Advisor Armor Opinion: Crackdown showdown

Serious cybersecurity enforcement is coming in 2019, but are advisers ready?

When clients ask what advisers are doing to protect their data, only the firms that can give a satisfying answer will build trust with investors

Advisor Armor Opinion

As the most tenured and largest provider of cyber security compliance in financial services, our empirical evidence indicates zero correlation between spending on information technology and technical controls on the one hand and data security failures or successful compliance examinations on the other.

Governance procedures and technical controls must be reasonably tailored to the risk assessments a firm has actually conducted. Commonality certainly exists, but one size does not fit all, and controls must change to model current risks.

Jan 12, 2019 @ 6:00 am By Ryan W. Neal 

After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cyber security rules.

A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.

The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.

"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cyber security practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors." 

Voya troubles

No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.

Even though Voya had a cyber security policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cyber security policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.

This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cyber security is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.

"Firms have cyber security policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cyber security firm Entreda.

For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.
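The gap described here, a VPN-only rule with nothing checking that it holds, is the kind of control a firm can verify from logs it already keeps. The script below is an added example written for this page; it is not Entreda's, Advisor Armor's or the article's code. It assumes a constructed VPN concentrator log format, a constructed application login log, a VPN address pool of 10.8.0.0/24 and an on-premises LAN of 192.168.1.0/24, and every sample line is made up. It correlates each application login with an active VPN session for the same user and flags logins that arrive straight from the internet, that reuse a pool address after the session ended, or that come from a pool address never assigned to that user.

```python
"""Verify a written remote-access policy ("advisers connect only over the VPN")
against what the logs actually show.

Added example for this page; not code from the article or from any vendor
mentioned in it. The log formats, address ranges and sample lines below are
constructed assumptions for illustration.
"""
import re
from datetime import datetime
from ipaddress import ip_address, ip_network

VPN_POOL = ip_network("10.8.0.0/24")       # assumed address pool the VPN hands out
OFFICE_LAN = ip_network("192.168.1.0/24")  # assumed on-premises LAN, exempt from the VPN rule

_VPN_RE = re.compile(r"^(\S+) vpn session-(start|end) user=(\S+) assigned=(\S+)")
_APP_RE = re.compile(r"^(\S+) app login user=(\S+) src=(\S+)")


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def vpn_sessions(lines):
    """Build {(user, assigned_ip): [(start, end), ...]} from VPN concentrator lines.
    A session with no end line is treated as still open."""
    open_sessions, sessions = {}, {}
    for line in lines:
        m = _VPN_RE.match(line)
        if not m:
            continue
        when, kind, user, ip = m.groups()
        key = (user, ip_address(ip))
        if kind == "start":
            open_sessions[key] = _ts(when)
        elif key in open_sessions:
            sessions.setdefault(key, []).append((open_sessions.pop(key), _ts(when)))
    for key, start in open_sessions.items():
        sessions.setdefault(key, []).append((start, datetime.max))
    return sessions


def audit_remote_access(vpn_lines, app_lines):
    """Return (user, src, reason) for every application login that breaks the policy."""
    sessions = vpn_sessions(vpn_lines)
    violations = []
    for line in app_lines:
        m = _APP_RE.match(line)
        if not m:
            continue
        when, user, src = m.groups()
        t, ip = _ts(when), ip_address(src)
        if ip in OFFICE_LAN:
            continue  # on-site access is outside the remote-access rule
        if ip not in VPN_POOL:
            violations.append((user, src, "direct access from outside the VPN pool"))
            continue
        if not any(start <= t <= end for start, end in sessions.get((user, ip), [])):
            violations.append((user, src, "VPN-pool address with no matching active session for this user"))
    return violations


# Constructed sample log lines (not from a real system).
VPN_LOG = [
    "2019-01-10T08:55:02Z vpn session-start user=alice assigned=10.8.0.14 from=203.0.113.7",
    "2019-01-10T09:20:00Z vpn session-end user=alice assigned=10.8.0.14",
    "2019-01-10T09:58:30Z vpn session-start user=erin assigned=10.8.0.31 from=203.0.113.88",
]
APP_LOG = [
    "2019-01-10T09:02:11Z app login user=alice src=10.8.0.14",    # inside an active VPN session: fine
    "2019-01-10T09:30:45Z app login user=bob src=198.51.100.23",  # straight from the internet
    "2019-01-10T09:45:00Z app login user=alice src=10.8.0.14",    # alice's session ended at 09:20
    "2019-01-10T10:05:00Z app login user=carol src=10.8.0.22",    # pool address never assigned to carol
    "2019-01-10T10:10:00Z app login user=erin src=10.8.0.31",     # session still open: fine
    "2019-01-10T10:20:00Z app login user=dave src=192.168.1.40",  # office LAN: exempt
]

if __name__ == "__main__":
    for user, src, reason in audit_remote_access(VPN_LOG, APP_LOG):
        print(f"VIOLATION {user} from {src}: {reason}")
```

Run against real exports, the output is the evidence that the policy is actually followed, and each reason maps to a different failure: no VPN at all, a stale address reused after logout, or a pool address that no concentrator session backs (spoofing or a misconfiguration). Real concentrators and applications log in their own formats, so the two regular expressions are the part to adapt.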

Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cyber security.

"People talk about having a good cyber security policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.

These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.

Advisor Armor risk assessments and profiles create suitable policies and procedures that describe how firms manage and care for valuable information. These policies are then tested and maintained through Penetration Testing, Endpoint Security Audits and Employee Awareness Training and Testing. Our Assurance Service certifies and attests to the implementation of the described policies and procedures.

2018 warnings to heed

When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cyber security, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cyber security preparedness and response team.

"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cyber security programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."

The agency last year named cyber security as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cyber security; and issued new guidance on public companies' obligations to disclose cyber security risks and incidents, updating its previous guidance issued in 2011.

The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cyber security when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.

It isn't just the SEC getting tougher with cyber security. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cyber security best practices for broker-dealers.

State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cyber security programs, the number of bills and proposals addressing cyber security at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.

Advisor Armor Coverage models the current state-level consumer data security protection expectations for all states, including those recently instituted by New York, California, Oregon, Massachusetts and Florida, among others.

The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.

For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cyber security breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.

The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cyber security plan in place. Regulators want to see firms continually testing, reviewing and updating cyber security policies and procedures to ensure they remain effective as threats evolve.

Business email

Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is business email compromise, an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use email to trick other employees.

"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.

Preventing harm from phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.
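A first technical line of defence against the business email compromise pattern described above is to check inbound mail headers for the impersonation tricks the article lists. The function below is an added example for this page, not code from the article, Finra, the SEC or any vendor named here. The firm domain example-advisors.com, the executive roster, the trusted vendor domain and the three sample messages are all constructed assumptions. It flags four indicators: a display name that matches an executive while the address does not, a sender domain within two edits of the firm's or a vendor's domain, a Reply-To that steers replies to a different domain, and payment-pressure wording in the subject or body.

```python
"""Business email compromise (BEC) indicator check over raw RFC 5322 messages.

Added example for this page; it is not code from the article, Finra, the SEC
or any vendor mentioned. The firm domain, executive roster, vendor list and
the three sample messages are all constructed assumptions.
"""
import re
import email
from email import policy
from email.utils import parseaddr

FIRM_DOMAIN = "example-advisors.com"                        # assumed firm domain
EXECUTIVES = {"jane doe": "jane.doe@example-advisors.com"}  # assumed roster: display name -> real address
VENDOR_DOMAINS = {"custodian-example.com"}                  # assumed trusted third parties
PAYMENT_WORDS = {"wire", "urgent", "transfer", "payment", "invoice", "account"}


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (rn vs m, dropped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators present in one raw message, in a fixed order."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_dom = _domain(from_addr)
    found = []

    # 1. Display name matches an executive but the address is not the roster address.
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr != real:
        found.append("display_name_impersonation")

    # 2. Sender domain is a near miss of the firm's or a trusted vendor's domain.
    for trusted in {FIRM_DOMAIN, *VENDOR_DOMAINS}:
        if from_dom != trusted and _edit_distance(from_dom, trusted) <= 2:
            found.append("lookalike_domain")
            break

    # 3. Replies are steered to a domain other than the one the mail claims to come from.
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain(reply_addr) != from_dom:
        found.append("reply_to_mismatch")

    # 4. Payment pressure language in subject or body (two or more distinct cue words).
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if len(PAYMENT_WORDS & set(re.findall(r"[a-z]+", text))) >= 2:
        found.append("payment_pressure_language")
    return found


# Constructed sample messages (not real mail).
SPOOFED_CEO = """From: Jane Doe <jane.doe@webmail-example.net>
To: ops@example-advisors.com
Reply-To: jane.doe.ceo@other-example.org
Subject: Urgent wire transfer today
Content-Type: text/plain; charset="utf-8"

I am in meetings all day. Please wire $48,000 to the new vendor account before noon.
"""

LOOKALIKE_VENDOR = """From: Client Support <support@custodian-exarnple.com>
To: ops@example-advisors.com
Subject: Action required: confirm wire instructions
Content-Type: text/plain; charset="utf-8"

Our bank account changed; please update the payment details on file.
"""

LEGIT_INTERNAL = """From: Jane Doe <jane.doe@example-advisors.com>
To: ops@example-advisors.com
Subject: Q1 planning
Content-Type: text/plain; charset="utf-8"

Agenda attached for Thursday.
"""

if __name__ == "__main__":
    for label, raw in [("spoofed CEO", SPOOFED_CEO), ("lookalike vendor", LOOKALIKE_VENDOR), ("legitimate", LEGIT_INTERNAL)]:
        print(f"{label}: {bec_indicators(raw) or 'clean'}")
```

None of the four indicators proves fraud on its own; in practice the list feeds a quarantine rule or a warning banner, and the human element still matters, because the "I am in meetings, do not call" framing is the tell that no header check sees.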

Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.

Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.

Advisor Armor provides Email Enticement (Phishing) Testing and Training. Thousands of customized phishing emails, consistent with and relevant to financial services, provide a realistic challenge that builds practical resistance to the single largest intrusion threat facing financial firms today.

Where advisers can improve

The good news is that the financial services industry has done a pretty good job of adapting to new cyber security requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney. 

Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.

"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."

At smaller firms, there can be a sense of fatigue and helplessness when it comes to cyber security, because even the largest companies get hacked.

"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cyber security for advisers. "I do think that causes some frustration."

Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.

Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.

Advisor Armor has managed hundreds of client data security incidents over the past three years. Our history with Red Flags/Identity Theft allows us to efficiently navigate the murky regulatory requirements for physical and electronic breaches, and our incident response coverage satisfies the regulatory requirement for tested procedures.

Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cyber security controls. When used alongside Finra's previously released small firm cyber security checklist, it should give smaller advisers an effective guide to remaining compliant.

The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cyber security is something more important than another compliance chore. The key to that may lie in thinking of cyber security as a competitive advantage, Mr. Yenamandra said.

Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.

"Cyber security needs to be viewed as not only an operational risk but also a strategic function," he said.

 

Cyber Insurance Primer

Most organizations know they need insurance to cover risks to the organization’s property, such as fire or theft, or their liability if someone is injured in the workplace. But a substantial portion of organizations don’t carry coverage for data breaches, despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.

24%: percentage of companies that had cyber insurance.1

64%: percentage of companies that believed their exposure to cyber risk would increase in the next 24 months.2

43%: percentage of companies that did not plan to purchase cyber insurance in the next 24 months.3

Why is buying cyber insurance difficult?

  1. There is little standardization among competing policies; as a result it is hard to comparison shop.

  2. Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.

  3. Policies often cover security but not privacy risks.

Items to review when shopping for cyber insurance:

  1. Do the sub-limits on coverage match the corresponding risks?

  2. Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?

  3. Does an exclusion prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?

  4. Is voluntary notification of affected consumers covered?

  5. Will credit monitoring for affected consumers be covered?

  6. Who does the insurer have on panel for legal representation, forensic investigations, and/or crisis management?

2019 Examination Priorities of SEC Office of Compliance Inspections and Examinations are Announced

Next year’s examination priorities of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission were announced on December 20, 2018, and cover six broad, albeit non-exhaustive, topics.1

  • Matters of importance for retail investors, including seniors and those saving for retirement;

  • Compliance and risks in registrants responsible for critical market infrastructure;

  • Matters related to the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board;

  • Digital assets, including cryptocurrencies, coins and tokens (a newly-added priority);

  • Cybersecurity; and

  • Anti-money laundering (AML) programs.

Many of the six broad topics remain the same as those included in the 2018 OCIE Examination Priorities. It is important to note, however, that the OCIE leadership team specifically indicated that the 2019 priorities reflect meaningful changes from the prior year, particularly as new risks have emerged and existing risks were either heightened or mitigated.

Retail Investors, including Seniors and those Saving for Retirement

The first identified priority is the protection of retail investors. OCIE emphasizes the following areas of focus, most of which continue and/or expand upon existing examination priorities:

  • Fees and Expenses: Disclosure of the Costs of Investing;

  • Conflicts of Interest;

  • Senior Investors, and Retirement Accounts and Products;

  • Portfolio Management and Trading;

  • Never-Before- or Not-Recently-Examined Investment Advisers;

  • Mutual Funds and Exchange-Traded Funds;

  • Municipal Advisors;

  • Broker-Dealers Entrusted with Customer Assets; and

  • Microcap Securities.2

Compliance and Risk in Registrants Responsible for Critical Infrastructure

The second identified priority is compliance and risks in critical infrastructure. In this area, OCIE will continue to focus examinations on:

  • “Systemically Important” Clearing Agencies;

  • Entities Subject to Regulation Systems Compliance and Integrity (Regulation SCI), including the effectiveness of the implementation of such entities’ compliance policies and procedures;

  • Transfer Agents, including “transfers, recordkeeping” and asset safeguarding; and

  • National Securities Exchanges, including exchanges’ internal audit and surveillance programs as well as funding for regulatory programs.

Focus on FINRA and MSRB

OCIE will continue to examine: (1) FINRA’s operations and regulatory programs and the quality of its examinations of broker-dealers; and (2) the effectiveness of particular MSRB operational and internal policies, procedures and controls.

Digital Assets

New to OCIE’s priorities is a focus on the examination of participants in the digital asset market (including broker-dealers, trading platforms, and investment advisers) and the associated risks presented by that market to retail investors. As part of its entry into examining the digital assets space, OCIE intends to “identify market participants offering, selling, trading, and managing these products or considering or actively seeking to offer these products and then assess the extent of their activities.” For those firms that are identified as “actively seeking” to offer digital assets, OCIE examinations will then focus on, among other things, “portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”

Cybersecurity

Cybersecurity will continue to be a focus of each OCIE examination program, especially registrants’ “policies and procedures related to retail trading information security” and, with respect to investment advisers, cybersecurity practices of advisers with multiple branch offices.

Anti-Money Laundering Programs

OCIE notes that examiners will continue to prioritize broker-dealer compliance with applicable AML requirements, including proper filing of suspicious activity reports and robust and independent testing of their AML programs.

Conclusion

While the priorities indicate where OCIE intends to focus resources in the coming year, registrants should not expect examinations to be limited to the issues highlighted above. It is important to note that the 2019 OCIE priorities not only reflect Chairman Jay Clayton’s prior emphasis on Main Street investors, technological changes and cybersecurity, but also continue to reflect a considerable degree of continuity with the priorities of the SEC under prior Chair Mary Jo White. With this in mind, firms may want to review their policies and procedures and conduct internal compliance reviews.

Finra updates cybersecurity best practices report

Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.

To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.

The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.

"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.

The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.

However, Mr. McDonough said the report could have been presented more simply to increase understanding, especially for firms that don't have a cybersecurity expert who can decipher technical language.

"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.

"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."

The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.

Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.

"Finra and [broker/dealers] have been late to this, and registered reps are in a tug of war with who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."

Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.

The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.

"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.

Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.

"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a manner of wanting to provide clearer guidance/best practices."


For the Average Hacker, Your Small Business Is an Ideal Target

Headlines are full of cybersecurity breaches, and big businesses like Google and Facebook are some of the latest to fall victim to outside attacks. A vulnerability in Google+ is at least partially responsible for the company’s decision to shut down the platform for good, and a recent breach of Facebook’s network security may have compromised the personal information of almost 50 million users.

Of course, for such enormous companies, a breach is an embarrassing blip on the radar. Google is mostly terminating its social platform because no one uses it (the company reported that 90 percent of user sessions last less than five seconds), and even the notorious Cambridge Analytica scandal cost Facebook a mere $644,000 in fines imposed by British regulators, peanuts for a company bringing in almost $100,000 in revenue every minute. But what would a $600,000 fine do to your small business?

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.

How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:

*

1) SEC Enforcement: More Pressure for Investment Firms

The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.

The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

Policing “Cyber-Related” Misconduct

The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cyber-related cases, including cases involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 also saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.

While an agency-wide hiring freeze in effect since late 2016 has reduced staff by 10%, this does not appear to have resulted in less pressure on regulated securities investment firms. The Division’s annual report documents significant continued enforcement activity.

From a compliance perspective, one item in the “Other Noteworthy [Enforcement] Actions” section of the report may deserve more attention than it received so far: it points to “13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk.”

Our Take:

When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may leave firms unable to “promptly produce” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view of a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.

A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.

Read / download:

Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]

*

2) Vigilant Regulators, Weak Policy Implementation

In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.

The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.

“SEC’s Enforcement Program Remains Robust”

The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.

Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.

The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”

Clayton slims down SEC agenda, looks for more wins

In a speech on the SEC's priorities for 2019, Clayton also signaled cybersecurity will remain at the top of the agenda, promising that examiners will press advisors and brokers on areas such as risk governance, access controls and data protection.

The SEC is on track to finalize its standards of conduct for investment advisors and brokers next year, Chairman Jay Clayton indicated on Wednesday, calling those rules "a very important and long overdue initiative."

Clayton is also warning advisors and other financial professionals to brace for market turbulence that could emerge from the U.K.’s exit from the European Union and the upcoming abandonment of the Libor benchmark that underlies many of the popular funds advisors rely on as a staple of their portfolio construction.

Clayton called the advisor and broker regulations "a key priority," touting the seven town-hall meetings commissioners and staffers held to gather input from the everyday investors the rules are intended to protect.

Taking a step back from the SEC's regulatory agenda, Clayton is also cautioning advisors to keep in mind three macro risks to the market that he expects to dominate the years ahead: cybersecurity, Brexit and Libor.

"It is clear, based on these discussions, that we have the right perspective, namely, that the core obligations of investment professionals — and mandatory plain language disclosures —should match reasonable investor expectations," Clayton said in prepared remarks.

Clayton said that under Mary Jo White, his immediate predecessor, the commission's regulatory agenda had become too "aspirational." In 2016, 32 rules appeared on the agenda, but fewer than a third were ultimately adopted. Many of those initiatives stemmed from legislative directives included in the Dodd-Frank Act, Clayton acknowledged. But he is staking out an approach marked by fewer novel rulemakings, and those initiatives that do appear on the commission's docket, he aims to complete. In the coming year, Clayton says he is hoping to conclude 80% of the items presently on the regulatory agenda.

Some of the sharpest criticism of the SEC's investment advice proposal has come from consumer advocates who see the provisions relating to brokers continuing to permit conduct that they say is harmful to investors. Instead of applying an advisor-like fiduciary duty to broker-dealers, the proposed Regulation Best Interest would, in their view, do little to enhance the existing suitability standard that governs the brokerage sector. An advisory panel to the commission has recommended that it revise the regulation to encompass more of the spirit, if not the letter, of the fiduciary standard.

Cybersecurity tips for advisors, and clients

Cyberattacks are growing in volume and sophistication and the need for the wealth management business to safeguard clients, portfolios and industry has never been greater.

In 2017 alone, more than 143 million Americans were affected by cybercrimes, a jump of 30% from 2016. As threats increase and fraudsters become more sophisticated, financial advisors and their clients must be proactive in protecting themselves and sensitive data. The process begins with education. Today’s cybercriminals use common, effective methods to acquire personal information. Malware (malicious software) can be delivered to devices via suspect websites, public Wi-Fi networks, and communal charging stations, presenting common hazards that might be sidestepped with the right information.

Below are helpful tips advisors can use to start a conversation with their clients about cybersecurity and help avoid potential catastrophe.

Software and online security

Keep your software, operating system and browser up to date. Vendors ship security fixes with the updates they release, and installing them promptly closes the holes that malware relies on. 
Set up multi-factor authentication for login to any website or application clients use for financial transactions or that holds their personal data. 
Run a reputable, American anti-virus product on a home PC or laptop. This will help prevent a device from becoming infected with malware and may clean up an existing infection.

As threats increase, the need to safeguard clients, portfolios and industry has never been greater, writes Rachel Wilson, head of cybersecurity for Morgan Stanley Wealth Management Technology.

Cybersecurity in public environments

Avoid using public Wi-Fi hotspots — such as the ones at coffee shops, airports, or hotels. If a client does use a public Wi-Fi hotspot, advise them to use a virtual private network (VPN) so that others cannot intercept their communications. As an alternative, clients can stick to the mobile network and create a personal Wi-Fi hotspot with their phone.
Don’t use public charging cords or USB ports to charge a device. Publicly available power outlets are generally fine, but avoid using publicly available cords and ports. These can be used to deliver malware or silently steal data.


Daily online activities

Don’t click on links or open attachments in unsolicited emails or text messages. Doing so may install malware on a device. 
Don’t reuse the same or similar username and password across multiple websites and applications. If clients reuse the same credentials and an attacker obtains them from just one site, the attacker can replay them against their other accounts as well.
Use a password manager. These apps create unique, complex passwords for clients and then store those passwords in a cryptographically sound way. 
Create and save bookmarks for the important banking and brokerage websites that clients visit often to avoid inadvertently entering credentials on a fraudulent site. 
Only download applications from Google Play or the App Store and never from a third-party app store. Third-party app stores, or apps that pop up and encourage a download, are much more likely to contain malware. 
Only give applications the permissions they really need. Granting an application access to photos, location, camera or contacts makes that data available to the application's owner.
Limit how much information is shared on social media, and lock down the privacy settings on social media accounts. The information clients share online could be exploited to gather information for fraud schemes.

Tools to combat cybercrime

Use a current and reliable email provider that has basic, built-in security features. Using an older email account that has not incorporated security protections will greatly increase the likelihood of your email account being taken over and used to impersonate you or to spam your contacts.

Shred financial documents before discarding them, as these contain valuable information that could be used by fraudsters. Leverage online statements and paperless options, such as eSign, eDelivery, eAuthorizations and Digital Vault, as these include important security features. Additionally, clients should secure sensitive documents within their home.

These basic tips can help avoid some of the most common cybersecurity threats, but the need for vigilance and continued education is paramount. Advisors should maintain an ongoing dialogue with their clients to ensure their personal data, wealth information and financial transaction data are properly safeguarded.

SEC Enforcement’s Annual Report Prioritizes Retail Investors, Cryptocurrency, Cybercrime, and Individual Accountability

The Enforcement Division of the United States Securities and Exchange Commission (“SEC”) recently released its annual enforcement report (“Report”) for fiscal year 2018. The Report reflects an increased focus on retail investors, cryptocurrency, cybercrime, and individual accountability. Further, it showcases that SEC enforcement continues to be robust under the Trump administration, despite industry and media expectations to the contrary.

Cybercrime is also a growing area of concern for the SEC, with more than 225 active investigations this past year. Notably, in many of these investigations, companies that were victims of cyberattacks are now under investigation for how they responded to the attacks. The Enforcement Division brought proceedings against companies based on failures in those companies’ cybersecurity policies and procedures related to cyber intrusions. MORE

How to Choose a Cyber Liability Insurance Policy

As more and more data breaches and ransomware attacks make headlines around the world, the need for digital asset protection has become top of mind for many financial advisors and business owners. In yesterday’s post, I outlined some cyber liability insurance basics, including what may and may not be covered if your RIA–broker/dealer has its own policy. Today, I’ll dig a bit deeper into the topic, including how you can assess your risks to determine what coverage you may need so you can choose the right cyber liability policy.

Scenario: Cyberattack!

It’s 6:00 A.M. on a Monday morning. You hit snooze a few times before sitting up and grabbing your smartphone. A notification catches your eye. No, you’re not dreaming. Your business has been hit by a cyberattack.

How did this happen? You’ve put considerable effort into mitigating the risk of cyberthreats—staff education, encryption, and password policies, to name a few. Unfortunately, even with such protections in place, you can still become the victim of a cyberattack.

But hang on! You have cyber liability insurance. There’s no need to worry, right? That depends. Do you know the extent of the damage? Do you know what your policy covers? The answers to those questions will determine how concerned you should be.

What Went Wrong?

First, you’ll need to find out what information was involved in the cyberattack to determine if any confidential data was compromised. You’ll also want to look into how the breach happened. Was it because a scammer gained access to your firm’s data following a phishing attack? Was one of your employees the weak link?

If the incident occurred at your broker/dealer, which has its own cyber liability insurance policy, your B/D would likely cover data forensic expenses, extortion, notification costs, and credit monitoring for the affected individuals. If the breach happened on your end, however, you would be liable for the damages. If your firm is at fault, you will need to prove that your business did everything possible to prevent the breach and help minimize risk, such as taking proactive measures to ensure that proper security policies are in place and up to date.

Whether you are at fault or not, cyber liability insurance can’t mend a broken reputation. It can, however, help neutralize some of the costs associated with a cyberattack and help restore your business operations.

How to Choose the Right Coverage

Given everything we’ve discussed here and in yesterday’s post, you may be leaning toward purchasing a cyber liability policy. But how much coverage should you purchase? Following the three-step process described below can help you arrive at the best decision for your firm.

1) Assess your risk. If your office collects, transmits, stores, views, or interacts with personal information that hackers could use to identify a client, you are at risk for a cyberattack and need to ensure that your business is protected from what could go wrong.

Begin your assessment by getting a handle on your vulnerabilities. Do you, for example, have a hardware firewall and up-to-date antimalware and antivirus protection? Do you encrypt your hard drives and portable media? Do you regularly train your staff to be aware of information security issues? Have you enabled multifactor authentication, where possible, for all of your devices?

Answering no or I’m not sure to any of these questions means your—and your clients’—information may be at risk and you could benefit from cyber liability coverage. But even with the most robust information security programs, there’s always the chance that something might slip through the cracks. Taking a good look at scenarios that could leave your business vulnerable to attack can help you determine which coverage plans may be best for your firm.

For the second part of your assessment, you’ll want to evaluate whether you’ve done as much as possible regarding:

  • Governance and risk assessments: This includes creating an inventory of all the software and hardware in your office, as well as any device that’s connected to your network; developing policies for bringing devices to work and displaying information on screens or desks; and maintaining a data-retention policy.

  • Access rights and controls: This includes encryption, firewalls, password policies, and the like.

  • Data loss prevention: This includes verifying the identity of clients who request asset transfers and regularly updating your software.

  • Vendor management: This includes doing appropriate due diligence on potential vendors and signing contracts that govern data usage.

  • Training and awareness: This includes regular training on information security concerns for you and your staff, as well as training and best practices for your clients.

  • Incident response: This includes having an appropriate backup system in place, along with formal business continuity and incident response plans.

By understanding the controls you already have in place and the areas where you may be at risk, you can look to purchase a cyber liability policy that focuses on the coverage you need.

2) Research carriers and policy options. According to the 2017 Cost of Data Breach Global Study, the average cost of a data breach is $225 per compromised record (the U.S. figure). So, although you may be reluctant to pay the premiums for yet another insurance policy, that cost is minimal compared with the out-of-pocket expenses your office could incur if it experiences a cyberattack.

Policy cost varies depending on the depth of coverage you select and the carrier you choose. When speaking to a potential insurance carrier, ask about the types of incidents covered and whether any “events” are specifically excluded from coverage. Because each financial services office is different and cyber liability insurance coverage varies from vendor to vendor, be sure to vet multiple policy options. You’ll also want to get the best value and price for what your business needs, so discuss pricing in detail with the carriers and inquire about deductibles.

3) Apply for your top choices. Once you have vetted a few insurance carriers, fill out an application with the companies whose quotes best fit your office’s needs. Ensure that the applications have been completed correctly, answering questions based upon the cybersecurity protocols your office employs. Once you are approved for a few policies, you can choose the right cyber liability policy for your needs based on the deductible, premiums, and coverage with which you are most comfortable.

A Plan for Prevention and Recovery

In today’s increasingly digital world, having a top-notch information security program in place is essential for protecting your business’s assets and your clients’ personal data. But as the threat of a cyberattack or breach grows, it’s best to be prepared not only to prevent an attack, but to make a full recovery from one as well. If you follow the steps outlined above and choose the right cyber liability policy for your business’s needs, you’ll be well equipped to handle any threat that comes your way. Posted by Rachel Sonia


SEC RIA Enforcement Actions Increased 31.7% in the 2018 Fiscal Year

On November 2, 2018, the Securities and Exchange Commission ("SEC") released its 2018 enforcement report, which highlights the 821 enforcement actions pursued during its most recent fiscal year. This latest annual report shows continued focus from the SEC "on the Main Street Investor," and that focus is unlikely to change in the coming years. During the 2018 fiscal year, the SEC filed 490 stand-alone enforcement actions, 210 follow-on administrative proceedings, and 121 enforcement actions related to delinquent filings. Stand-alone enforcement actions pursued against investment advisers or investment companies totaled 108, a 31.7% annual increase compared to the 82 stand-alone enforcement actions filed in the 2017 fiscal year. The SEC Division of Enforcement also notes that it has been forced to operate efficiently, as total headcount for the division is down roughly 10% compared to the 2016 fiscal year. As such, the division has "paid careful attention to case selection, attempting to open and pursue investigations that are likely to have the most meaningful impact for investors and the markets." 

Increased Enforcement Actions Against RIA Firms

As seen in the recently released 2018 North American Securities Administrators Association ("NASAA") enforcement report which looks at enforcement activity at the state level, the number of registered investment adviser ("RIA") and investment company enforcement actions is increasing:

[Chart not reproduced here. Source: 2017 and 2018 SEC Division of Enforcement Annual Reports]

Given the increasing number of SEC-registered RIA firms and increasing SEC RIA examination frequency, it's possible this trend may continue in future years. Since 2012, the number of SEC-registered investment advisory firms has increased 13.7% from 11,658 firms to 13,250 firms as of October 31, 2018. In addition, the volume of federally-registered investment adviser examinations has increased 117.0% from 974 audits conducted in the 2012 fiscal year to 2,114 audits performed in the 2017 fiscal year. However, it is important to note that the percentage of examined firms referred to the Enforcement Division has actually declined from 13% in the 2013 fiscal year to 7% in the 2017 fiscal year.

Focus on the Share Class Selection Disclosure Initiative

On February 12, 2018, as part of its focus on protecting the "main street investor," the SEC Division of Enforcement announced the Share Class Selection Disclosure Initiative ("SCSD Initiative"). As part of the initiative, RIA firms had until June 12, 2018 to self-report potential violations related to mutual fund share class recommendations. The 2018 report states "scores of investment advisers participated in the SCSD Initiative, which will result in charges against them." 

This latest enforcement focus on mutual fund share class recommendations follows a series of previous guidance issued by the SEC Office of Compliance Inspections and Examinations ("OCIE"), including a July 13, 2016 risk alert noting "the staff will focus on the adviser’s practices related to share class recommendations and compliance oversight of the process." Furthermore, SEC OCIE staff has continually listed mutual fund share class selection and broader disclosure related to the costs of investing as a top examination priority in recent years, including in 2017 and 2018.

Mutual fund share class selection is and will remain in the SEC spotlight. Any RIA firm in a position to choose between different share classes for its clients needs to fulfill its fiduciary obligation and continue to stay focused on ensuring proper regulatory compliance.

Cyber-Related Misconduct

For a number of years, the SEC OCIE Division has continued to discuss its concern and focus on RIA information security, which has included a series of cybersecurity-focused examination sweeps. These efforts have led the OCIE division to issue a series of risk alerts on February 3, 2015, September 15, 2015, and August 7, 2017. In addition, the OCIE Division has continually listed cybersecurity as a top examination priority in recent years, including in 2017 and 2018.

While the SEC Enforcement Division notes it presently has "more than 225 cyber-related investigations ongoing," to date there have not been a large number of investment adviser cybersecurity-related enforcement actions. However, this is likely to change moving forward given the continued examination focus and large volume of ongoing investigations. In addition, the enforcement report notes that during the 2018 fiscal year, the SEC Enforcement Division took its "first action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft." 

Be sure to check back soon as we continue to provide more detailed data and information on RIA regulatory compliance enforcement focus areas and trends. As always, the Chief Compliance Officer ("CCO") of every investment advisory firm needs to continue to ensure that compliance programs are being designed and implemented to help prevent activity that could lead to potential enforcement action. In particular, CCOs should continue to pay close attention to new and emerging regulator focus areas. MORE

Can your small business afford to risk the imminent threat of a cyber incident?

Cybersecurity incidents are occurring on a daily basis and at an increasing rate. Yet many small businesses still have not obtained adequate (or any) cyber insurance to address these risks and the costly impacts to the business that will result. In a recent study completed by the Insurance Information Institute, only about a third of all small businesses polled responded that they have cyber insurance in place, with 70% of respondents replying that they have no plans to purchase a cyber insurance policy in the next 12 months. Most of the businesses indicated that they do not believe they have any need for cyber insurance, yet almost half of those same companies stated they are unprepared to handle cyber threats. A main reason for not purchasing cyber insurance was a lack of understanding about this type of insurance and the coverages available.

The Risks for Small Businesses

These statistics are alarming considering that the average cost of a cyber-related loss for a small business has increased 250% in the past two years, and now totals $188,400. In determining whether insurance coverage should be purchased, companies typically assess the perceived risks to the company, the likelihood of such risks occurring, as well as any costs or expenses that may result. For example, most companies regularly obtain a property policy to cover a fire or other casualty that may damage its business location even though such an event is unlikely or unexpected. Yet, cyber incidents are just as likely, if not more likely to occur, and the impacts to a company in the event of an incident are far worse. Many incidents result in a complete suspension of the daily operations of the company for several days or longer.

In addition to financial loss, companies may face the following as a result of a cyber incident:

  • Theft, breach or loss of information and data;

  • Damage to the company’s reputation, brand or image; and

  • Regulatory, governance and legal issues.

How Cyber Insurance Can Help

Cyber insurance policies can be obtained to address the losses related to a data breach and may include costs for investigating a breach, notifying people affected by a breach of personally identifiable information, managing the potential damage to reputation and other crisis-management expenses, recovering lost or corrupted data, and related legal expenses. More importantly, well-drafted policies can afford coverage for business interruption losses; i.e. those expenses and lost revenue resulting from a breached system and a company’s inability to continue its usual operations. Coverage may also be obtained for “cyber extortion”, which covers costs resulting from an extortion event such as ransomware. Losses from fraudulent wire transfers induced by social engineering are a related but distinct exposure; many carriers cover them only under a separate funds-transfer-fraud or social-engineering endorsement, so confirm how a given policy treats them before assuming they are included.

It is important to keep in mind that cyber insurance is only one component to consider when developing and implementing an overall risk management strategy to prevent cyber incidents. However, taking into account the exposure to a company if and when a cyber incident occurs, it is highly advisable to have this coverage in place.

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use the existence of a cyber program as an affirmative defense in rebuttal to an argument that they failed to implement reasonable information security controls and that the failure resulted in a breach. The definition of breach (and of the personal information that, if impacted, gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place and that program conforms to “industry-recognized frameworks” such as the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, the PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to conform to an amended framework. Programs must meet minimum criteria to qualify: (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program may be right-sized to take into account the size of the business, the nature of its business, the type of information, the cost of protection tools, and the resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action.

Putting it Into Practice: Unlike other states that require companies to have a written security program in place (Alabama, Massachusetts, and Oregon), Ohio’s new law seeks to provide a strong incentive for companies to put such a program in place without actually making a written program a requirement. MORE

For first time, state regulators pursue more cases against RIAs than broker-dealers

In its 2018 enforcement report, the North American Securities Administrators Association said that, for the first time, state regulators pursued more registered investment advisers in disciplinary cases than broker-dealers.

In 2017, there were 377 RIA firms and investment advisers named in enforcement actions, a 32% increase over 2016, and 270 brokerages and their registered representatives named, an 11% decline. The 2018 NASAA report reflects 2017 results.

The crackdown on RIAs makes sense, given that the total number of RIA firms has grown by 20% — from 25,073 in 2008 to 30,193 in 2017 — while the number of brokerage firms has declined by 24% — from 3,969 to 3,132 — over the same period, according to an analysis by the consulting firm RIA in a Box based on an industry snapshot by the Financial Industry Regulatory Authority Inc.

Growth of the RIA sector probably won't slow down, and neither will RIA enforcement.

"This is unlikely to be a one-year anomaly, but more likely a continuing trend," said GJ King, president of RIA in a Box.

The migration of RIAs from registration with the Securities and Exchange Commission to the states has also contributed to the increase in enforcement cases, according to Christopher Gerold, chief of the New Jersey Bureau of Securities and chairman of the NASAA enforcement committee.

The number of state-registered advisers grew from 13,799 in 2008 to 17,534 in 2017. The biggest jump came from 2011 to 2012, when about 3,000 RIAs switched from SEC to state registration due to a Dodd-Frank law requirement that advisers with less than $100 million in assets under management move to state oversight. Previously that threshold was $25 million.

"States are catching up with their examination programs and bringing more actions," Mr. Gerold said. "State regulators are taking their examinations very seriously."

In putting together its enforcement report, NASAA did not survey states on the types of actions filed against RIAs. But in his practice, one compliance lawyer said the primary compliance problem he sees with small RIAs is conflicts of interest.

"A good number of IAs tend to have the same conflicts they had as B-Ds, and they're not really mitigating those conflicts," said Brian Hamburger, president of MarketCounsel. "Just because you're smaller, it doesn't give you a pass on mitigating conflicts."

An emerging problem area for state-registered RIAs is senior financial abuse. The NASAA model rule to combat senior exploitation has been adopted by 18 states. Texas opened 24 such cases in 2017.

"You're going to see more enforcement actions on senior protection at the state and federal level," Mr. King said. "RIAs can be vulnerable given the amount of retirement business a lot of them do."

As more RIAs are subject to enforcement and more brokers become RIAs, the debate over whether RIAs or brokers are more heavily regulated is likely to heat up.

"Another contributing factor is that broker-dealers tend to have more robust internal compliance departments with policies and procedures in place that prevent securities violations and subsequent enforcement actions," Eleonora Zlotnikova, a securities attorney at Sam P. Israel, wrote in an email.

Mr. Gerold said the increase in state RIA enforcement reflects the fact that states are the only regulator with responsibility for small RIAs.

"I'm not saying that IAs are better or worse than B-Ds or vice versa," he said. "It's a product of who is the primary regulator of the segment of the financial market." MORE

SEC Does Not 'Dictate' Cyber Controls, Cyber Chief Says

The SEC is more focused on preparedness, cyber chief Robert Cohen said at a NASAA Cybersecurity Roundtable.

In assessing firms’ cyber preparedness, the Securities and Exchange Commission is “looking for firms that have significant risks that they aren’t disclosing,” Robert Cohen, head of the agency’s cyber unit, said Monday.

Speaking on a panel at the North American Securities Administrators Association’s cyber roundtable in Washington, Cohen stated that it’s not the “SEC’s approach to dictate specific [cyber] controls” on regulated entities. “I don’t know that that’s the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they’re doing and see if they’re prepared.”

“For the commission to dictate you must do this, you must do that, sometimes we’ll publicize best-practice issues … but generally, if the commission dictated something, I’d be concerned that it gets out of date really quickly.”

The best source of expertise in the cyber realm, he added, “is within the industry and the consultants they employ.”

What does the SEC look for when assessing firms’ preparedness?

“Really you can learn a lot just by asking firms what they do to prepare” for cyber breaches, Cohen said.

Cohen cited the recent charges against Voya Financial Advisors Inc. for violating Regulation S-P (the Safeguards Rule) and the Identity Theft Red Flags Rule as “a classic mistake that we see.”

Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information, “had policies and procedures and controls, but really didn’t enforce it across the board,” Cohen said.

The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Cohen, when the complaint was filed in late September. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

FBI Has Doubled Agents in Cyber Program

Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes “billions of dollars of losses every year,” and is the FBI’s third priority behind counterterrorism and counterintelligence.

“We’re continually banging our heads against a wall to try to figure out how we can better combat this,” he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.

“As we look into cybercrime, very rarely does it not cross international borders,” he added.

Business email compromise continues to be one of the top scams, with an average loss of $130,000.

Also “synthetic ID” is becoming a more prevalent scam against financial institutions, he said.

“An actor will take a real Social Security number, change some of the variants of the personal identifying information and create a ‘synthetic ID’ — a nonexistent person — they apply to some different credit lines, they had no credit to begin with … but then once you get denied credit, it actually creates a credit file. … Once they have that credit file established, they will attach it to someone else’s credit — someone with good credit — … and over the course of six months that score will go from 300 up to 750, they’ll detach it, and then they’ll start opening bank accounts, credit cards…”

Financial institutions are “really struggling with this,” Floyd said.

NASAA Initiatives

NASAA President-elect Frank Borger-Gilligan, who also serves as the assistant commissioner of the Tennessee Securities Division, within the state Department of Commerce & Insurance, noted at the roundtable that “last year, more than half of the adult online population in the U.S. were victims of cybercrimes,” according to a 2017 Norton Cybersecurity Insights report.

Globally, cybercriminals stole $172 billion from 978 million consumers in over 20 countries in 2017. Cybercriminals, it was estimated, cost the world economy more than $600 billion last year, Borger-Gilligan said.

More alarming, he continued, financial services firms were “three hundred times more likely to be targeted than traditional American companies.”

Last year, 61% of cyber victims were small businesses — which continue “to be the low-hanging fruit for cybercriminals,” Borger-Gilligan said. “Smaller companies often lack the IT resources, the robust network defenses, and they mistakenly assume that they’re too small to be targeted.”

Couple this with the fact that 78% of nearly 18,000 state-registered investment advisors are one to two person shops, he added. “So it is clear how important the issue of cybersecurity is for our regulators.”

More work is planned in the year ahead. This year, Borger-Gilligan said, NASAA is considering whether to adopt a model rule, which will provide “more direction to advisors and baseline protection for investors.”

He noted that NASAA’s Investment Adviser Section also recently published a model rule for public comment, which would require advisors to “adopt policies and procedures regarding information security,” and will require them to deliver the policy annually to clients.

The comment period closes on Nov. 26.

Practice What You Preach: Having Cybersecurity Policies and Procedures That Don’t Do What They Are Supposed To Do Can Result in Fines

In the first enforcement of the Identity Theft Red Flags Rule, the U.S. Securities and Exchange Commission (SEC) fined Voya Financial Advisors, Inc. $1,000,000 for failing to provide training on and reasonably design its written policies and procedures to mitigate identity theft. On September 26, 2018, the SEC announced a settled enforcement action against Voya, a dually registered broker-dealer and investment advisor, arising from a cyber intrusion that compromised personal information of thousands of customers.

The SEC’s order describes a six-day period in 2016 during which cyber intruders impersonated Voya contractors by calling Voya’s support line and requesting that their passwords be reset. With the new temporary passwords, the intruders obtained access to the personal information of 5,600 Voya customers. From there, they were able to use that information to create new online customer profiles and get access to account documents for three customers. There were no unauthorized transfers of funds or securities from Voya customer accounts.

The SEC alleged that Voya had violated the Safeguards Rule, which requires broker-dealers and investment advisers to adopt written policies and procedures that provide for the protection of customer records and information, and the Identity Theft Red Flags Rule, which requires them to develop and adopt a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.

Voya had written policies and procedures, but the SEC alleged that in light of Voya’s business model and risk profile, they were not reasonably designed to: “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Significantly, several of Voya’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives or to their remote systems, and they were not updated to reflect changes in risks to customers from identity theft. Moreover, Voya failed to provide training specific to preventing identity theft. Accordingly, the intruders were able to obtain access because of Voya’s weaknesses in those procedures, some of which had been exposed by previous fraudulent activity. The SEC order includes a detailed description of how the intruders obtained access, and should be required reading for everyone who establishes or oversees a cybersecurity program.

New NASAA president Michael Pieciak puts cybersecurity at top of agenda

It's often the smallest investment advisory firms that are the most vulnerable to online threats, and that's why it's natural for rule-making to start at the state level, according to a top state regulator.

The North American Securities Administrators Association last week released for public comment a proposed cybersecurity rule. It would require advisers to adopt policies and procedures to safeguard information physically and online and to inform clients about their privacy policies annually.

The potential model rule is a top priority of new NASAA president Michael Pieciak. The Vermont commissioner of financial regulation was inaugurated for a one-year term on Sept. 25 at the organization's annual conference in Anchorage, Alaska.

State regulators are responsible for overseeing approximately 18,000 investment advisers with less than $100 million in assets under management. Many of them are one- and two-person operations, which can be juicy targets for online predators. But they also lack the cyber defense resources of major financial firms, Mr. Pieciak said.

"I'd like to see a model rule in place that does a good job of right-sizing the need to secure firms' important data," he said. "I don't see this as an issue where it's regulators versus industry. I see it as an issue where it's regulators and industry versus the cybercriminal."

The comment period lasts until Nov. 26. After digesting the feedback, NASAA could propose a model cyber rule for state legislatures to consider. There are cyber regulations in New York, but a model rule could expand the number of states with cyber oversight.

If NASAA proceeds, it could launch a cyber rule before the Securities and Exchange Commission and the Financial Industry Regulatory Authority do. The SEC and Finra examine for cyber deficiencies.

"Maybe it makes sense that we're first," Mr. Pieciak said. Small advisers regulated by states "are some of the most vulnerable shops. The SEC and Finra have a different contingency they're trying to protect."

NASAA will host a cybersecurity roundtable in Washington on Oct. 15.

First millennial to lead NASAA

Mr. Pieciak, 35, is the first millennial president of NASAA, giving him a perspective that will influence both his leadership style and his regulatory agenda.

He said that his generation is often mislabeled. He has found his cohorts to be independent, detail-oriented and collaborative. That last trait will be helpful as the head of NASAA, a group in which the president is just "first among equals."

"That collaborative decision-making style is something I think is a hallmark of the millennial generation and something I hope to bring to this position," Mr. Pieciak said.

Millennial investors also pose a regulatory challenge given that they are often saddled with big student loans, put off buying homes and saving for retirement, and are attracted to online investments that may pose threats, such as cryptocurrencies.

"We see a lack of financial literacy and basic financial skills among the younger generation, particularly when it comes to thinking about some of the big life decisions like buying a home, which is usually someone's most important asset," Mr. Pieciak said. "We're going to have a specific millennial focus on our investor education and outreach initiative to educate and also protect millennial investors."

Other items on Mr. Pieciak's agenda include working on programs related to financial technology and cryptocurrency, leading a NASAA strategic planning process and fighting to preserve state regulatory authority.

Voya cybersecurity blunder should serve as a wake-up call to the entire industry

The stakes are high: Procedures have to be reviewed and tested on a regular basis

By now anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.

Cybercrime details

For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once it had been alerted that the breach was happening.

The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.

Procedures in place

Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.

Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.
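The two procedural gaps this op-ed points to (temporary passwords issued without verification, and no escalation once a real adviser disputed a reset) can be expressed as red-flag checks over a firm's help-desk reset log. The code below is an added example written for this page, not from the article or from Voya; the event fields, rule names and sample events are constructed.

```python
"""Red-flag checks over help-desk password-reset events (added example).
Constructed data; the field names and rules are assumptions, not Voya's."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ResetEvent:
    when: datetime         # when support issued the temporary password
    account: str           # account (e.g. contractor rep) that was reset
    channel: str           # how the request arrived: "phone" or "portal"
    caller_verified: bool  # did support complete out-of-band verification?
    disputed: bool         # did the real user later report not requesting it?


# Constructed sample log, shaped like the incident the article describes:
# repeated phone-channel resets of rep accounts over several days, the
# first of which the real adviser disputes.
SAMPLE = [
    ResetEvent(datetime(2016, 4, 1, 9, 0), "rep-101", "phone", False, True),
    ResetEvent(datetime(2016, 4, 1, 14, 0), "rep-101", "phone", False, False),
    ResetEvent(datetime(2016, 4, 3, 10, 0), "rep-220", "phone", False, False),
    ResetEvent(datetime(2016, 4, 5, 11, 0), "rep-314", "phone", False, False),
    ResetEvent(datetime(2016, 4, 5, 12, 0), "rep-500", "portal", True, False),
]


def red_flags(events, window=timedelta(days=7)):
    """Return (rule, account, timestamp) tuples for events that should
    trigger the firm's identity-theft response procedure.
    UNVERIFIED   - temporary password issued without out-of-band verification
    REPEAT       - same account reset again inside `window`
    POST_DISPUTE - unverified phone reset issued after the first disputed
                   reset, i.e. the point at which the channel itself should
                   have been treated as compromised and resets escalated."""
    flags = []
    last_reset = {}
    first_dispute = min((e.when for e in events if e.disputed), default=None)
    for e in sorted(events, key=lambda ev: ev.when):
        if not e.caller_verified:
            flags.append(("UNVERIFIED", e.account, e.when))
        prev = last_reset.get(e.account)
        if prev is not None and e.when - prev <= window:
            flags.append(("REPEAT", e.account, e.when))
        last_reset[e.account] = e.when
        if (first_dispute and e.when > first_dispute
                and e.channel == "phone" and not e.caller_verified):
            flags.append(("POST_DISPUTE", e.account, e.when))
    return flags
```

Each POST_DISPUTE hit marks a reset that a working escalation step would have blocked or forced through stronger verification; a disputed reset should also revoke the credential it issued.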

Prevention and response

One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.


Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.

Need for review

It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.

That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.

Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?

Financial Advisors Should Question Tax Preparers About Protecting Data

CPAs continue to be tempting targets for cybercrooks looking to steal data to file tax returns and steal identities. High-net-worth clients’ information is especially prized, and the IRS and other tax agencies have made recommendations and established electronic requirements for tax preparers to protect that data.

“In addition to the obvious financial information handled by tax-oriented CPAs and other practitioners, practitioners often serve as advisors to client businesses and other financial affairs,” said Dr. Sean Stein Smith, a CPA and assistant professor at the department of economics and business at Lehman College in New York. “Data security and protecting information is a high profile issue, and clients -- especially HNW individuals -- certainly understand the value that comprehensive security policies provide.”

SEC charges Voya Financial Advisors with deficient cyber-security procedures

In the Securities and Exchange Commission's first enforcement action for violations of the Identity Theft Red Flags Rule, Voya Financial Advisors has agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

The SEC on Sept. 26 charged the broker-dealer and investment adviser with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.

The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cyber-security procedures, some of which had been exposed during prior similar fraudulent activity.

According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce. “This case is a reminder to brokers and investment advisers that cyber-security procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.