on its website that had the potential to expose advisers' Social Security numbers.

A recent report from Aite Group suggests the problem is widespread. The report looked at 30 mobile apps from various types of financial services firms and found vulnerabilities in 29 of them.

Assessing and monitoring the cybersecurity practices of their technology providers may seem far outside the comfort zone of financial advisers, but regulators have made it clear that advisory firms need to be on the case.

And they're stepping up enforcement to ensure firms do so. The Securities and Exchange Commission cited cybersecurity as one of its examination priorities this year, and the $1 million fine the agency imposed on Voya Advisors last fall, after hackers gained access to the personal information of thousands of its customers, was seen as a signal that the SEC is cracking down in this area.

A $50,000 fine the Financial Industry Regulatory Authority Inc. imposed on a small broker-dealer last year for having lax procedures that let hackers transfer money out of customers' accounts also was viewed as a warning to the industry.

Late last year, Finra updated its cybersecurity guidelines to include such topics as how to combat phishing attacks and mitigate insider threats.

So what's an advisory firm to do?

Finra guidelines for advisory firms using third-party vendors say firms should perform due diligence on prospective providers before they sign on the dotted line. Contracts should cover such topics as how the firm's information will be stored and transmitted, the vendor's obligations in the event of a breach and limitations on the vendor's employees' access to data.

Once the firm has hired a vendor, it must continue to monitor their efforts. And if a firm terminates the relationship, it should ensure that the vendor deletes all the data it had. Finra also notes that an advisory firm's risk assessments should include all of its vendors' systems and processes.

Last month, the North American Securities Administrators Association came out with a model rule that would require firms to have written policies and procedures in place regarding cybersecurity to protect client information.

Just discussing the work entailed in vetting fintech providers and preparing an advisory firm internally is enough to arouse nostalgia for the Underwriters Laboratories seal of approval on household electronics. If only it were that easy.

But when clients trust firms with their personal information, advisers must repay that trust by doing the work it takes to ensure the safety of that data.

The Best Way to Prepare for a Data Security Audit

At the New York Junior League’s “Technology Talk: Data Security in the Nonprofit Environment,” Lena Licata, a director in EisnerAmper's Process, Risk, and Technology Solutions (PRTS) and Rhina Brito, a senior in PRTS, discussed how firms can prepare for a data security audit, addressing policies and procedures to have in place, how top-level management needs to set the tone, having the appropriate vendor risk management (VRM), how to perform a risk assessment using a framework such as the NIST Framework and finally, how to handle a breach.

Here are a few takeaways the duo mentioned relating to the above-mentioned points.

Policies & Procedures

  • Policies should come from top-level management, and be ‘built-to-last’ regardless of minor business changes.

  • Procedures should include step-by-step instructions.

  • Policies and procedures should be kept in an accessible place and also be kept simple.

  • Examples include Information Security Policy, Privileged User Policy, End User Compliance Policy and more.

Setting the ‘Tone at the Top’

  • An organization’s ‘tone’ is set by top-level management and leadership. It is paramount that they practice ethical behavior and set an example for their employees to follow.

Vendor Risk Management

  • VRM relates to how companies manage relationships with external parties they do business with.

  • It is imperative companies control vendor access to their systems and information.

  • Companies should protect information assets by assigning IT security to specifically monitor their activities when accessing network and hardware (i.e., hard drives) and, further, consider having an IT Risk Assessment performed that evaluates the controls and safeguards the vendor has in place to ensure that information assets are protected from unauthorized access.

  • VRM is a five-step process in which companies: 1) identify the risk sources a vendor can pose; 2) define risk assessment policies for vendors; 3) assess vendor risk; 4) remediate issues by working with critical vendors to ensure remediation; and 5) maintain continued vendor compliance through scheduled periodic assessments.

NIST Cybersecurity Framework

  • Companies can perform a cybersecurity risk assessment using this Framework, which consists of five functions: 1) identify, 2) protect, 3) detect, 4) respond and 5) recover, covering what companies must do in case they fall victim to a cyberattack.

How to Handle a Breach

  • If companies fall victim to a breach, they need to stop the bleeding and find out where the points of entry occurred.

  • In addition, companies need to investigate what was accessed and compromised over how great a period of time.

    By Elana Margulies-Snyderman

NASAA Members Adopt Investment Adviser Information Security Model Rule Package

WASHINGTON, D.C. (May 21, 2019) – In a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers, the North American Securities Administrators Association (NASAA) today announced that its membership has voted to adopt an information security model rule package.

“The new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. I am pleased that the NASAA membership adopted this information security model rule package, which now is available for individual jurisdictions throughout the United States to implement through regulation,” said Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation.

“Through this model rule package, NASAA seeks to highlight the importance of data privacy and security in our financial markets along with the related need for investment advisers to have information security policies and procedures,” Pieciak said. “The package also provides a basic structure for how state-registered investment advisers may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices.”

“The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses. This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two person shops,” said Andrea Seidt, Ohio Securities Commissioner and chair of NASAA’s Investment Adviser Section.


(a) Physical Security and Cybersecurity Policies and Procedures. Every investment adviser registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information.

The policies and procedures must be tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.

(1) The physical security and cybersecurity policies and procedures must:

  • (A) Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

  • (B) Ensure that the investment adviser safeguards confidential client records and information; and

  • (C) Protect any records and information the release of which could result in harm or inconvenience to any client.

(2) The physical security and cybersecurity policies and procedures must cover at least five functions:

  • (A) Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities;

  • (B) Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;

  • (C) Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;

  • (D) Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and

  • (E) Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

(3) Maintenance. The investment adviser must review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.

Privacy Policy. The investment adviser must deliver upon the investment adviser’s engagement by a client, and on an annual basis thereafter, a privacy policy to each client that is reasonably designed to aid in the client’s understanding of how the investment adviser collects and shares, to the extent permitted by state and federal law, non-public personal information. The investment adviser must promptly update and deliver to each client an amended privacy policy if any of the information in the policy becomes inaccurate.

State regulators release model cybersecurity rule

State securities regulators released a model cybersecurity rule package Tuesday, offering a regulatory framework that states can adopt to bolster protection of client data.

Under the model proposed by the North American Securities Administrators Association, state-registered investment advisers would have to establish written physical and cybersecurity policies and procedures designed to safeguard clients' records and information.

Advisers' policies must cover five functions — identifying, protecting, detecting, responding and recovering. In addition, advisers must review their cybersecurity policy annually and deliver it to clients.

Other parts of the rule package include an amendment to existing model record-keeping requirements and updates to NASAA's lists of unethical business practices and prohibited conduct to include cybersecurity safeguard failures.

Cyber Liability Policies – Who Needs Them?

Cyber insurance appears to still be a mystery, although the first cyber liability policies appeared 20 years ago. What is covered? What is excluded? Why does the customer need it? Does the customer need it? All of these questions and more come to mind when we consider cyber liability.

One of the struggles comes from the fact that the policy forms are different from each other, and we don’t really know what’s in the forms. They look so different and don’t have the names that we’re used to.

Let’s look at a few coverages in a cyber liability policy that you should verify for your customer. As you know, you need to look at the policies that you’re dealing with to find out what’s covered for your customer. This might give you some direction as you have conversations centered on your cyber liability policies.

Privacy Regulatory Claims Coverage

“We” shall pay on “Your” behalf “Regulatory Fines,” “Consumer Redress Funds” and “Claim Expenses” that “You” become legally obligated to pay in excess of the applicable retention resulting from a “Regulatory Claim” first made against “You” and reported to “Us” during the “Policy Period” or “Extended Reporting Period,” arising out of a “Privacy Wrongful Act” occurring after the “Retroactive Date” and before the end of the “Policy Period.”

Can you imagine getting a call from a customer saying that not only did they suffer a data breach, but now a regulatory body called them, and they plan to levy some fines or penalties against them? This coverage is designed to pick up these expenses.

You see several defined terms here (because you already expect that every word in an insurance policy in quotation marks is defined in the policy). These defined terms will help us to understand what is covered by this coverage. This coverage applies to three distinct areas of financial responsibility.

“Regulatory Fines” means fines, penalties or sanctions awarded for a violation of any “Privacy Regulation”.

“Consumer Redress Funds” means any sums of money “You” are legally required to deposit in a fund for the payment of consumers due to a settlement of, or an adverse judgment in, a “Regulatory Claim.”

“Claims Expenses” means … We didn’t give the whole definition for claims expenses because it’s more important to realize that this is included in the coverage. Watch this language. In case you missed it as quoted, go back and read it. The paragraph listed “regulatory fines,” “consumer redress funds” and “claims expenses” within this coverage. Expenses are within the policy limits. That means that every dollar spent in investigation, adjusting, settling or defense comes out of what’s available to indemnify the customer.

The other two items covered here are meant to provide funds when a regulator deems the customer to have violated any regulation ‘… requiring “You” to limit or control the collection, use of, or access to, “Private Information” …’; in that case, this coverage picks up the costs as defined in the policy. You’ll notice that the costs include the fees, fines or penalties that the regulator assesses. You’ve likely also noticed that there is no mention of which regulator has to levy the fines. There aren’t those kinds of boundaries online: your customers could have customers all over the world, so the regulator might not even be local to the insured.

They also include any sums that a settlement or judgment requires to be set aside for the satisfaction of injuries to the affected consumers. Why not simply pay the consumers affected by the breach? In these cases, the insured may not know immediately who was affected. You’ve seen stories where millions of users’ data was compromised. Those companies didn’t know whose data was compromised or what the impact of the compromise was. In truth, the injured parties may not know there is an issue for months or years down the road.

Let’s look at one more critical coverage in this policy.

Cyber Extortion

“We” shall reimburse “You” for the “Cyber-Extortion Expenses and Cyber-Extortion Payments” that “You” actually pay in excess of the applicable retention directly resulting from a “Cyber-Extortion Threat” that “You” first receive and report to “Us” as soon as practicable during the “Policy Period.”

We live in a time when someone can email your company and infect your entire network with ransomware. If you’re not aware, ransomware is a nasty little bit of computer magic that is described in the policy.

“Cyber-Extortion Threat” means a credible threat or connected series of threats made by someone other than a member of the “Control Group”:

  • To introduce “Malicious Code” into “Your” “Computer System;”

  • To interrupt “Your” “Computer System” or interrupt access to “Your” “Computer System,” such as through a “Denial of Service Attack;”

  • To corrupt, damage or destroy “Your” “Computer System;” or

  • To disseminate, divulge or improperly utilize any “Private Information” on “Your” “Computer Systems” taken as a result of a “Network Disruption.”

You’ll note that the only notice requirement is to let the company know as soon as practicable. They recognize that the need for coverage may be identified in short order before the event occurs. The insured might be contacted about a possible event and have only a short time before it occurs. Of course, you see that this definition is full of defined terms in the policy. Without diving into all of the specifics of this policy, you can see that the intent is to provide coverage when something bad is getting ready to happen (or already happened) to an insured’s computer system.

It’s also important to note that the payment is for “cyber-extortion expenses” and “cyber-extortion payments” that have been incurred. We would learn in the definitions of those phrases that the company maintains the right to approve the expenses before they are incurred. Paying attention to those kinds of details is the difference between a claim being fully paid quickly and fully denied quickly.

There are more coverages within this policy, including security breach response, security liability, privacy liability and business income. We come back to one of the original questions. Who needs a cyber policy? The answer simply is anyone that has a cyber exposure. Who has a cyber exposure? Any organization that has computers connected to the internet and to each other. This particular policy also includes coverage if the company’s employees’ data is compromised. What company today doesn’t have some employee data on its network?

The cybersecurity defense advisors forget

LAS VEGAS — Wealth management firms are overlooking a crucial line of defense when it comes to cybersecurity: their own employees.

“Criminals will always go for the humans first, and we as businesses tend to fund the training of our humans last,” said John Sileo, CEO of Sileo Group, a data security think tank, at the Investments & Wealth Institute’s annual conference.

More than half of RIAs say cybersecurity was their biggest area of technology expenses last year, according to TD Ameritrade’s 2019 RIA Sentiment Survey.

But while advisors spend big bucks on technology, they may not be investing enough in arming their employees with the skills to recognize cyberattacks and wire fraud attempts.

“We’ve got to train our people to have a moment of skepticism — when they slow down, ask some questions and think through this,” said Sileo.

Many hackers use “spear-phishing” tactics — emailing a target ostensibly from a known sender after obtaining personal information that makes the ruse more believable. The phishers obtain this personal information by mining Facebook profiles, among other tactics.

Sileo noted one tech firm that fell prey to wire fraud after a hacker impersonated an employee. The finance department at the company, Ubiquiti Networks, erroneously transferred $46.7 million out of its accounts in 2015 as a result of the fraud, according to an earnings report.

Cautionary tales like this, Sileo said, point to the necessity of investing in training so that staff is immediately skeptical and on the lookout for this sort of employee impersonation or any type of fraudulent request.

“Ninety-nine percent of the people inside your organization don’t know the simplest tool of detecting phishing,” Sileo said, noting that most employees fail to hover their mouse over links inside an email, which would reveal suspicious links or web addresses from other countries.

Firms also need to ensure their advisors and clients have two-factor authentication. “That takes cloud and account hacking so low it becomes almost insignificant,” Sileo said.

In order to train firm employees, advisors need to be strategic. “When you teach your employees in terms of layered security they fall asleep,” Sileo said, noting the importance of using real-life scenarios.

Incentives can work as well. “Reward your staff for not having a phishing incident,” Sileo said. “You’ve got to have it tied to positive metrics.”

Cybersecurity is not a one-time spend, according to Sileo.

“You should not be ignoring [cybersecurity], even if you spent the whole last year thinking about it. You have to constantly be thinking about what you are doing.”

Advisors should also see this heightened awareness about cybercrime as an opportunity to add value to client relationships, Sileo said, noting that clients face the same issues and similar cyberattacks.

“Using this information to deepen client relationships is one of the best practices I have seen,” Sileo said, adding that security is one of the most-requested education topics in the financial services industry. “They trust you more than they do their bankers, their credit cards and so forth. It’s a better source when it comes from you.”

Even if advisors don’t discuss the topic with clients, they need to recognize what could be at stake.

“When you are handling that wealth and personal information of your clients, you have to treat it like it’s your own and take it personally,” Sileo said.

United States: New SEC Privacy And Cybersecurity Risk Alert Tells Broker Dealers And Investment Advisers Common Deficiencies To Avoid

Our Take - Morrison Foerster

Like prior OCIE risk alerts, this Risk Alert provides a road map for registered investment advisers and broker dealers to follow when developing or evaluating their data privacy and cybersecurity procedures. They now have additional insight as to the types of issues that OCIE staff will look for when conducting an examination. The Risk Alert also provides registrants, their CCOs and counsel with the raw materials to develop a thorough review program for a firm’s data privacy and cybersecurity policies and procedures. CCOs and compliance staff should ensure that their annual compliance reviews are updated to reflect these issues and should consult with counsel to help evaluate their written policies and procedures, and their implementation of them, in light of OCIE’s findings.

The SEC’s new Risk Alert provides valuable insight as to what the OCIE wants to see broker dealers and investment advisers accomplish with their privacy notices and their cybersecurity policies and procedures. The SEC wants this written documentation to be comprehensive, to accurately reflect the registrant’s practices, and to be implemented effectively throughout their business. Broker dealers and investment advisers can, and should, use this Risk Alert to benchmark their own specific practices against the SEC’s expectations.

In the April 16, 2019 Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) outlines privacy and cybersecurity compliance issues identified in their examinations of broker dealers and investment advisers over the last two years. They found that broker dealers and investment advisers did not have privacy notices that were both accurate and met Regulation S-P’s requirements. The procedures that were in place did not adequately protect customers’ nonpublic financial information in several specific ways. And registrants’ written policies and procedures were not customized for their business, did not comprehensively address cybersecurity and did not accurately reflect their practices.

The key takeaway by the OCIE is that registrants should review their written policies and procedures, including their actual implementation of them. In light of this, we recommend that broker dealers and investment advisers benchmark their privacy and cybersecurity written policies, and their implementation of such policies, against the SEC’s expectations set forth in the Risk Alert as well as the SEC’s various guidance on cybersecurity published since its first cybersecurity risk alert in 2014. This can be approached efficiently using a questionnaire that is designed with the SEC’s stated expectations in mind.

Compliance Deficiencies

The following are common deficiencies that the OCIE reported in its April 2019 Risk Alert. Broker dealers and investment advisers should review each of these, and evaluate whether their own practices in these areas are sound:

  • Personal devices. Policies and procedures were not reasonably designed to safeguard customer information stored by employees on their personal devices.

  • Encryption of email. Policies and procedures did not address the inclusion of customer personally identifiable information (PII) in electronic communications, in particular the encryption of emails that contain PII.

  • Employee training. Failure to provide adequate training to employees on transmitting customer information in an encrypted, password-protected format, and failure to monitor whether employees were actually following such policies.

  • Data loss controls. Failure to adopt policies and procedures prohibiting employees from sending customer PII to unsecured locations outside the firm’s network.

  • Third-party vendors. Failure to contractually bind outside vendors to protect customer information appropriately.

  • Inventorying. Failure to inventory all systems on which customer PII is maintained.

  • Data breach response. Incident response plans did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

  • Physical storage of PII. Storage of customer PII in unsecured physical locations, such as unlocked file cabinets in open offices.

  • Need to Know. Dissemination of customer login credentials to employees who did not have a legitimate need to have them.

  • Departing employees. Failure to terminate system access of former firm employees.

SEC & FINRA: Shared Regulatory Priorities for 2019

Each year, both the United States Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) issue guidance concerning their regulatory priorities for the coming year. FINRA's 2019 Annual Regulatory and Examination Priorities Letter can be found here, and the SEC Office of Compliance Inspections and Examinations (OCIE)'s 2019 National Exam Program Examination Priorities can be found here.

Set forth below are topics on which the SEC's and FINRA's concerns overlap. Notably, FINRA took a unique approach this year in that its letter begins with materially new topics, then discusses areas of ongoing concern, with an emphasis on aspects of those topics not covered in prior letters. Unlike in previous years, FINRA declined to use its priorities letter to repeat topics that have been "mainstays" of its focus over the years. The SEC also took a new approach, emphasizing how it increasingly leverages technology and data analytics to fulfill its mission and citing its recently adopted Strategic Plan, which reiterates the importance of examinations to bolster regulatory requirements and protect investors.

This year, both of the annual priorities letters address a large number of diverse topics. Accordingly, in order to provide additional insight into the evolution of the SEC's and FINRA's regulatory and examination priorities, we have prepared detailed comparisons of FINRA's priorities between 2007 and 2019 and the SEC's priorities between 2013 and 2019. The comparison of the SEC's priorities is available here. The comparison of FINRA's priorities is available here.

Cybersecurity: The SEC places a particular emphasis on cybersecurity this year and states that it will continue to prioritize cybersecurity in each of its five examination programs. Specific to investment advisers, the SEC will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers. The SEC will also continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, and incident response.

FINRA also retains its emphasis on cybersecurity, although it does so primarily through its focus on regulatory technology or "RegTech." FINRA will engage with firms to understand how they are using a variety of innovative RegTech tools to make their compliance efforts more efficient and how they are addressing related risks, challenges, or regulatory concerns, including supervision and governance systems, third-party vendor management, safeguarding customer data and cybersecurity.

SEC Issues Privacy and Data Security Risk Alert

Thursday, April 18, 2019

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. The alert reminds advisers and broker-dealers of their obligations under Regulation S-P to provide compliant privacy and opt-out notices and to adopt and implement effective policies and procedures for safeguarding customer records and information.

Privacy Notices. During the examinations, OCIE observed advisors and broker-dealers were not providing initial privacy notices, annual privacy notices and opt-out notices to their customers. When these notices were provided, many did not accurately reflect firms’ policies and procedures and/or notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties. OCIE’s risk alert, thus, reminds advisors and broker-dealers that Regulation S-P requires that they:

  • provide a clear and conspicuous notice to customers that accurately reflects privacy policies and practices generally no later than when a customer relationship is established,

  • provide a similar notice not less than annually during the continuation of the customer relationship, and

  • deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.

Written Policies and Procedures to Safeguard Customer Information. OCIE also observed during these examinations that some advisors and broker-dealers had not adopted written policies and procedures as required under the Safeguards Rule. According to the risk alert, some firms simply:

restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards.

And, other policies

contained numerous blank spaces designed to be filled in by registrants.

Given the OCIE’s observations, purchasing sample privacy and data security policies and procedures, perhaps online, and doing nothing more would likely be inconsistent with Regulation S-P. Data security compliance is more than simply having a policy document. OCIE explained that written policies and procedures under Regulation S-P must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Thus, the general approach for advisors and broker-dealers should be to assess the threats and vulnerabilities to customer records and information, and then craft administrative, physical, and technical policies and procedures that address those specific threats and vulnerabilities.

OCIE also detailed data security practices that it found troubling under Regulation S-P. Examples include:

  • Personal devices – employees storing and maintaining customer information on their personal laptops without policies and procedures addressing how to protect the information on those devices.

  • Electronic communications – the absence of policies designed to prevent employees from regularly sending unencrypted emails to customers containing PII.

  • Training and monitoring – a lack of training for employees about encryption, password protection, and transmission of PII through company-approved methods.

  • Outside vendors – advisors and broker-dealers maintaining policies that required outside vendors to contractually agree to keep customers’ PII confidential, but not following their own policies.

  • PII inventory – not maintaining an inventory of all systems on which PII is maintained, leaving advisors and broker-dealers unaware of the categories of customer PII they hold and limiting their ability to adequately safeguard customer information.

  • Incident response plans – plans failed to address role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

  • Departed employees – former employees of advisors and broker-dealers retained access rights to restricted customer information after termination of employment.
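The "departed employees", "need to know" and "PII inventory" deficiencies above (and the matching items in the earlier Compliance Deficiencies list) are the kind of gap that is easiest to find by reconciling data the firm already has. The following is an added example, not code from OCIE, the SEC or any of the firms quoted on this page: it reconciles a constructed HR roster against constructed per-system account exports and a constructed PII system inventory, and reports enabled accounts whose owner has left (optionally after a grace window), accounts used after the owner's termination date, enabled accounts with no employee of record, and systems that have accounts but are missing from the PII inventory. Every identifier, date and column layout below is hypothetical; a real run would read these from the HR system and each application's own account export.

```python
"""Orphaned-access reconciliation: HR roster vs. per-system account exports.

Added example with constructed, hypothetical data; not from any regulator or firm.
"""
from datetime import date, timedelta
from typing import Dict, List, NamedTuple, Optional, Tuple


class Finding(NamedTuple):
    system: str
    account: str
    reason: str   # orphaned | post-termination-login | no-hr-owner | not-in-inventory
    detail: str


# Constructed HR roster (hypothetical): employee id -> (status, termination date or None)
HR_ROSTER: Dict[str, Tuple[str, Optional[date]]] = {
    "e1001": ("active", None),
    "e1002": ("terminated", date(2019, 3, 1)),
    "e1003": ("terminated", date(2019, 4, 10)),
}

# Constructed per-system account exports (hypothetical):
# (account name, owner employee id or None, enabled, last login)
ACCOUNT_EXPORTS: Dict[str, List[Tuple[str, Optional[str], bool, date]]] = {
    "crm": [
        ("jdoe", "e1001", True, date(2019, 4, 15)),
        ("asmith", "e1002", True, date(2019, 3, 20)),   # owner left 2019-03-01; still enabled and used
    ],
    "custodian-portal": [
        ("asmith", "e1002", False, date(2019, 2, 27)),  # disabled on departure: nothing to report
        ("bjones", "e1003", True, date(2019, 4, 14)),   # left 2019-04-10; still inside grace window
        ("svc-backup", None, True, date(2019, 4, 1)),   # no owner of record in HR
    ],
    "file-share": [
        ("jdoe", "e1001", True, date(2019, 4, 12)),     # system absent from the PII inventory
    ],
}

# Systems the firm's PII inventory lists as holding customer records (constructed).
PII_INVENTORY = {"crm", "custodian-portal"}


def reconcile(hr, exports, inventory, as_of, grace_days=7) -> List[Finding]:
    """Compare account exports against the HR roster and the PII inventory.

    Disabled accounts are the desired end state and produce no finding. An enabled
    account owned by a terminated employee is reported as 'orphaned' once the
    termination date plus grace_days has passed, and separately as
    'post-termination-login' whenever its last login is after the termination date.
    """
    findings: List[Finding] = []
    for system, accounts in exports.items():
        if system not in inventory:
            findings.append(Finding(system, "*", "not-in-inventory",
                                    "accounts exported from a system the PII inventory does not list"))
        for account, owner, enabled, last_login in accounts:
            if not enabled:
                continue
            if owner is None or owner not in hr:
                findings.append(Finding(system, account, "no-hr-owner",
                                        "enabled account with no employee of record"))
                continue
            status, term_date = hr[owner]
            if status != "terminated":
                continue
            if last_login > term_date:
                findings.append(Finding(system, account, "post-termination-login",
                                        f"owner {owner} left {term_date}; last login {last_login}"))
            if as_of > term_date + timedelta(days=grace_days):
                days = (as_of - term_date).days
                findings.append(Finding(system, account, "orphaned",
                                        f"owner {owner} left {term_date}; still enabled {days} days later"))
    return findings


def example_findings() -> List[Finding]:
    """Run the reconciliation over the constructed data as of a fixed date."""
    return reconcile(HR_ROSTER, ACCOUNT_EXPORTS, PII_INVENTORY, as_of=date(2019, 4, 16))


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.system:17} {f.account:12} {f.reason:24} {f.detail}")
```

The grace window exists because most firms cannot disable every account at the minute of departure; the point of the check is that the window is explicit and measured, rather than discovered by an examiner. Accounts with no employee of record (service accounts, shared logins) are reported separately because they are exactly the credentials that end up disseminated beyond the people who need them.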

Many of the observations noted above are common gaps in data security policies and procedures, particularly for small and medium-sized enterprises in any industry. For advisors and broker-dealers, the consequences of compliance lapses can include data breaches, enhanced scrutiny by the SEC and OCIE, and reputational harm. Thus, as OCIE suggests following its recent examinations, advisors and broker-dealers should review and update, as needed, their written policies and procedures to mitigate the issues identified by OCIE staff.

Jackson Lewis P.C. © 2019

NASAA Proposes Investment Adviser Model Cybersecurity Rule

On September 23, 2018, the North American Securities Administrators Association, Inc. (“NASAA”) released a proposed model rule for state-registered investment advisers (“state RIAs”) that would impose new information security and privacy requirements (the “Cyber Proposal”).1 NASAA intends the Cyber Proposal to provide state RIAs with a basic structure for implementing information security policies, procedures and practices and to create uniformity in state regulation of investment adviser cybersecurity.

The Cyber Proposal is intended to build on existing NASAA cybersecurity efforts, such as the 2017 release of a security checklist to help state RIAs identify and remediate cybersecurity vulnerabilities.2

This Legal Update (i) describes the relevant scope of the Cyber Proposal, (ii) explains its substantive requirements, and (iii) highlights some takeaways for the investment adviser industry.

Scope
The Cyber Proposal is a proposed model rule, meaning that, even if it is adopted by NASAA, it will not be binding on any state RIAs unless and until state securities administrators formally adopt it through state administrative rulemakings. Additionally, the Cyber Proposal applies to state RIAs and generally would not apply to federally-registered investment advisers (“federal RIAs”), which are exempt from state registration under the National Securities Markets Improvement Act of 1996’s amendments to the Investment Advisers Act of 1940. However, as discussed below, the Cyber Proposal also would amend the model rules for unethical business practices and prohibited conduct, which apply to federal RIAs.  

Substantive Requirements

The Cyber Proposal has three components: (1) a new model information security and privacy rule that would require state RIAs to adopt policies and procedures, (2) an amendment to the existing model recordkeeping rule and (3) an amendment to the model unethical business practices and prohibited conduct rules (collectively, “UBP Model Rules”).

Information Security and Privacy Rule. The proposed model information security and privacy rule would contain two parts addressing (a) the implementation of Physical Security and Cybersecurity Policies and Procedures and (b) the delivery of a Privacy Policy. 

Physical Security and Cybersecurity Policies and Procedures: This part is based on longstanding information security concepts from the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguard Rules3 and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and is not intended to create a new cybersecurity protocol. 

Under this part, a state RIA would be required to establish, implement, update and enforce reasonably designed, written physical security and cybersecurity policies and procedures to ensure the confidentiality, integrity and availability of physical and electronic records and information.

Consistent with the Securities and Exchange Commission’s (“SEC”) Reg. S-P, the Cyber Proposal would require a state RIA’s policies and procedures to:

  • Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

  • Ensure that the investment adviser safeguards confidential client records and information; and

  • Protect any records and information the release of which could result in harm or inconvenience to any client.

The Cyber Proposal also would require the state RIA’s policies and procedures to cover the five cybersecurity functions from the Cybersecurity Framework. These functions are: 

  • Identify. Develop the organizational understanding to manage information security risk to systems, assets, data and capabilities; 

  • Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;

  • Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event; 

  • Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and 

  • Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

A state RIA would need to review and update these policies and procedures at least annually.

Privacy Policy Practices. This part would require a state RIA to deliver a copy of its privacy policy at onboarding and thereafter as it is updated, but at least annually.4

Amended Recordkeeping Requirement. The amendments to the model recordkeeping rule would require that state RIAs maintain copies of their policies and procedures and other compliance records related to the Information Security and Privacy Rule discussed above. The Cyber Proposal would expressly require that state RIAs maintain hard copies of their current policies and procedures to mitigate information security risks.

Amended UBP Model Rules. The proposed amendment to the UBP Model Rules would clarify that a failure to establish, maintain and enforce a required policy or procedure would be an unethical business practice and prohibited conduct. This amendment is intended to cover supervision and business continuity in addition to the required policies and procedures.

Given that the UBP Model Rules apply to federal RIAs, it is unclear why NASAA would include this amendment in the Cyber Proposal, which generally would not apply to federal RIAs. It is possible that NASAA is seeking to create an avenue for state securities administrators to take action against federal RIAs that lack cybersecurity policies or that the amended UBP Model Rules may be used to target non-compliance with the policies and procedures requirements of the SEC’s Safeguards Rule.

Takeaways
As noted above, the Cyber Proposal represents a significant effort by NASAA to develop cyber guidance and preparation standards for small advisory firms. However, because the Cyber Proposal is only a model rule, the versions adopted in each state may vary. 

Additionally, it is unclear how the Cyber Proposal will interact with other cybersecurity requirements, such as Colorado’s and Vermont’s cybersecurity regulations for broker-dealers and state RIAs providing services in those states or Massachusetts’s generally applicable cybersecurity regulation.5 State RIAs doing business in those states may need multiple variations of cybersecurity policy or to adopt the most restrictive requirements and apply them across all states.

1 NASAA, Request for Public Comment Regarding a Proposed IA Model Rule for Information Security and Privacy Under the Uniform Securities Acts of 1956 and 2002 (Sept. 23, 2018). The text of the Cyber Proposal is available at and public comments on the proposal are available at

2 NASAA, NASAA Releases Cybersecurity Checklist for RIA firms (Oct. 17, 2017); NASAA, Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity (Mar. 27, 2018). 

3 Specifically, the Cyber Proposal would implement concepts from the versions of the Safeguard Rules that have been promulgated by the Federal Trade Commission (“FTC”) and the Securities and Exchange Commission. However, the Cyber Proposal uses, but does not define, the term “client”, and it is unclear if NASAA intends for the Cyber Proposal to cover clients who would not be “customers” under GLBA.

4 NASAA recognized that an annual delivery requirement diverges from the requirements of GLBA but asserted that “privacy policies contain important information, and advisory clients should receive a copy of their investment adviser’s privacy policy every year.” 

5 See Colo. Code Regs. §§ 704-1:51-4.8, 4.14; 4-4 Vt. Code R. § 8:8-4; Mass. Gen. Laws ch. 93H, §§ 1 to 6, 175I, §§ 1 to 22; 201 Mass. Code Regs. 17.00 to 17.05.

Jeffrey P. Taft

Adam D. Kanter

Matthew Bisanz

Nicholas McCoy

Industry Regulator Issues Cybersecurity Guidance

Borden Ladner Gervais LLP

The Financial Industry Regulatory Authority (FINRA) is an independent, self-regulatory organization for broker-dealer firms doing business in the United States. FINRA is authorized by the United States Congress to protect American investors by making sure the broker-dealer industry operates fairly and honestly.

In 2015, FINRA issued a Report on Cybersecurity Practices to provide information about the following practices that broker-dealer firms should consider to strengthen their cybersecurity programs: (1) cybersecurity governance and risk management; (2) cybersecurity risk assessment; (3) technical controls; (4) incident response planning; (5) vendor management; (6) staff training; (7) cyber intelligence and information sharing; and (8) cyber insurance. The report explained FINRA’s expectation that broker-dealer firms would make cybersecurity a priority and would devote sufficient resources to understanding and preparing for current and evolving cybersecurity threats. 

In 2016, FINRA published a Checklist for a Small Firm’s Cybersecurity Program to help small broker-dealer firms with limited resources establish a cybersecurity program. The checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices (2015), and references the SANS Critical Security Controls for Effective Cyber Defense.

The 2018 Report

FINRA’s Report on Selected Cybersecurity Practices – 2018 presents FINRA’s recommendations for effective practices regarding five important cybersecurity topics: (1) cybersecurity controls in branch offices; (2) phishing attacks; (3) insider threats; (4) penetration-testing programs; and (5) mobile devices. The Report reminds firms that the recommended practices should be part of a holistic cybersecurity program, as discussed in FINRA’s 2015 Report on Cybersecurity Practices. The Report also provides a list of core cybersecurity controls for small broker-dealer firms to be used in conjunction with FINRA’s Checklist for a Small Firm’s Cybersecurity Program. Following is a summary of some of the key recommendations in the Report.

Branch Controls 

The Report explains that effective cybersecurity controls in branch offices are especially important for firms with decentralized business models. The Report details four practices for addressing cybersecurity risks at branch offices: (1) develop comprehensive and easily referenced written supervisory procedures to define minimum cybersecurity requirements and to formalize oversight of branch offices; (2) create inventories of branch-level data, software and hardware assets, and related third party services, for use in conjunction with cybersecurity risk assessments to help identify critical assets and their cyber vulnerabilities; (3) establish and maintain branch technical controls to mitigate identified cybersecurity threats; and (4) implement a robust review program to ensure that branches consistently apply cybersecurity practices.

Phishing Attacks
The Report explains that social engineering or “phishing” attacks, which try to convince a targeted individual to disclose sensitive information (e.g. personal information or credentials) or take harmful action (e.g. clicking on a malicious link or opening an infected attachment), are one of the most common cybersecurity threats to firms and their customers. The Report warns about the increasing sophistication and quality of phishing attacks, especially carefully planned attacks targeted to a specific individual (known as “spear phishing”) or to a senior executive (known as “whaling”) that can be difficult to distinguish from legitimate communications. The Report provides a useful summary of the characteristics of common phishing communications.

The Report details practices to mitigate phishing risks, including: (1) develop policies/procedures to specifically address phishing; (2) include phishing scenarios in risk assessments; (3) establish policies/procedures to confirm transaction requests; (4) implement email scanning and filtering to monitor and block phishing and spam communications; (5) train staff, including simulated phishing campaigns and remedial training for staff who demonstrate risky behaviour; (6) review processes/procedures to detect and remediate a successful phishing attack; (7) implement data loss prevention practices/procedures to reduce the impact of a successful phishing attack; and (8) provide customers with resources to protect themselves from phishing attacks. 

Insider Threats 

The Report warns that insider threats are a critical cybersecurity risk, because insiders (i.e. individuals with authorized access to firm systems and data) are often able to circumvent controls and cause material data breaches and other significant harm to an organization. The Report explains that an effective risk-based insider threat program typically includes the following components: (1) executive leadership and management support; (2) identity and access management policies and technical controls; (3) technical controls to help identify risky activities or anomalous behavior and detect potential attacks, and data loss prevention controls to prevent the inadvertent or malicious transmission of data to unauthorized recipients; (4) training for all insiders; (5) measures (based on people, processes and technologies) to help identify potentially malicious insiders and deter intentional misconduct, and to cultivate a strong culture of compliance; and (6) a comprehensive asset inventory.

Penetration Testing 

The Report explains that penetration (or “pen”) testing can be an important part of a cybersecurity program. A pen test simulates a malicious external or internal attack on a firm’s network to identify vulnerabilities and evaluate the effectiveness of preventative measures. The Report notes that firms often take a risk-based approach to determining the systems to be tested and test frequency. The Report encourages due diligence when selecting pen test service providers, and the use of appropriate contractual arrangements (including confidentiality obligations) with all pen test service providers. The Report notes that firms often follow established governance structures and procedures for determining when and how to address risks identified by a pen test.

Mobile Devices 

The Report explains that the increasingly widespread use of mobile devices by staff, customers and service providers can present significant cyber risks, including infected, cloned or pirated applications, operating system vulnerabilities, and phishing, spoofing or rerouting of calls, emails and text messages. The Report details practices to mitigate risks presented by staff use of mobile devices, including: (1) develop policies/procedures (e.g. “bring your own device” standards) for staff use of mobile devices and for the protection of sensitive data and information; (2) prohibit staff use of a mobile device unless the device has been approved and the user has agreed to comply with applicable policies/procedures; (3) train staff; (4) require all mobile devices to comply with technological requirements (e.g. mobile device management applications, password requirements, software restrictions, and encryption and transmission controls); (5) emphasize the importance of physically securing mobile devices and reporting lost devices; and (6) enforce compliance with mobile device policies/procedures with appropriate consequences for violations.

The Report details practices to mitigate risks presented by customers’ use of mobile devices, including: (1) customer education/information about mobile device risks; (2) require the use of multi-factor authentication and implement data loss prevention controls; (3) prohibit the use of mobile devices for certain activities (e.g. changes to account settings or contact information); (4) automatically terminate remote network access after a period of inactivity; and (5) secure development and testing of mobile applications.

Core Cybersecurity Controls for Small Firms 

The Report lists the following “core controls” for small firms’ cybersecurity programs: (1) patch maintenance; (2) secure system configuration; (3) identity and access management; (4) vulnerability scanning; (5) endpoint malware protection; (6) email and browser protection; (7) perimeter security; (8) security awareness training; (9) risk assessments; (10) data protection; (11) third-party risk management; (12) branch controls; and (13) policies and procedures. The Report cautions that an effective cybersecurity program requires that each of those controls be considered in the context of the firm’s particular business model and technology infrastructure, and in light of other relevant circumstances. The Report encourages small firms to consider other FINRA cybersecurity guidance.

Why states should push forward with cyber laws

The list of Democratic presidential candidates continues to grow, and three of those hopefuls offer backgrounds and legislative records that could help advance the issue of cybersecurity standards at the federal level.

Sen. Kamala Harris (D-Calif.) last year co-sponsored a bipartisan bill to improve cybersecurity at U.S. ports as well as the Secure Elections Act. Sen. Kirsten Gillibrand (D-N.Y.) teamed with Republican Sen. Lindsey Graham (R-S.C.) on legislation to push for a more rigorous investigation into Russian election interference. In addition, Sen. Elizabeth Warren (D-Mass.) introduced legislation in response to the Equifax data breach. Additionally, President Trump recently signed the SECURE Technology Act, which requires the Department of Homeland Security to establish a security vulnerability disclosure policy, a bug bounty pilot program, and set supply chain risk management standards.

In fact, according to The Washington Post, “all six U.S. senators that threw their hats in the ring for the Democratic nomination have co-sponsored bills aimed at protecting election systems against Russian hackers.”

At no other time has cybersecurity been at the forefront of so many federal legislative efforts and conversations. While it’s encouraging to see cybersecurity getting much-deserved attention from politicians seeking the highest office, it could be argued that these efforts are doomed to fail.

Don’t Let Your Cybersecurity Policy Slip

The SEC has been clear on what it expects from advisors on data protection. Are you up to speed?

By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cybersecurity legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.

The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:

• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.

• Access Rights and Controls, that is whether advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and evaluation of the way in which they manage user credentials, authentication, and authorization methods.

• Data Loss Prevention, which would include analyses of how advisors monitor: 1) the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and 2) unauthorized data transfers.

• Vendor Management, including an assessment of an advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.

• Training, which could focus upon the ways in which advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or downloading attachments from an unknown source.

• Incident Response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible data breaches.

Cary also mentioned that a critical footnote in the September 2015 OCIE Risk Alert references Regulation S-P, Rule 30(a), which requires advisors to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information, and provides that those policies and procedures must be reasonably designed to:

1. Insure the security and confidentiality of customer records and information;

2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Within this Risk Alert, the footnote signals that RIAs that do not adopt written policies and procedures to address the risk of data breaches/unauthorized access through hacking or electronic means are potentially violating Rule 30(a).

When OCIE announced its 2019 examination priorities, it specifically indicated it will emphasize cybersecurity practices at investment advisors with multiple branch offices, including those that have recently merged with other investment advisors. Now advisors need to pay close attention to what their written cybersecurity policies require.

Generally, we recommend they conduct a review of the cybersecurity policy at least annually. In the process, they should evaluate whether to update the cybersecurity policy, procedures, or infrastructure based upon the risks the firm faces. The annual review also should confirm that the firm has complied with all policy requirements (such as maintaining inventories, sign-in sheets for education/review sessions, tracking access rights, etc.) and that the written cybersecurity policy reflects current information and practices.

In summary, the SEC has made its position clear. Have you kept pace?

Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark. He can be reached at

A Regulatory Tsunami Is Coming: Are You Prepared?

Compliance will be an increasingly challenging business issue in 2019. Consider the 'Office of Compliance' that Xerox has already set up to deal with the complexity.

Regardless of how any business leader personally feels about data-privacy regulations, they seem destined to grow stronger.

In December, a coalition of more than 200 banks, retailers and tech companies called on Congress to draft stricter privacy legislation. Coalition members said they believed that all companies should be subject to the same rules, regardless of their size or industry, and that there should be a national standard for data-breach notifications.

The fact that private industry was itself calling for legislation is significant. Companies are now acutely aware of the financial and public relations fallout from data breaches, so much so that they are actually asking lawmakers to hold them to higher standards. The public is equally anxious about data privacy.


And it's that combination that makes it extremely likely that tougher data regulations are headed down the pipeline.

All this comes on the heels of the General Data Protection Regulation's (GDPR) implementation in the European Union last spring, plus the passage of the California Consumer Privacy Act last summer. Congressional Democrats and Republicans are currently butting heads on the issue, with the GOP interested only in a federal law that would supersede any state regulations.

What does small business think of all this? Considering that California's law goes into effect in January 2020 and that nearly every other state has proposed various data privacy legislation, small businesses are obviously eager to avoid a potential patchwork of state laws. The regulatory waters are already choppy enough.

Some industries, like finance, are accustomed to data regulations. Considering the scope of potential new regulations, that finance sector experience won’t count for much, however. For the simple fact is that every company in America needs to prepare for new compliance challenges throughout 2019.

Have you thought about what compliance means to you?

The costs 

Most companies expect pending regulations to be modeled on the GDPR that now applies to every business serving customers in the European Union. GDPR levies fines for every single record that is exposed in a breach, meaning fines can run into the millions (or even billions) of euros (do the math for $U.S.).

If the size of those numbers is troubling, consider the likelihood of a fine. Forthcoming regulations will obligate companies to take a whole new approach to data and customer engagement. Adjusting to complex, wide-ranging new regulations won’t be easy. Companies may be eager to comply but find themselves in trouble because they’re unable.

The ever-increasing threat of cybercrime is another worry. Today’s hackers are both tenacious and sophisticated, making cybersecurity incredibly difficult to ensure. Following whatever regulations are released won’t make companies immune to attack or exempt from fines -- though it will make them better protected than they are today.

Making compliance simple and certain

We don’t yet know what form any new regulations might take or how they would affect individual companies. Luckily, the details are not necessary for businesses to begin building a better approach to compliance. The goal is to make managing compliance simultaneously easier and more consistent. Start with these steps:

1. Collect data from across channels. 

Don’t think of data as "regulated" versus "unregulated." All data is potentially sensitive, so instead of protecting some data, companies should begin protecting all data equally. That starts with businesses being able to collect data from as many sources as possible for storage on one platform that’s been standardized for compliance.


Xerox recognized the value of standardization when, in 2017, it established an Office of Compliance, which strives to create a positive corporate compliance culture by helping employees do diligent work, and ensuring that senior leaders and all members of management send consistent messages. This office also constantly reviews and updates corporate policies to align with evolving regulatory and legal requirements.

Such top-down coordination will be essential once fast-moving data in multiple formats becomes subject to privacy laws. Think of it as a dedicated compliance team that's entrusted to stay abreast of each new development and respond accordingly.

Companies of all sizes should copy Xerox and make an effort to codify their compliance protocols -- the sooner, the better. Just make sure to stay open to the possibility of procedural changes, as forthcoming regulations will surely require flexibility as they are introduced and enacted.

2. Facilitate internal and external audits.

Audits are crucial for compliance. Complying with auditors often means turning over massive amounts of information. Alternately, conducting internal audits allows companies to find and correct issues before the regulators even arrive. In either case, companies need to have on-demand access to all their data; otherwise, any kind of audit is a burden.

Having all data on a platform accessible with unified search makes retrieval basically effortless. Nikon understands that a fast response is important -- so much so that it has developed independent systems. These systems enable the company's internal audit department to review compliance with laws and regulations, as well as with internal rules, without interference from operational divisions.

An overview of each department’s annual activities -- to determine primarily whether divisions' operations are being conducted in accordance with laws and regulations, as well as to create proposals for improvement -- is provided to the company’s executive committee and board of directors.

Picture how much easier external investigations will be to manage after your company performs numerous dry runs. Practice makes perfect. As regulations evolve over the course of 2019 and beyond, reacting and adapting fast will be key. Get a head start by instituting a system of internal audits as soon as you can.

3. Practice good governance.

Regulations dictate how a company must act both before and after a breach. Because of that increased scrutiny, companies must become hyperaware of data security. If, for instance, a breach went undetected, and therefore unreported, the resulting fine could be multiplied. Considering how unpredictable cybersecurity can be, companies need to have plans and policies detailing exactly how to act after a breach.

SEC Cyber Enforcement Examination Initiative

SEC Examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls. In order to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness, this Initiative will focus on the following areas:

• Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

• Access Rights and Controls: Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.

• Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.

• Vendor Management: Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

• Training: Without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

• Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

While these are the primary focus areas for the Cybersecurity Examination Initiative, examiners may select additional areas based on risks identified during the course of the examinations. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks, OCIE is including, as the Appendix to this Risk Alert, a sample request for information and documents to be used in this Initiative.

III. Conclusion

In sharing the key focus areas for the Cybersecurity Examination Initiative and the attached document request, the NEP hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?

Firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.


The SEC has, in the past, largely taken a softer approach to encouraging compliance in the cyber-security arena, but the agency now appears ready to bring significant enforcement actions for cyber-related missteps. Public companies and entities registered with the SEC would do well to heed the SEC’s admonitions and take a close and careful look at their cybersecurity-related policies and procedures to ensure full compliance.

After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and bringing several first-of-their-kind cybersecurity enforcement actions—foretells that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

The SEC’s Focus on Cybersecurity

Since his confirmation as SEC Chair in 2017, Clayton has made cybersecurity one of the SEC’s main priorities. In 2017, Clayton formed the cybersecurity working group, an initiative to coordinate information sharing, risk monitoring, and incident response throughout the SEC. In discussing the working group, Clayton defined the SEC’s cyber focus as “identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.” See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

In September 2017, the SEC also announced the creation of a Cyber Unit. The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate a wide-range of cyber-related threats, including (1) market manipulation schemes involving false information communicated electronically; (2) hacking to obtain material nonpublic information; (3) fraud involving blockchain technology and “initial coin offerings”; (4) hacking into retail brokerage accounts; and (5) cyber threats to trading platforms and market infrastructure. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.” SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017).

Since its creation, the Cyber Unit has wasted little time in bringing cases. According to the Enforcement Division’s 2018 Annual Report, during 2018, the SEC brought 20 stand-alone cases related to cybersecurity and has 225 cyber-related investigations that it deems “ongoing.” See SEC Annual Report, Division of Enforcement (Nov. 2, 2018). In several cases, the enforcement actions were first-of-their-kind, as discussed below.

The SEC’s focus on cybersecurity also appears to be driven by its own experience with cybersecurity issues. The same month that the SEC announced the creation of its Cyber Unit, the SEC announced that it, too, had experienced data breaches. In an extended Statement on Cybersecurity that likely is also intended to serve as a model for public companies in discussing their own material cybersecurity risks and incidents, Clayton announced a number of cybersecurity risks and data incidents affecting the SEC, the most significant of which involved hackers gaining access to the SEC’s EDGAR filing database in 2016 to steal unreleased corporate filings that potentially contained material nonpublic information. See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

Public Company Cybersecurity Disclosures

Cyber Disclosure Guidance. One of the centerpieces of the SEC’s enhanced cybersecurity strategy is in encouraging public companies and issuers to be transparent with the investing public about their material cyber risks and incidents. In September 2017, Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.” C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017). Perhaps exemplifying the SEC’s concerns, that same month, credit reporting agency Equifax disclosed that an unknown attacker had stolen personally identifiable information of approximately 145 million consumers. K. Coen, Populist Pitchforks Come Out: Insider Trading and Equifax, Law360 (Nov. 6, 2017). Equifax faced immediate public criticism over the timeliness and adequacy of its disclosure, which came approximately six weeks after it discovered the breach. Further, questions were raised about potential insider trading by four Equifax executives, including the Chief Financial Officer, all of whom collectively sold $1.8 million of Equifax shares between the time the breach was discovered and when it was disclosed to the public. Id. An internal review ultimately cleared those executives of any wrongdoing.

In February 2018, and consistent with the SEC’s focus on disclosure—and perhaps in response to the Equifax breach—the SEC published revised guidance regarding public company disclosures about material cyber risks and incidents (2018 Guidance). See SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018). The 2018 Guidance consolidated and built upon the SEC’s prior guidance on disclosure obligations relating to cybersecurity, particularly the Division of Corporation Finance’s guidance from 2011. Among other things, the 2018 Guidance addresses topics such as: (1) the criteria for determining whether a cyber risk or incident is “material”; (2) how promptly companies must disclose material cyber incidents; (3) the level of specificity required when disclosing material cyber risks; and (4) the need to adopt policies and procedures to prevent insider trading on as-yet undisclosed cyber incidents.

Disclosure-Related Enforcement Actions. At the time the 2018 Guidance was released, it was still unclear whether the SEC would bring an enforcement action against an issuer that failed to disclose material cyber risks or incidents to the investing public. Previously, Stephanie Avakian said that she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures. J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (April 20, 2017).

That uncertainty was resolved in April 2018, when the SEC announced its first-ever enforcement action against a public company for failing to disclose a breach. The enforcement action involved Yahoo, which the SEC alleged had misled shareholders by not disclosing in its public filings for nearly two years a data breach that affected hundreds of millions of its internet email subscribers. See SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018). The Yahoo breach only came to light as a result of merger discussions with Verizon, which sought to purchase the company. According to the SEC, Yahoo’s senior management and legal staff allegedly “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.”

The SEC further noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, the breach should have been disclosed in the company’s regular periodic reports. The company ultimately agreed to pay a $35 million fine.

In the case of Yahoo, the failure to disclose the breach had a clear effect on the company’s shareholders, who saw Verizon reduce its purchase price for Yahoo by $350 million after the breach was disclosed. In announcing the Yahoo enforcement action, Steven Peikin, co-director of Enforcement, observed that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Id.

It remains to be seen whether the SEC will take any actions with respect to Equifax for its six-week delay in disclosure of its 2017 breach. However, in March and June of 2018, the SEC charged two former Equifax employees with trading on material nonpublic information related to the Equifax breach. See SEC Press Release 2018-40, Former Equifax Executive Charged With Insider Trading (March 14, 2018) and SEC Press Release 2018-115, Former Equifax Manager Charged With Insider Trading (June 28, 2018). The U.S. Department of Justice also brought parallel criminal insider trading charges against these individuals. Notably, the two individuals charged were not included among the four Equifax executives who were initially suspected of engaging in potential insider trading.

The charges against these individuals highlight the challenge public companies face in managing information related to a breach among their employees prior to public disclosure. In Equifax’s case, neither defendant was told about the breach directly. Instead, Equifax provided them with a false cover story to explain the breach mitigation work they were asked to perform. Because the defendants were not told about the breach, they also were not expressly instructed that a blackout had been imposed on Equifax share sales. The defendants eventually pieced together the clues about the breach and sold their shares prior to the company’s public disclosure of the breach.

Data Security Safeguards

In addition to cybersecurity disclosures, the SEC has also reaffirmed its commitment to seeing registered entities such as broker-dealers and investment advisers implement appropriate data security programs to protect their systems and customer data.

For example, the 2019 examination priorities of the SEC’s Office of Compliance Inspections and Examinations (OCIE) again feature cybersecurity as a top priority. See SEC 2019 Examination Priorities, Office of Compliance Inspections and Examinations (Dec. 20, 2018). Among other things, OCIE continues to stress the importance of cyber risk assessments, access rights, vendor management, training, and data loss prevention for firms. The scope of focus, however, has sharpened over the last year to include the configuration of network storage devices, policies and procedures related to retail trading information security, and practices at investment advisers with multiple branch offices or that have recently merged with other investment advisers. Further, for entities that maintain critical market infrastructure, OCIE will examine compliance with SEC Regulation SCI, which requires such entities to maintain policies to protect their systems’ capacity, integrity, resiliency, availability, and security.

Given the SEC’s sharp focus on cybersecurity compliance issues for broker-dealers and investment advisers, one would expect to see a corresponding focus by the Enforcement Division on these issues as well. And, in fact, in September 2018, the SEC brought another first-of-its-kind enforcement action that, notably, was based on a referral from an OCIE examination. See SEC Press Release 2018-213, SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018). In that action, a mid-sized broker-dealer and investment adviser was fined $1 million for alleged cybersecurity lapses that allowed hackers to access client Social Security Numbers, account balances and details of client investment accounts. In addition to finding a violation of Regulation S-P—the SEC’s Safeguards Rule—the SEC dusted off its “Identity Theft Red Flags Rule” to censure the firm. The Identity Theft Red Flags Rule—also called “Regulation S-ID”—requires designated financial firms to develop and implement a written identity theft prevention program “designed to detect, prevent, and mitigate identity theft” for investment accounts. The rule also requires board oversight of the identity theft program. Although the SEC had adopted the red flags rule five years ago, it had not been used in an enforcement action until now.

2018 SEC Annual Report

Policing Cyber-Related Misconduct

Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber-related misconduct has steadily increased. In FY 2018, the Commission brought 20 stand-alone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues.

Reducing the greatest cyber security risk -- the one from within

NEW YORK (Thomson Reuters Regulatory Intelligence) - The greatest cyber security risk to an investment advisory firm may be its staff; therefore, a training and education program that addresses relevant cyber threats is vital.

In 2019, investment advisers must, among their most important cyber security steps, train staff to identify phishing emails, secure and protect company devices and take steps to verify the movement of client funds. The increased use of automation and reliance on electronic communications can cause a firm employee to unknowingly allow an unauthorized party to access company systems and ultimately access clients’ non-public information or funds. Therefore, a firm that includes the education of firm staff in its overall plan against cyber-attacks will be best prepared to keep the firm’s infrastructure intact.


Cyber security is one of the greatest risks currently facing the financial-services industry, and a perennial examination priority for the Securities and Exchange Commission.

The SEC has prioritized cyber security during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

Specifically, in the 2019 exam list, the SEC has added emphasis on the cybersecurity practices of investment advisers with multiple branch offices, including those that have recently merged with other advisers.


The forms of electronic communication have expanded; however, email continues to be the primary channel for most investment advisers. Phishing is a type of online scam in which criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. A firm’s email administrator or system may not always identify these types of emails; therefore, firm associates must be able to recognize them before any action is taken. In many cases, once the sensitive information is given to the scammer, they will have access to account numbers, passwords, usernames, and more, and be able to use them to commit fraud.

A firm’s associates should be suspicious of emails that do not use the individual’s name; for example, if a bank or brokerage firm were notifying an individual of an issue, the firm would know and use the customer’s name.

Also, the sender’s email address should match the sender. Therefore, ensuring that the sender’s address in the header matches the display name is prudent.

In addition, a phishing email will often be unsolicited or unexpected and contain grammatical or spelling errors and unnecessary capitalization. A firm individual must be wary of attachments or links as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware.

When a link is present, it’s always best policy to open a new browser tab and manually search for and navigate to the site rather than clicking the link.

Lastly, a firm individual must alert the compliance department or proper authority once a phishing email is identified. Phishing attempts can also spill into social media, so diligence must extend beyond email.
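The indicators described in the paragraphs above (display name versus actual sending address, a greeting that does not use the customer’s name, unnecessary capitalization, an unexpected attachment) applied to two constructed messages, as an added example that is not part of the article; the indicator names, the 20% capitalization threshold, the sample addresses and domains, and the link check, which goes a step beyond the text by comparing a link’s visible label with its target, are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Indicator names, the capitalization threshold and the sample messages are
# assumptions of this example, not anything the article or a firm prescribes.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
CAPS_RATIO = 0.2  # share of all-capital words treated as "unnecessary capitalization"


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _host(value):
    """Host named by a URL or by a bare domain used as link text, else ''."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", value, re.I)
    if m:
        return m.group(1).lower()
    return value.lower() if re.fullmatch(r"[\w-]+(?:\.[\w-]+)+", value) else ""


def phishing_indicators(raw, recipient_name):
    """Return the sorted names of the indicators a raw RFC 5322 message triggers."""
    msg = message_from_string(raw)
    found = set()

    # Sender check: a display name that looks like an address must belong to
    # the same domain as the address actually used to send.
    display, addr = parseaddr(msg.get("From", ""))
    m = EMAIL_RE.search(display)
    if m and _domain(m.group(0)) != _domain(addr):
        found.add("display_name_mismatch")

    text, links = [], []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            found.add("unexpected_attachment")
            continue
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # multipart containers carry no prose of their own
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", "replace")
        if ctype == "text/html":
            links.extend(ANCHOR_RE.findall(body))  # (href, visible label) pairs
            body = re.sub(r"<[^>]+>", " ", body)  # drop tags before word checks
        text.append(body)
    prose = re.sub(r"https?://\S+", " ", " ".join(text))

    # Greeting check: a bank or brokerage knows and uses the customer's name.
    if recipient_name.lower() not in prose.lower():
        found.add("generic_greeting")

    # Capitalization check: share of words written entirely in capitals.
    words = re.findall(r"\b[A-Za-z]{3,}\b", prose)
    if words and sum(w.isupper() for w in words) / len(words) >= CAPS_RATIO:
        found.add("excessive_caps")

    # Link check: the visible text names one host while the href goes elsewhere.
    for href, label in links:
        shown, target = _host(label.strip()), _host(href)
        if shown and target and shown != target:
            found.add("link_target_mismatch")

    return sorted(found)


# Constructed sample: impersonating display name, lookalike sending domain,
# generic greeting, shouting, a disguised link and an unexpected attachment.
RAW_PHISH = """\
From: "security@acmebank.example" <alerts@acmebank-secure.example>
Subject: URGENT: Account Verification Required
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Valued Customer, your account WILL BE SUSPENDED unless you VERIFY NOW.</p>
<p><a href="http://acmebank-secure.example/verify">https://www.acmebank.example/verify</a></p>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="statement.zip"

UEsDBAo=
--b1--
"""

# Constructed sample of a legitimate notice: named customer, no link, no attachment.
RAW_LEGIT = """\
From: Acme Bank Alerts <alerts@acmebank.example>
Subject: Your March statement is ready
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe, your statement is available in online banking.
"""
```

Calling `phishing_indicators(RAW_PHISH, "Jane Doe")` reports all five indicators, while the legitimate notice reports none; a real deployment would feed the function from the mail gateway and route hits to the compliance contact the article names.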

ADVISOR ARMOR FINRA/SEC/NYDFS Core Cyber Security Compliance Controls for Small and Multi-Branch Firms

The following list identifies core controls that need to be evidenced to demonstrate a firm’s cybersecurity program. To establish an effective program, however, firms will need to consider these measures in the context of their business model and technology infrastructure.

Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls.

Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”).

Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives.

Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies.

Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware.

E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers.

Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an intrusion detection and prevention system.

Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if you notice something suspicious. Consider implementing an ongoing phishing awareness campaign.

Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts.

Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and use of all removable data storage devices, including CDs and flash drives.

Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and of vulnerabilities or breaches that may affect the firm.

Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls.

Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.