Ransomware, Data Breaches Expose Gaps in Cyber Insurance Market

As U.S. companies grapple with cyber crime costs, indiscriminate ransomware attacks, and hundreds of millions of dollars in data breach fines, many seek protection in a normally predictable bet—insurance.

But some companies have discovered the hard way that policies can be filled with gaps and exclusions. Some don’t cover all regulatory fines and penalties. Others may cover ransom payments made to end certain attacks, but not all the long-term damage to systems caused by the attack. 

And in two ongoing court cases, insurers are contending that “war” exclusions allow them to deny coverage for cyber attacks linked to Russian state actors. 

“It’s not like car insurance and house insurance and the flood industry,” Scott Shackelford, law professor and cybersecurity program chair at Indiana University Bloomington, said. “It’s too early for an industry standard.” 

Reports from insurance broker Marsh and the Council of Insurance Agents & Brokers indicate that at least one third of companies had adopted cyber liability policies by 2018, up from around a quarter in 2016. Cyber insurance can shield companies from millions in losses if a plan is purchased with attention to each aspect of coverage, insurance experts and brokers said. 

As cyber liability policies continue to develop, insurers globally see technology and cybersecurity as the first and second largest risks facing the industry in the next two to three years, according to a July report from the Centre for the Study of Financial Innovation and PricewaterhouseCoopers. 

“Really the issue now is that making sure the policies they are buying is mapping up to the risks they face legally should the incidents occur,” Ryan Sulkin, a cybersecurity attorney and partner at Michael Best & Friedrich LLP, said. 

AXA US and American International Group Inc. are among those leading the market in direct premiums written for pure cyber insurance, accounting for $488 million in premiums last year, according to a June report from credit-rating agency A.M. Best Co. Inc. The top policy writers for all types of cyber coverage are The Hartford Financial Services Group Inc., Liberty Mutual Group Inc. and Farmers Insurance Group. 

Cyber premium volume exceeded $2 billion for the first time in 2018, and the total number of cyber insurance claims surpassed 10 million last year, according to the report.

So far, it’s been a highly profitable business. While losses have risen, the ratio of claims payments and related costs to premiums was less than 25 percent in 2018, though those margins aren’t expected to last, according to Best.

SEC Tells Firms to Stop Missing the Basics on Cybersecurity

The SEC’s Office of Compliance Inspections and Examinations (OCIE) reported in a recent Risk Alert that many investment advisers and broker-dealers are failing to comply with basic aspects of Regulation S-P, which requires registered firms to provide customers with privacy notices and to safeguard customers’ records and information. The observed deficiencies are especially notable as they are basic flaws already discussed in previous SEC guidance; failure to correct them may lead to fines or even significant consequences in private suits by investors. Faced with such deficiencies, a court might conclude that a firm has not taken reasonable measures to safeguard customer information.

Regulation S-P requires that firms provide customers with initial notices regarding their privacy policies and practices when they sign up, with annual notices throughout the customer relationship, and with “opt-out” notices describing customers’ right to forbid disclosure of nonpublic personal information to nonaffiliated third parties. But OCIE observed in recent examinations that many firms did not provide such notices, and that when they did, the notices did not always accurately reflect firms’ policies and procedures.

OCIE also noted that firms failed to implement a host of basic policies and procedures designed to ensure the confidentiality and integrity of customer information. Deficiencies included:

  • lack of policies and procedures to prevent employees from regularly sending unencrypted emails containing personally identifiable information (PII);

  • lack of training on the use of encryption;

  • failure to create an inventory identifying all systems on which the firm maintained customer PII;

  • failure to revoke the system access rights of departed employees;

  • contracts with outside vendors where the vendors did not agree to keep customers’ PII confidential, even though such agreement was mandated by the firm’s policies and procedures; and

  • incident response plans that omitted “role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.”
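Two of the deficiencies above, the missing inventory of systems holding customer PII and the unrevoked access of departed employees, are things an examiner can check mechanically, and a firm can run the same check on itself. The following is an added example, not code from the SEC or OCIE: it reconciles an HR roster against the account lists exported from each system in the PII inventory, flags enabled accounts of terminated staff (noting whether the account was used after the termination date) and flags enabled accounts with no HR owner at all. The roster, the system names and the account records are constructed for illustration.

```python
"""Access review: flag accounts that should have been revoked.

Added example (not SEC/OCIE code). The HR roster, the systems holding customer
PII and the account records below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Employee:
    user_id: str
    terminated: Optional[date]  # None means still employed


@dataclass(frozen=True)
class Account:
    system: str       # a system from the firm's PII inventory
    user_id: str
    enabled: bool
    last_login: Optional[date]


# Constructed sample data: an HR export plus account dumps from two PII systems
# and the mail platform.
HR_ROSTER = [
    Employee("asmith", None),
    Employee("bjones", date(2019, 5, 31)),
    Employee("cwu", date(2019, 6, 14)),
]
ACCOUNTS = [
    Account("crm", "asmith", True, date(2019, 7, 1)),
    Account("crm", "bjones", True, date(2019, 6, 20)),       # used after leaving
    Account("portfolio", "bjones", True, None),              # never disabled
    Account("portfolio", "cwu", False, date(2019, 6, 10)),   # correctly disabled
    Account("email", "svc_backup", True, date(2019, 7, 2)),  # no HR owner
]
AS_OF = date(2019, 7, 15)  # date of the review


def find_stale_access(roster, accounts, as_of):
    """Return (stale, orphans).

    stale:   (system, user_id, used_after_termination) for every enabled
             account of an employee terminated on or before as_of.
    orphans: (system, user_id) for every enabled account with no HR record,
             which needs an owner before it can be reviewed at all.
    """
    terminated = {e.user_id: e.terminated for e in roster
                  if e.terminated is not None and e.terminated <= as_of}
    known = {e.user_id for e in roster}
    stale: List[Tuple[str, str, bool]] = []
    orphans: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.user_id in terminated:
            used_after = (acct.last_login is not None
                          and acct.last_login > terminated[acct.user_id])
            stale.append((acct.system, acct.user_id, used_after))
        elif acct.user_id not in known:
            orphans.append((acct.system, acct.user_id))
    return stale, orphans


if __name__ == "__main__":
    stale, orphans = find_stale_access(HR_ROSTER, ACCOUNTS, AS_OF)
    for system, user, used in stale:
        print(f"REVOKE {user}@{system}" + (" (used after termination)" if used else ""))
    for system, user in orphans:
        print(f"ORPHAN {user}@{system}: assign an owner")
```

The review is only as good as the inventory it is driven from: a system that holds PII but is missing from the list of account exports is never reconciled, which is why OCIE lists the inventory as a separate deficiency. Running this against every inventoried system on a schedule, and keeping the output, also gives the firm the evidence of periodic review that an examiner asks for.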

Especially because the SEC staff has now provided multiple warnings, such deficiencies deserve more attention.

New York Passes SHIELD Act Amending Data Breach Notification Law - The SHIELD Act significantly amends New York's data breach notification law and data protection requirements.

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act"), amending New York's data breach notification law. This adds to the growing list of states enacting privacy and data security laws. The SHIELD Act introduces significant changes, including:

  • Broadening the Definition of "Private Information." The Act broadens the definition of "private information" to include biometric information and username/email address in combination with a password or security questions and answers. It also includes an account number or credit/debit card number, even without a security code, access code, or password if the account could be accessed without such information.

  • Expanding the Definition of "Breach." The Act expands the definition of "breach of the security of the system" to include unauthorized "access" of computerized data that compromises the security, confidentiality, or integrity of private information, and it provides sample indicators of access. Previously, a breach was defined only as unauthorized acquisition of computerized data.

  • Expanding the Territorial Scope. The Act expands the territorial application of the breach notification requirement to any person or business that owns or licenses private information of a New York resident. Previously, the law was limited to those that conduct business in New York.

  • Imposing Data Security Requirements. The Act requires companies to adopt reasonable safeguards to protect the security, confidentiality, and integrity of private information. A company should implement a data security program containing specific measures, including risk assessments, employee training, vendor contracts, and timely data disposal.

The breach notification amendments take effect on October 23, 2019, while the data security requirements take effect on March 21, 2020.

Governor Cuomo also signed Senate Bill S3582, which requires a credit reporting agency that suffers a breach containing Social Security numbers to offer consumers identity theft prevention and mitigation services.

New York is strengthening enforcement of consumer privacy and data protection. Companies should review their information security programs to assess the private information they collect and implement the data security requirements specified in the SHIELD Act. Given the number of new and proposed state laws, this process can be time consuming and complex.

New York SHIELD Act Expands Privacy and Cybersecurity Obligations

New York’s new SHIELD Act:

  • Adds additional information types that may trigger a breach notification.

  • Requires notification upon unauthorized access to (not just acquisition of) protected information.

  • Imposes new cybersecurity obligations on persons maintaining private information about New York residents.

Privacy and data security law continues to evolve, and once again, new state laws are driving the change. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which significantly expands the state’s data breach notification law and adds new cybersecurity requirements. While the new law does not create a private right of action, it specifically authorizes the state’s attorney general to seek significant civil penalties for noncompliance.

Expansion of Data Breach Notification Law

The SHIELD Act expands the scope of the state’s breach notification law by broadening the types of covered personal information that trigger notification obligations and modifying the circumstances under which notification is required.

Existing New York law requires notification if an individual’s Social Security number, driver’s license or identification number, or financial account number (coupled with a security code or password), together with any personally identifiable information, is compromised. The SHIELD Act adds to this list biometric information (like fingerprints or retina scans) as well as user names and email addresses, if they are coupled with passwords or other information allowing access to online accounts. The new law also removes the requirement that a financial account number be coupled with a security code or password, if the account could be accessed without such credentials.

Importantly, the law previously only required notification of an unauthorized acquisition of computerized data. The SHIELD Act broadens this requirement by also mandating notification of an unauthorized access to protected information, a change that will undoubtedly result in more data incidents qualifying as reportable breaches. For example, it will sweep in situations where user credentials were exposed but not necessarily used, or where hackers were able to delete or lock files (such as through a ransomware attack) without actually acquiring the data. The new law also provides specific factors that businesses may use (such as indications that the information was viewed or altered) to determine whether there was unauthorized access. Interestingly, it provides an exception to the reporting obligation for inadvertent disclosures by authorized persons where there is little risk of harm, and it provides specific procedures that a company must take before using the exception. Notably, the new law does not change the time requirement for consumer notification – breaches must still be reported “in the most expedient time possible and without unreasonable delay.”

New Data Security Obligations 

The SHIELD Act also imposes new obligations on persons maintaining private information about New York residents to “develop, implement and maintain reasonable safeguards” to protect the security of such information in both its use and disposal. In some cases, determining whether a company’s safeguards are sufficient will be relatively easy, as the SHIELD Act provides a safe harbor for organizations already covered by and complying with certain regulations, such as financial firms covered by the Gramm-Leach-Bliley Act, health care companies covered by the Health Insurance Portability and Accountability Act, and financial service providers covered by the New York Department of Financial Services cybersecurity rule. For organizations unable to take advantage of the safe harbor, the new law provides a detailed list of factors to determine whether a company has instituted sufficiently reasonable administrative, technical and physical safeguards.

Next Steps 

A company subject to the SHIELD Act should adopt and maintain a written information security program that complies with its requirements, including addressing cybersecurity protocols, providing for employee training and designating an individual responsible for administering the program.

This is What Hundreds of RIA Compliance Officers are Worried About

Cybersecurity is still the biggest compliance threat to RIAs.

An overwhelming percentage of RIAs — 83% — surveyed by the Investment Adviser Association and ACA Compliance Group singled out cybersecurity as their top concern for the sixth straight year.

Last year, cybersecurity was the top concern for 81% of the respondents.

“Among the many key takeaways of this year’s survey — beyond the continued importance of cybersecurity — is that firms continue to strengthen their compliance programs,” says IAA president and CEO Karen Barr.

IAA (a lobby group for the RIA community) and ACA (a compliance services and solutions provider) surveyed 369 RIAs.

The majority of the respondents have at least $1 billion AUM and have been in business for at least five years.

A high percentage of survey respondents reported conducting cybersecurity compliance checks, including cybersecurity risk assessments, network penetration testing and phishing testing.

A majority (66%) reported having cyber insurance.

Around 87% said they have “formal, written” cybersecurity programs; 4% have “informal, unwritten programs;” while the rest have “no standalone cybersecurity programs” but instead incorporate them into other policies and procedures.

In Finra’s 2019 Risk Monitoring and Examination Priorities Letter, released in January, the self-regulator said cybersecurity is an important focus area.

Finra has said it continues to see “problematic” cybersecurity practices in its examination and risk monitoring program. In December, Finra published a report of select cybersecurity practices where it offered guidance on cybersecurity controls in branch offices; methods of limiting phishing attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

At Finra’s annual conference in Washington, D.C. in May, Morgan Stanley’s regulatory exam head said cybersecurity was among the key threats keeping him awake at night.

When it comes to cybersecurity and technology concerns, Andrew Lipton, executive director and head of Americas market/conduct regulatory relations group at Morgan Stanley, said one of the key solutions is finding people who “know the law and technology,” which is “an interesting skillset.”

Meanwhile, a distant second and third to cybersecurity compliance concerns for the RIAs surveyed by IAA and ACA are advertising/marketing and data privacy.

The most common controls used by RIAs for advertising/marketing compliance are the requirement of formal pre-approvals by chief compliance officers (71% of respondents) and the logging and tracking of materials as they are prepared (64%). The majority of RIAs surveyed reported having related written policies and procedures (93%) for advertising/marketing compliance.

CNBC Cybersecurity blind spot is putting financial advisors and their clients at risk

It’s an email every financial advisor should expect to receive at least once.

Financial advisor Charles Failla recalls receiving an email from a client asking for about $5,000. She was vacationing in the Caribbean and claimed the hotel where she was staying didn’t accept credit cards.

“She needed cash,” said Failla, certified financial planner and principal at Sovereign Financial Group in New York.

“I said, ‘I know you’re on vacation, but call me collect. I need to confirm it’s you before I send money to a Caribbean island.’”

After several emails, the client was able to track down a phone and confirm her identity.

“She understood and appreciated it,” Failla said. “It’s definitely a policy at our firm: You get an email asking for money? Verify it with the client via telephone.”

Cybersecurity Threats Are Top RIA Concern In 2019, IAA Survey Says

For the sixth year in a row, cybersecurity remains the biggest compliance concern at registered investment adviser firms, with 83 percent calling it the “hottest” compliance topic and more than 70 percent indicating that they increased compliance testing in this area over the past year, a new survey says.

More than 80 percent of advisors reported testing to see if hackers could penetrate their systems, compared with 73 percent last year, and 75 percent conducted email phishing testing, up from 66 percent last year. A majority reported having cyber insurance, according to the joint survey of 369 RIA firms by the Investment Adviser Association (IAA) and ACA Compliance Group.

The Advisor Compliance Issue That's Bigger Than Reg BI

Longtime compliance chief Beth Haddock talks to ThinkAdvisor about cybersecurity, Reg BI and making compliance training less boring.


The biggest compliance issue facing advisors isn’t Reg BI. It’s cybersecurity. Protecting clients’ and firms’ confidential information from a nightmare breach is critical — and urgent, says attorney and compliance expert Beth Haddock in an interview with ThinkAdvisor.

A 20-year-plus veteran of running big firms’ compliance departments, she has helmed her own compliance consultancy, Warburton Advisers, in New York City since 2014.

Haddock’s fresh views breathe life into the essentially juiceless area of financial services compliance: For instance, the frequent industry speaker argues that by delivering a return on the firm’s investment, a compliance department can change from being a cost center to something of a profit center.

In the interview, Haddock, whose clients include fintech companies, BDs and financial advisors, discusses, among other issues, her take on Reg BI and Warburton’s Hollywood-produced training that employs virtual reality to teach compliance regs.

ThinkAdvisor recently interviewed Haddock, on the phone from New York. The author of “Triple Bottom-Line Compliance” (Advantage Media Group 2018), she was chief compliance officer at AXA, Brown Brothers Harriman and Guggenheim Investments. In our conversation, the attorney stresses why advisors need to become more involved with the crucial issue of cybersecurity.

Here are highlights of our interview:

THINKADVISOR: What’s the biggest compliance issue facing financial advisors and firms today?

BETH HADDOCK: Data security, and data ethics and governance: How you collect data, how you use and store it, the parade of regulatory requirements. It’s everything from privacy, the security of advisors’ business information and investor information to using the information you collect in order to grow your business.

What differentiates data security from the concept of data ethics and governance?

Data security is chiefly about the nuts and bolts from an IT perspective. Data ethics and governance is about making a good business judgement as to, for example, how much in the way of resources you’re going to put toward [the tech and data security].

What’s part of that decision?

Will you have a personal server? Are you going to trust the cloud? These are the issues advisors have to decide about. It’s: How much risk do you want to take, and how much do you want to protect your clients, your reputation and your brand — because if you have a breach, it’s pretty disruptive to your business.

This is a whole additional area that RIAs and FAs have to worry about beyond being an advisor to their clients, isn’t it?

Yes — because it’s new and because it’s technical. If you’re an experienced advisor, you didn’t grow up having to think about this for your practice.

What’s the solution?

RIAs have to be educated on the technology rather than outsourcing it 100% and not really thinking about it. They need to be aware and make sure it’s on their radar. Second, they have to consider multiple sources for getting help. One of those would be having an IT person on retainer or, when they’re hiring a COO, making sure that person has a tech background. That will [provide] in-house expertise.

So is that all there is to it?

No. This isn’t a one-and-done. You have to look at data governance the same way you [tend] the investments in an investment portfolio.

What’s a big obstacle to acquiring technology and data security?

If, for example, you’re an independent RIA, you may not have the wherewithal to acquire excellent smart technology when it comes to cybersecurity or IT expertise. It’s really hard for advisors to be at the same level as big financial institutions.

But they need to make some sort of commitment. What should they do?

There are lots of vendors out there. It’s a matter of getting smart and figuring out what makes sense from a resource perspective. And it’s doing due diligence so you know that the tech vendor [you decide on] will protect your information from a breach and isn’t going to share it. You need to know that the whole infrastructure is safe.

WSJ The Ins and Outs of Cybersecurity Insurance

Policies are designed to help companies survive major cyberattacks. But knowing exactly what’s covered can be tricky.

The idea of cybersecurity insurance seems, on its face, pretty straightforward: Being hacked not only can disrupt business, it also can be extremely costly and hurt a company’s reputation. Businesses want to protect themselves against those losses.

But in practice, such insurance raises a lot of questions.

There’s no question that cyber insurance is on the rise, though growth in the U.S. slowed last year to 8% from 37% in 2017, according to Fitch Ratings.

These policies are designed to help companies survive major cyberattacks by offsetting the costs of recovery. But knowing exactly what’s covered can be tricky. The cyber insurance category is new, so there isn’t much standardization in the way insurers are determining risk or even defining attacks. Coverage gaps can be created by uninformed choices.

Here are some questions companies need to ask themselves.

What do we need to cover?

Companies first need to determine, with the help of a security specialist if necessary, what their biggest risk areas are and what they stand to lose if they experience an attack. That way, they can fine-tune their coverage as much as possible to fit their particular needs.

Among the areas companies need to assess are reputation damage, data-restoration costs and reimbursement for government regulatory fines in the wake of a data breach.

The National Institute of Standards and Technology, which is part of the U.S. Commerce Department, offers security guidelines that can help companies understand and assess their risk, says Gregory Touhill, a cybersecurity expert from Carnegie Mellon University‘s Heinz College who was the first U.S. federal chief information security officer. Knowing what kind of security provisions insurers expect to see from companies also can provide a helpful overview. Cybersecurity insurance applications can be downloaded that show the standard levels of security insurers expect and highlight other potential risk areas.

What’s the difference between first-party and third-party cyber liability insurance?

First-party insurance covers the policyholder’s own direct losses from cyberattacks such as data theft, denial of service and extortion. In addition to compensation for lost income, benefits sometimes include coverage for the cost of various steps companies take in the wake of an attack, such as figuring out how their networks were penetrated, notifying customers affected by an attack, restoration or repair of digital content and public-relations efforts to repair a company’s damaged reputation.

Companies that store customer credit-card information or other sensitive personal data typically buy first-party coverage.

Third-party insurance covers companies that allowed a data breach to occur on a client network. For instance, an IT contractor that was paid to build a secure website for a client could be liable for damages if there was a mistake or oversight that led to a network intrusion. Coverage could include reimbursement for legal fees, settlements, damages in court cases and fines that may be levied by government regulators.

What cyber incidents do insurers typically exclude from coverage?

Most standard cyber policies exclude preventable security failures that result from not maintaining a minimum level of security, an improperly configured firewall, for example. Careless mishandling of sensitive information by employees generally isn’t covered, nor, in general, are malicious acts by employees or theft of trade secrets or intellectual property.

The most high-profile cyber-related exclusions were invoked after the 2017 NotPetya ransomware attack, which affected companies around the globe. Some companies that filed cyber-related claims under their business and property insurance policies had them denied, in at least one case under a rarely invoked but standard contractual clause that excludes “a hostile or warlike attack” by a state actor. The Central Intelligence Agency attributes NotPetya to the Russian military.

If the breach is the company’s fault, is the insurer always off the hook?

Not always. Many policies cover employee mistakes such as losing a laptop or falling for phishing scams. But every case is open to interpretation, says Brandon Hickey, president of Insureon Brokerage. If an employee accidentally lost a laptop on the train, for instance, that might be covered. But under the same policy, if that employee lost a laptop that contained sensitive information that wasn’t supposed to leave the office, that could be grounds for a claims denial.

How long after a breach occurs does a company have to report it to an insurer?

There’s often a big difference between when the breach occurs and when it is discovered. On average, small businesses don’t discover that their network has been breached for 197 days, according to a survey by the Ponemon Institute. But once a company is aware of an attack, in general, insurance companies ask customers to inform them of any newly discovered cyber loss when practical. Insurers understand that companies will first want to settle immediate priorities such as securing the network against further intrusions.

Although “when practical” doesn’t mean immediately, sitting on the claim for too long might raise a few eyebrows that could affect a company’s settlement, says Bob Parisi, managing director at the Marsh brokerage unit of Marsh & McLennan Cos. It would be unusual for a company to file a claim, say, six months or more after it discovered an intrusion, he says.

An insurer’s requirement for notification could differ from a company’s legal obligations. All 50 states and the District of Columbia have enacted data-breach notification laws that require public and private organizations to notify all customers that are affected by data loss. Reporting times vary by state, but Colorado and Florida, for instance, have 30-day deadlines from the date of discovery, the shortest allowance for any state.

How do insurers price cyber insurance?

Pricing is based mainly on a company’s annual revenue—since more income amounts to higher risk exposure—and what industry it is in. The insurer wants to find out what sensitive data the company keeps that would make it a target to cyber criminals. A hospital would be more expensive to cover than a library, since the hospital stores a lot of patient medical records. Patient records are protected by strict state and federal privacy rules, so companies that expose that data could be subject to multimillion-dollar fines.

How much network security a company has can also influence premiums. Insurance companies will often ask companies to detail what kind of security they have during the application process, such as whether employees have been trained to recognize cyber fraud or if company software is routinely updated. Insurers also want to know how frequently companies change their passwords and how much network access third-party vendors and service providers have. They may also ask whether a company has had a third-party audit of its system or whether it has used a so-called external penetration tester, also known as ethical hacking, to root out any network weaknesses.

Protecting client data is an ongoing obligation

Firms must perform due diligence on prospective providers

Redtail Technology's recent data leak is a reminder of the weighty responsibilities financial advisory firms face when it comes to cybersecurity. Redtail's customer relationship management system contained data about clients of advisory firms that use the CRM. When some of that information was inadvertently exposed, Redtail's problem also became the problem of the advisers who relied on its CRM.

The Redtail leak can't be blamed on hackers. The company captured personal information about advisory firm clients on an internal file, called a log file, that serves as a record for software developers, and that file was accessible via the internet.
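The Redtail failure is a pattern worth guarding against in code, not only in hosting configuration: developer logs capture whatever the application handled, and sooner or later the log directory is reachable by someone who should not see it. Below is an added example, not Redtail's code, of one mitigation that holds regardless of where the file later ends up: scrub personal data out of every rendered log line before it is written. The patterns, the use of a Luhn check so that order numbers and other long IDs are not over-redacted, the log format and the sample message are assumptions made for illustration.

```python
"""Redact PII from log output before it is written.

Added example, not Redtail's code. The patterns, the log format and the sample
message are assumptions made for illustration.
"""
import logging
import re

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by single spaces or dashes. A candidate is
# only masked if it passes the Luhn check, so order IDs and the like survive.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _mask_card(match: "re.Match[str]") -> str:
    raw = match.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw                      # not a card number; leave it alone
    return f"[CARD-{digits[-4:]}]"      # keep the last four for support lookups


def redact(text: str) -> str:
    """Replace SSNs, e-mail addresses and Luhn-valid card numbers in text."""
    text = SSN_RE.sub("[SSN]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return CARD_RE.sub(_mask_card, text)


class RedactingFormatter(logging.Formatter):
    """Scrubs the fully rendered line, so PII passed through %-style
    arguments or exception text is caught, not only the message template."""

    def format(self, record: logging.LogRecord) -> str:
        return redact(super().format(record))


def format_line(message: str) -> str:
    """Render one INFO message through RedactingFormatter."""
    formatter = RedactingFormatter("%(levelname)s %(message)s")
    record = logging.LogRecord("app", logging.INFO, __file__, 0, message, None, None)
    return formatter.format(record)


# Constructed sample message of the kind a debug log might capture.
SAMPLE = ("contact saved user=jane.doe@example.com ssn=123-45-6789 "
          "card=4111 1111 1111 1111 ref=1234567890123456")

if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("app")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    log.info(SAMPLE)
```

The formatter is attached to the handler, so every logger that writes through it is covered without touching call sites; scrubbing the rendered line rather than the template is what makes that work for values interpolated at runtime. Keeping the last four card digits is a convenience for support staff and can be dropped. Redaction is a backstop for the failure described above, not a substitute for keeping log files out of any web-served directory.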

It's becoming common for personal information to get an airing. Earlier this year, BlackRock exposed the data of about 20,000 financial advisers who used the company's iShares ETFs — advisers from firms including LPL Financial and Axa Equitable. Voya Financial Advisors also had a glitch on a page of adviser bios on its website that had the potential to expose advisers' Social Security numbers.

A recent report from Aite Group suggests the problem is widespread. The report looked at 30 mobile apps from various types of financial services firms and found vulnerabilities in 29 of them.

Assessing and monitoring the cybersecurity practices of their technology providers may seem far outside the comfort zone of financial advisers, but regulators have made it clear that advisory firms need to be on the case.

And they're stepping up enforcement to ensure firms do so. The Securities and Exchange Commission cited cybersecurity as one of its examination priorities this year, and the $1 million fine the agency imposed on Voya Financial Advisors last fall, after hackers gained access to the personal information of thousands of its customers, was seen as a signal that the SEC is cracking down in this area.

A $50,000 fine the Financial Industry Regulatory Authority Inc. imposed on a small broker-dealer last year for having lax procedures that let hackers transfer money out of customers' accounts also was viewed as a warning to the industry.

Late last year, Finra updated its cybersecurity guidelines to include such topics as how to combat phishing attacks and mitigate insider threats.

So what's an advisory firm to do?

Finra guidelines for advisory firms using third-party vendors say firms should perform due diligence on prospective providers before they sign on the dotted line. Contracts should cover such topics as how the firm's information will be stored and transmitted, the vendor's obligations in the event of a breach and limitations on the vendor's employees' access to data.

Once the firm has hired a vendor, it must continue to monitor their efforts. And if a firm terminates the relationship, it should ensure that the vendor deletes all the data it had. Finra also notes that an advisory firm's risk assessments should include all of its vendors' systems and processes.

Last month, the North American Securities Administrators Association came out with a model rule that would require firms to have written policies and procedures in place regarding cybersecurity to protect client information.

Just discussing the work entailed in vetting fintech providers and preparing an advisory firm internally is enough to arouse nostalgia for the Underwriters Laboratories seal of approval on household electronics. If only it were that easy.

But when clients trust firms with their personal information, advisers must repay that trust by doing the work it takes to ensure the safety of that data.

The Best Way to Prepare for a Data Security Audit

At the New York Junior League’s “Technology Talk: Data Security in the Nonprofit Environment,” Lena Licata, a director in EisnerAmper's Process, Risk, and Technology Solutions (PRTS) and Rhina Brito, a senior in PRTS, discussed how firms can prepare for a data security audit, addressing policies and procedures to have in place, how top-level management needs to set the tone, having the appropriate vendor risk management (VRM), how to perform a risk assessment using a framework such as the NIST Framework and finally, how to handle a breach.

Here are a few takeaways the duo mentioned relating to the above-mentioned points.

Policies & Procedures

  • Policies should come from top-level management, and be ‘built-to-last’ regardless of minor business changes.

  • Procedures should include step-by-step instructions.

  • Policies and procedures should be kept in an accessible place and also be kept simple.

  • Examples include Information Security Policy, Privileged User Policy, End User Compliance Policy and more.

Setting the ‘Tone at the Top’

  • An organization’s ‘tone’ is set by top-level management and leadership. It is paramount that they practice ethical behavior and set an example for their employees to follow.

Vendor Risk Management

  • VRM relates to how companies manage relationships with external parties they do business with.

  • It is imperative companies control vendor access to their systems and information.

  • Companies should protect information assets by assigning IT security staff to monitor vendor activity whenever vendors access the network or hardware (e.g., hard drives), and should further consider having an IT risk assessment performed that evaluates the controls and safeguards the vendor has in place to protect information assets from unauthorized access.

  • VRM is a five-step process: companies need to 1) identify the risk sources a vendor can pose; 2) define risk assessment policies for vendors; 3) assess vendor risk; 4) remediate issues by working with critical vendors to ensure remediation; and 5) maintain continued vendor compliance through scheduled periodic assessments.

NIST Cybersecurity Framework

  • Companies can perform a cybersecurity risk assessment using this Framework, which consists of five functions, 1) identify, 2) protect, 3) detect, 4) respond and 5) recover, in case they fall victim to a cyberattack.

How to Handle a Breach

  • If companies fall victim to a breach, they need to stop the bleeding and find out where the points of entry occurred.

  • In addition, companies need to investigate what was accessed and compromised, and over what period of time.

    By Elana Margulies-Snyderman

NASAA Members Adopt Investment Adviser Information Security Model Rule Package

WASHINGTON, D.C. (May 21, 2019) – In a significant step toward enhancing the cybersecurity and privacy practices of state-registered investment advisers, the North American Securities Administrators Association (NASAA) today announced that its membership has voted to adopt an information security model rule package.

“The new model rule requires investment advisers to adopt policies and procedures regarding information security and to deliver its privacy policy annually to clients. I am pleased that the NASAA membership adopted this information security model rule package, which now is available for individual jurisdictions throughout the United States to implement through regulation,” said Michael S. Pieciak, NASAA President and Vermont Commissioner of Financial Regulation.

“Through this model rule package, NASAA seeks to highlight the importance of data privacy and security in our financial markets along with the related need for investment advisers to have information security policies and procedures,” Pieciak said. “The package also provides a basic structure for how state-registered investment advisers may design their information security policies and procedures, which we expect to create uniformity in both state regulation and state-registered investment adviser practices.”

“The reputational damage and loss of client trust that often follows an information security breach can be devastating to the bottom line of any business, especially small businesses. This is significantly important considering that 80 percent of the 17,500 state-registered investment advisers are one-to-two person shops,” said Andrea Seidt, Ohio Securities Commissioner and chair of NASAA’s Investment Adviser Section.


(a) Physical Security and Cybersecurity Policies and Procedures. Every investment adviser registered or required to be registered shall establish, implement, update, and enforce written physical security and cybersecurity policies and procedures reasonably designed to ensure the confidentiality, integrity, and availability of physical and electronic records and information.

The policies and procedures must be tailored to the investment adviser’s business model, taking into account the size of the firm, type(s) of services provided, and the number of locations of the investment adviser.

(1) The physical security and cybersecurity policies and procedures must:

  • (A) Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

  • (B) Ensure that the investment adviser safeguards confidential client records and information; and

  • (C) Protect any records and information the release of which could result in harm or inconvenience to any client.

(2) The physical security and cybersecurity policies and procedures must cover at least five functions:

  • (A) Identify. Develop the organizational understanding to manage information security risk to systems, assets, data, and capabilities;

  • (B) Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;

  • (C) Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event;

  • (D) Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and

  • (E) Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

(3) Maintenance. The investment adviser must review, no less frequently than annually, and modify, as needed, these policies and procedures to ensure the adequacy of the security measures and the effectiveness of their implementation.

(b) Privacy Policy. The investment adviser must deliver upon the investment adviser’s engagement by a client, and on an annual basis thereafter, a privacy policy to each client that is reasonably designed to aid in the client’s understanding of how the investment adviser collects and shares, to the extent permitted by state and federal law, non-public personal information. The investment adviser must promptly update and deliver to each client an amended privacy policy if any of the information in the policy becomes inaccurate.

State regulators release model cybersecurity rule

State securities regulators released a model cybersecurity rule package Tuesday, offering a regulatory framework that states can adopt to bolster protection of client data.

Under the model proposed by the North American Securities Administrators Association, state-registered investment advisers would have to establish written physical and cybersecurity policies and procedures designed to safeguard clients' records and information.

Advisers' policies must cover five functions — identifying, protecting, detecting, responding and recovering. In addition, advisers must review their cybersecurity policy annually and deliver it to clients.

Other parts of the rule package include an amendment to existing model record-keeping requirements and updates to NASAA's lists of unethical business practices and prohibited conduct to include cybersecurity safeguard failures.

Cyber Liability Policies – Who Needs Them?

Cyber insurance appears to still be a mystery, although the first cyber liability policies appeared 20 years ago. What is covered? What is excluded? Why does the customer need it? Does the customer need it? All of these questions and more come to mind when we consider cyber liability.

One of the struggles comes from the fact that the policy forms are different from each other, and we don’t really know what’s in the forms. They look so different and don’t have the names that we’re used to.

Let’s look at a few coverages in a cyber liability policy that you should verify for your customer. As you know, you need to look at the policies that you’re dealing with to find out what’s covered for your customer. This might give you some direction as you have conversations centered on your cyber liability policies.

Privacy Regulatory Claims Coverage

“We” shall pay on “Your” behalf “Regulatory Fines,” “Consumer Redress Funds” and “Claim Expenses” that “You” become legally obligated to pay in excess of the applicable retention resulting from a “Regulatory Claim” first made against “You” and reported to “Us” during the “Policy Period” or “Extended Reporting Period,” arising out of a “Privacy Wrongful Act” occurring after the “Retroactive Date” and before the end of the “Policy Period.”

Can you imagine getting a call from a customer saying that not only did they suffer a data breach, but now a regulatory body called them, and they plan to levy some fines or penalties against them? This coverage is designed to pick up these expenses.

You see several defined terms here (because you already expect that every word in an insurance policy in quotation marks is defined in the policy). These defined terms will help us to understand what is covered by this coverage. This coverage applies to three distinct areas of financial responsibility.

“Regulatory Fines” means fines, penalties or sanctions awarded for a violation of any “Privacy Regulation”.

“Consumer Redress Funds” means any sums of money “You” are legally required to deposit in a fund for the payment of consumers due to a settlement of, or an adverse judgment in, a “Regulatory Claim.”

“Claims Expenses” means … We didn’t give the whole definition for claims expenses because it’s more important to realize that this is included in the coverage. Watch this language. In case you missed it as quoted, go back and read it. The paragraph listed “regulatory fines,” “consumer redress funds” and “claims expenses” within this coverage. Expenses are within the policy limits. That means that every dollar spent in investigation, adjusting, settling or defense comes out of what’s available to indemnify the customer.

The other two items covered here are meant to provide funds when a regulator deems the customer to have violated any regulation ‘… requiring “You” to limit or control the collection, use of, or access to, “Private Information” …’; this coverage picks up the costs as defined in the policy. You’ll notice that the costs include the fees, fines or penalties that the regulator assesses. You’ve likely also noticed that there is no mention of which regulator has to levy the fines. There aren’t those kinds of boundaries online. Your customers could have customers all over the world, which means that the regulator might not even be local to the insured.

They also include any sums that a settlement or judgment requires to be set aside for the satisfaction of injuries to the affected consumers. Why not simply pay the consumers affected by the breach? In these cases, the insured may not know immediately who was affected. You’ve seen stories where millions of users’ data was compromised. Those companies didn’t know whose data was compromised or what the impact of the compromise was. In truth, the injured parties may not know there is an issue for months or years down the road.

Let’s look at one more critical coverage in this policy.

Cyber Extortion

“We” shall reimburse “You” for the “Cyber-Extortion Expenses and Cyber-Extortion Payments” that “You” actually pay in excess of the applicable retention directly resulting from a “Cyber-Extortion Threat” that “You” first receive and report to “Us” as soon as practicable during the “Policy Period.”

We live in a time when someone can email your company and infect your entire network with ransomware. If you’re not aware, ransomware is a nasty little bit of computer magic that is described in the policy.

“Cyber-Extortion Threat” means a credible threat or connected series of threats made by someone other than a member of the “Control Group”:

  • To introduce “Malicious Code” into “Your” “Computer System;”

  • To interrupt “Your” “Computer System” or interrupt access to “Your” “Computer System,” such as through a “Denial of Service Attack;”

  • To corrupt, damage or destroy “Your” “Computer System;” or

  • To disseminate, divulge or improperly utilize any “Private Information” on “Your” “Computer Systems” taken as a result of a “Network Disruption.”

You’ll note that the only notice requirement is to let the company know as soon as practicable. The insurer recognizes that the need for coverage may arise at short notice: the insured might be contacted about a possible event and have only a short time before it occurs. Of course, this definition is full of terms defined elsewhere in the policy. Without diving into all of the specifics of this policy, you can see that the intent is to provide coverage when something bad is about to happen (or has already happened) to an insured’s computer system.

It’s also important to note that the payment is for “cyber-extortion expenses” and “cyber-extortion payments” that have been incurred. We would learn in the definitions of those phrases that the company maintains the right to approve the expenses before they are incurred. Paying attention to those kinds of details is the difference between a claim being fully paid quickly and fully denied quickly.

There are more coverages within this policy, including security breach response, security liability, privacy liability and business income. We come back to one of the original questions. Who needs a cyber policy? The answer simply is anyone that has a cyber exposure. Who has a cyber exposure? Any organization that has computers connected to the internet and to each other. This particular policy also includes coverage if the company’s employee’s data is compromised. What company today doesn’t have some employee data on their network?

The cybersecurity defense advisors forget

LAS VEGAS — Wealth management firms are overlooking a crucial line of defense when it comes to cybersecurity: their own employees.

“Criminals will always go for the humans first, and we as businesses tend to fund the training of our humans last,” said John Sileo, CEO of Sileo Group, a data security think tank, at the Investments & Wealth Institute’s annual conference.

More than half of RIAs say cybersecurity was their biggest area of technology expenses last year, according to TD Ameritrade’s 2019 RIA Sentiment Survey.

But while advisors spend big bucks on technology, they may not be investing enough in arming their employees with the skills to recognize cyberattacks and wire fraud attempts.

“We’ve got to train our people to have a moment of skepticism — when they slow down, ask some questions and think through this,” said Sileo.

Many hackers use “spear-phishing” tactics — emailing a target ostensibly from a known sender after obtaining personal information that makes the ruse more believable. The phishers obtain this personal information by mining Facebook profiles, among other tactics.

Sileo noted one tech firm that fell prey to wire fraud after a hacker impersonated an employee. The finance department at the company, Ubiquiti Networks, erroneously transferred $46.7 million out of its accounts in 2015 as a result of the fraud, according to an earnings report.

Cautionary tales like this, Sileo said, point to the necessity of investing in training so that staff are immediately skeptical and on the lookout for this sort of employee impersonation or any type of fraudulent request.

“Ninety-nine percent of the people inside your organization don’t know the simplest tool of detecting phishing,” Sileo said, noting that most employees fail to hover their mouse over links inside an email, which would reveal suspicious links or web addresses from other countries.

Firms also need to ensure their advisors and clients have two-factor authentication. “That takes cloud and account hacking so low it becomes almost insignificant,” Sileo said.

In order to train firm employees, advisors need to be strategic. “When you teach your employees in terms of layered security they fall asleep,” Sileo said, noting the importance of using real-life scenarios.

Incentives can work as well. “Reward your staff for not having a phishing incident,” Sileo said. “You’ve got to have it tied to positive metrics.”

Cybersecurity is not a one-time spend, according to Sileo.

“You should not be ignoring [cybersecurity], even if you spent the whole last year thinking about it. You have to constantly be thinking about what you are doing.”

Advisors should also see this heightened awareness about cybercrime as an opportunity to add value to client relationships, Sileo said, noting that clients face the same issues and similar cyberattacks.

“Using this information to deepen client relationships is one of the best practices I have seen,” Sileo said, adding that security is one of the most-requested education topics in the financial services industry. “They trust you more than they do their bankers, their credit cards and so forth. It’s a better source when it comes from you.”

Even if advisors don’t discuss the topic with clients, they need to recognize what could be at stake.

“When you are handling that wealth and personal information of your clients, you have to treat it like it’s your own and take it personally,” Sileo said.
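The "hover over the link" check Sileo describes can be automated on the defender's side. What follows is an added example, not code from the article or from Sileo Group: a Python script that collects every link in an HTML e-mail body and flags those whose visible text names a different site than the real destination, or whose destination uses a top-level domain outside an allow-list. The sample e-mail body and the allow-list are constructed for this illustration.

```python
"""Automate the 'hover over the link' check described above.

Added example, not code from the article or from Sileo Group. Given the
HTML body of an e-mail, it collects every anchor and flags it when the
visible text names a different site than the real destination (the
classic lure), or when the destination's top-level domain is outside an
allow-list. The e-mail body and the allow-list below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: TLDs a (hypothetical) U.S. advisory firm expects.
EXPECTED_TLDS = {"com", "org", "net", "gov", "edu", "us"}

# Visible anchor text that itself looks like a URL or a bare domain name.
_DOMAIN_TEXT = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[/?#]\S*)?$"
)

# Constructed sample: one honest link, one lure whose text mimics the
# custodian but whose href points elsewhere, and one plain-text link.
SAMPLE_EMAIL = """
<p>Your statement is ready at
<a href="http://portal.example-custodian.com/login">portal.example-custodian.com</a>.
To avoid lock-out, confirm at
<a href="http://example-custodian.com.login-portal.example/reset">portal.example-custodian.com</a>
or read <a href="https://www.example.com/doc">the document</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML document."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_of(url):
    """Lower-case host of a URL (a bare domain is treated as http://domain)."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def _site(host):
    """Crude site label: the last two labels (example.com). No PSL lookup."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def analyse_links(html_body, expected_tlds=EXPECTED_TLDS):
    """Return one finding per anchor: text, href, host, reasons, suspicious."""
    collector = _AnchorCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.anchors:
        dest_host = _host_of(href)
        match = _DOMAIN_TEXT.match(text.lower())
        shown_host = match.group(1) if match else ""
        reasons = []
        # The text shows one site while the link really goes to another.
        if shown_host and _site(shown_host) != _site(dest_host):
            reasons.append("text/href mismatch")
        # The destination sits under a TLD the firm does not expect.
        tld = dest_host.rsplit(".", 1)[-1] if "." in dest_host else ""
        if dest_host and tld not in expected_tlds:
            reasons.append("unexpected TLD ." + tld)
        findings.append({"text": text, "href": href, "host": dest_host,
                         "reasons": reasons, "suspicious": bool(reasons)})
    return findings


def suspicious_links(html_body, expected_tlds=EXPECTED_TLDS):
    """Convenience wrapper: only the findings that should be escalated."""
    return [f for f in analyse_links(html_body, expected_tlds) if f["suspicious"]]


if __name__ == "__main__":
    for f in analyse_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['text']!r} -> {f['host']} {f['reasons']}")
```

The site comparison uses only the last two host labels, so for country-code second-level domains (co.uk and the like) a real deployment would use a public-suffix list instead.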

United States: New SEC Privacy And Cybersecurity Risk Alert Tells Broker Dealers And Investment Advisers Common Deficiencies To Avoid

Our Take - Morrison Foerster

Like prior OCIE risk alerts, this Risk Alert provides a road map for registered investment advisers and broker dealers to follow when developing or evaluating their data privacy and cybersecurity procedures. They now have additional insight as to the types of issues that OCIE staff will look for when conducting an examination. The Risk Alert also provides registrants, their CCOs and counsel with the raw materials to develop a thorough review program for a firm’s data privacy and cybersecurity policies and procedures. CCOs and compliance staff should ensure that their annual compliance reviews are updated to reflect these issues and should consult with counsel to help evaluate their written policies and procedures, and their implementation of them, in light of OCIE’s findings.

The SEC’s new Risk Alert provides valuable insight as to what the OCIE wants to see broker dealers and investment advisers accomplish with their privacy notices and their cybersecurity policies and procedures. The SEC wants this written documentation to be comprehensive, to accurately reflect the registrant’s practices, and to be implemented effectively throughout their business. Broker dealers and investment advisers can, and should, use this Risk Alert to benchmark their own specific practices against the SEC’s expectations.

In the April 16, 2019 Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) outlines privacy and cybersecurity compliance issues identified in their examinations of broker dealers and investment advisers over the last two years. They found that broker dealers and investment advisers did not have privacy notices that were both accurate and met Regulation S-P’s requirements. The procedures that were in place did not adequately protect customers’ nonpublic financial information in several specific ways. And registrants’ written policies and procedures were not customized for their business, did not comprehensively address cybersecurity and did not accurately reflect their practices.

The key takeaway by the OCIE is that registrants should review their written policies and procedures, including their actual implementation of them. In light of this, we recommend that broker dealers and investment advisers benchmark their privacy and cybersecurity written policies, and their implementation of such policies, against the SEC’s expectations set forth in the Risk Alert as well as the SEC’s various guidance on cybersecurity published since its first cybersecurity risk alert in 2014. This can be approached efficiently using a questionnaire that is designed with the SEC’s stated expectations in mind.

Compliance Deficiencies

The following are common deficiencies that the OCIE reported in its April 2019 Risk Alert. Broker dealers and investment advisers should review each of these, and evaluate whether their own practices in these areas are sound:

  • Personal devices. Policies and procedures were not reasonably designed to safeguard customer information stored by employees on their personal devices.

  • Encryption of email. Policies and procedures did not address the inclusion of customer personally identifiable information (PII) in electronic communications, in particular the encryption of emails that contain PII.

  • Employee training. Failure to provide adequate training to employees on transmitting customer information in an encrypted, password-protected format, and failure to monitor whether such policies were being followed by employees.

  • Data loss controls. Failure to adopt policies and procedures prohibiting employees from sending customer PII to unsecure locations outside of a firm’s networks.

  • Third-party vendors. Failure to contractually bind outside vendors to protect customer information appropriately.

  • Inventorying. Failure to inventory all systems on which customer PII is maintained.

  • Data breach response. Incident response plans did not address important areas, such as role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

  • Physical storage of PII. Storage of customer PII in unsecure physical locations, such as in unlocked file cabinets in open offices.

  • Need to Know. Dissemination of customer login credentials to employees who did not have a legitimate need to have them.

  • Departing employees. Failure to terminate system access of former firm employees.

SEC & FINRA: Shared Regulatory Priorities for 2019

Each year, both the United States Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) issue guidance concerning their regulatory priorities for the coming year. FINRA's 2019 Annual Regulatory and Examination Priorities Letter can be found here, and the SEC Office of Compliance Inspections and Examinations (OCIE)'s 2019 National Exam Program Examination Priorities can be found here.

Set forth below are topics on which the SEC's and FINRA's concerns overlap. Notably, FINRA took a unique approach this year in that its letter begins with materially new topics, then discusses areas of ongoing concern, with an emphasis on aspects of those topics not covered in prior letters. Unlike in previous years, FINRA declined to use its priorities letter to repeat topics that have been "mainstays" of its focus over the years. The SEC also took a new approach, emphasizing how it increasingly leverages technology and data analytics to fulfill its mission and citing its recently adopted Strategic Plan, which reiterates the importance of examinations to bolster regulatory requirements and protect investors.

This year, both of the annual priorities letters address a large number of diverse topics. Accordingly, in order to provide additional insight into the evolution of the SEC's and FINRA's regulatory and examination priorities, we have prepared detailed comparisons of FINRA's priorities between 2007 and 2019 and the SEC's priorities between 2013 and 2019. The comparison of the SEC's priorities is available here. The comparison of FINRA's priorities is available here.

Cybersecurity: The SEC places a particular emphasis on cybersecurity this year and states that it will continue to prioritize cybersecurity in each of its five examination programs. Specific to investment advisers, the SEC will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers. The SEC will also continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, and incident response.

FINRA also retains its emphasis on cybersecurity, although it does so primarily through its focus on regulatory technology or "RegTech." FINRA will engage with firms to understand how they are using a variety of innovative RegTech tools to make their compliance efforts more efficient and how they are addressing related risks, challenges, or regulatory concerns, including supervision and governance systems, third-party vendor management, safeguarding customer data and cybersecurity.

SEC Issues Privacy and Data Security Risk Alert

Thursday, April 18, 2019

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. OCIE is hoping to remind advisers and broker-dealers about providing compliant privacy and opt-out notices, and adopting and implementing effective policies and procedures for safeguarding customer records and information, under Regulation S-P.

Privacy Notices. During the examinations, OCIE observed advisors and broker-dealers were not providing initial privacy notices, annual privacy notices and opt-out notices to their customers. When these notices were provided, many did not accurately reflect firms’ policies and procedures and/or notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties. OCIE’s risk alert, thus, reminds advisors and broker-dealers that Regulation S-P requires that they:

  • provide a clear and conspicuous notice to customers that accurately reflects privacy policies and practices generally no later than when a customer relationship is established,

  • provide a similar notice not less than annually during the continuation of the customer relationship, and

  • deliver a clear and conspicuous notice to its customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.

Written Policies and Procedures to Safeguard Customer Information. OCIE also observed during these examinations that some advisors and broker-dealers had not adopted written policies and procedures as required under the Safeguards Rule. According to the risk alert, some firms simply:

restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards.

And, other policies

contained numerous blank spaces designed to be filled in by registrants.

Given the OCIE’s observations, purchasing sample privacy and data and security policies and procedures, perhaps online, without more, would likely be inconsistent with Regulation S-P. Data security compliance is more than simply having a policy document. OCIE explained that written policies and procedures under Regulation S-P must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Thus, the general approach for advisors and brokers-dealers should be to assess the threats and vulnerabilities to customer records and information, and then craft administrative, physical, and technical policies and procedures to address those threats and vulnerabilities.

OCIE also detailed data security practices that it found troubling under Regulation S-P. Examples include:

  • Personal devices – employees storing and maintaining customer information on their personal laptops without policies and procedures addressing how to protect the information on those devices.

  • Electronic communications – the absence of policies designed to prevent employees from regularly sending unencrypted emails to customers containing PII.

  • Training and monitoring – a lack of training for employees about encryption, password protection, and transmission of PII through company-approved methods.

  • Outside vendors – advisors and broker-dealers maintaining policies that required outside vendors to contractually agree to keep customers’ PII confidential, but not following their own policies.

  • PII inventory – not maintaining an inventory of all systems on which PII is maintained, leaving advisors and broker-dealers unaware of the categories of customer PII that they hold and limiting their ability to adequately safeguard customer information.

  • Incident response plans – plans failed to address role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

  • Departed employees – former employees of advisors and broker-dealers retained access rights to restricted customer information after termination of employment.

Many of the observations noted above are common gaps in data security policies and procedures, particularly for small and medium-sized enterprises in any industry. For advisors and broker-dealers, compliance lapses could result in data breaches, enhanced scrutiny by the SEC and OCIE, and reputational harm. Thus, as OCIE suggests following its recent examinations, advisors and broker-dealers should review and update, as needed, their written policies and procedures to mitigate the issues identified by OCIE staff.

Jackson Lewis P.C. © 2019

NASAA Proposes Investment Adviser Model Cybersecurity Rule

On September 23, 2018, the North American Securities Administrators Association, Inc. (“NASAA”) released a proposed model rule for state-registered investment advisers (“state RIAs”) that would impose new information security and privacy requirements (the “Cyber Proposal”).1 NASAA intends the Cyber Proposal to provide state RIAs with a basic structure for implementing information security policies, procedures and practices and to create uniformity in state regulation of investment adviser cybersecurity.

The Cyber Proposal is intended to build on existing NASAA cybersecurity efforts, such as the 2017 release of a security checklist to help state RIAs identify and remediate cybersecurity vulnerabilities.2

This Legal Update (i) describes the relevant scope of the Cyber Proposal, (ii) explains its substantive requirements, and (iii) highlights some takeaways for the investment adviser industry.


The Cyber Proposal is a proposed model rule, meaning that, even if it is adopted by NASAA, it will not be binding on any state RIAs unless and until state securities administrators formally adopt it through state administrative rulemakings. Additionally, the Cyber Proposal applies to state RIAs and generally would not apply to federally-registered investment advisers (“federal RIAs”), which are exempt from state registration under the National Securities Markets Improvement Act of 1996’s amendments to the Investment Advisers Act of 1940. However, as discussed below, the Cyber Proposal also would amend the model rules for unethical business practices and prohibited conduct, which apply to federal RIAs.  

Substantive Requirements

The Cyber Proposal has three components: (1) a new model information security and privacy rule that would require state RIAs to adopt policies and procedures, (2) an amendment to the existing model recordkeeping rule and (3) an amendment to the model unethical business practices and prohibited conduct rules (collectively, “UBP Model Rules”).

Information Security and Privacy Rule. The proposed model information security and privacy rule would contain two parts addressing (a) the implementation of Physical Security and Cybersecurity Policies and Procedures and (b) the delivery of a Privacy Policy. 

Physical Security and Cybersecurity Policies and Procedures: This part is based on longstanding information security concepts from the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguards Rules3 and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and is not intended to create a new cybersecurity protocol. 

Under this part, a state RIA would be required to establish, implement, update and enforce reasonably designed, written physical security and cybersecurity policies and procedures to ensure the confidentiality, integrity and availability of physical and electronic records and information.

Consistent with the Securities and Exchange Commission’s (“SEC”) Reg. S-P, the Cyber Proposal would require a state RIA’s policies and procedures to:

  • Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

  • Ensure that the investment adviser safeguards confidential client records and information; and

  • Protect any records and information the release of which could result in harm or inconvenience to any client.

The Cyber Proposal also would require the state RIA’s policies and procedures to cover the five cybersecurity functions from the Cybersecurity Framework. These functions are: 

  • Identify. Develop the organizational understanding to manage information security risk to systems, assets, data and capabilities; 

  • Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;

  • Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event; 

  • Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and 

  • Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

A state RIA would need to review and update these policies and procedures at least annually.

Privacy Policy Practices. This part would require a state RIA to deliver a copy of its privacy policy at onboarding and thereafter as it is updated, but at least annually.4

Amended Recordkeeping Requirement. The amendments to the model recordkeeping rule would require that state RIAs maintain copies of their policies and procedures and other compliance records related to the Information Security and Privacy Rule discussed above. The Cyber Proposal would expressly require that state RIAs maintain hard copies of their current policies and procedures to mitigate information security risks.

Amended UBP Model Rules. The proposed amendment to the UBP Model Rules would clarify that a failure to establish, maintain and enforce a required policy or procedure would be an unethical business practice and prohibited conduct. This amendment is intended to cover supervisory and business continuity policies and procedures in addition to the information security and privacy policies and procedures described above. 

Given that the UBP Model Rules apply to federal RIAs, it is unclear why NASAA would include this amendment in the Cyber Proposal, which generally would not apply to federal RIAs. It is possible that NASAA is seeking to create an avenue for state securities administrators to take action against federal RIAs that lack cybersecurity policies or that the amended UBP Model Rules may be used to target non-compliance with the policies and procedures requirements of the SEC’s Safeguards Rule.

Takeaways

The Cyber Proposal represents a significant effort by NASAA to develop cyber guidance and preparation standards for small advisory firms. However, because the Cyber Proposal is only a model rule, the versions adopted in each state may vary. 

Additionally, it is unclear how the Cyber Proposal will interact with other cybersecurity requirements, such as Colorado’s and Vermont’s cybersecurity regulations for broker-dealers and state RIAs providing services in those states, or Massachusetts’s generally applicable cybersecurity regulation.5 State RIAs doing business in those states may need to maintain multiple variations of their cybersecurity policies, or adopt the most restrictive requirements and apply them across all states.

1 NASAA, Request for Public Comment Regarding a Proposed IA Model Rule for Information Security and Privacy Under the Uniform Securities Acts of 1956 and 2002 (Sept. 23, 2018). The text of the Cyber Proposal is available at http://www.nasaa.org/wp-content/uploads/2018/09/NASAA-Request-for-Public-Comment-on-Information-Security-and-Privacy.pdf and public comments on the proposal are available at http://www.nasaa.org/regulatory-activity/nasaa-proposals/public-comment-on-nasaa-proposals/public-comment-on-proposed-ia-model-rule-for-information-security-and-privacy-under-the-uniform-securities-acts-of-1956-and-2002/

2 NASAA, NASAA Releases Cybersecurity Checklist for RIA firms (Oct. 17, 2017); NASAA, Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity (Mar. 27, 2018). 

3 Specifically, the Cyber Proposal would implement concepts from the versions of the Safeguards Rules that have been promulgated by the Federal Trade Commission (“FTC”) and the Securities and Exchange Commission. However, the Cyber Proposal uses, but does not define, the term “client”, and it is unclear if NASAA intends for the Cyber Proposal to cover clients who would not be “customers” under GLBA.

4 NASAA recognized that an annual delivery requirement diverges from the requirements of GLBA but asserted that “privacy policies contain important information, and advisory clients should receive a copy of their investment adviser’s privacy policy every year.” 

5 See Colo. Code Regs. §§ 704-1:51-4.8, 4.14; 4-4 Vt. Code R. § 8:8-4; Mass. Gen. Laws ch. 93H, §§ 1 to 6, 175I, §§ 1 to 22; 201 Mass. Code Regs. 17.00 to 17.05.

Jeffrey P. Taft

Adam D. Kanter

Matthew Bisanz

Nicholas McCoy

Industry Regulator Issues Cybersecurity Guidance

Borden Ladner Gervais LLP

The Financial Industry Regulatory Authority (FINRA) is an independent, self-regulatory organization for broker-dealer firms doing business in the United States. FINRA is authorized by the United States Congress to protect American investors by making sure the broker-dealer industry operates fairly and honestly.

In 2015, FINRA issued a Report on Cybersecurity Practices to provide information about the following practices that broker-dealer firms should consider to strengthen their cybersecurity programs: (1) cybersecurity governance and risk management; (2) cybersecurity risk assessment; (3) technical controls; (4) incident response planning; (5) vendor management; (6) staff training; (7) cyber intelligence and information sharing; and (8) cyber insurance. The report explained FINRA’s expectation that broker-dealer firms would make cybersecurity a priority and would devote sufficient resources to understanding and preparing for current and evolving cybersecurity threats. 

In 2016, FINRA published a Checklist for a Small Firm’s Cybersecurity Program to help small broker-dealer firms with limited resources establish a cybersecurity program. The checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices (2015), and references the SANS Critical Security Controls for Effective Cyber Defense.

The 2018 Report

FINRA’s Report on Selected Cybersecurity Practices – 2018 presents FINRA’s recommendations for effective practices regarding five important cybersecurity topics: (1) cybersecurity controls in branch offices; (2) phishing attacks; (3) insider threats; (4) penetration-testing programs; and (5) mobile devices. The Report reminds firms that the recommended practices should be part of a holistic cybersecurity program, as discussed in FINRA’s 2015 Report on Cybersecurity Practices. The Report also provides a list of core cybersecurity controls for small broker-dealer firms to be used in conjunction with FINRA’s Checklist for a Small Firm’s Cybersecurity Program. Following is a summary of some of the key recommendations in the Report.

Branch Controls 

The Report explains that effective cybersecurity controls in branch offices are especially important for firms with decentralized business models. The Report details four practices for addressing cybersecurity risks at branch offices: (1) develop comprehensive and easily referenced written supervisory procedures to define minimum cybersecurity requirements and to formalize oversight of branch offices; (2) create inventories of branch-level data, software and hardware assets, and related third party services, for use in conjunction with cybersecurity risk assessments to help identify critical assets and their cyber vulnerabilities; (3) establish and maintain branch technical controls to mitigate identified cybersecurity threats; and (4) implement a robust review program to ensure that branches consistently apply cybersecurity practices.

Phishing Attacks 

The Report explains that social engineering or “phishing” attacks, which try to convince a targeted individual to disclose sensitive information (e.g. personal information or credentials) or take harmful action (e.g. clicking on a malicious link or opening an infected attachment), are one of the most common cybersecurity threats to firms and their customers. The Report warns about the increasing sophistication and quality of phishing attacks, especially carefully planned attacks targeted to a specific individual (known as “spear phishing”) or to a senior executive (known as “whaling”) that can be difficult to distinguish from legitimate communications. The Report provides a useful summary of the characteristics of common phishing communications.

The Report details practices to mitigate phishing risks, including: (1) develop policies/procedures to specifically address phishing; (2) include phishing scenarios in risk assessments; (3) establish policies/procedures to confirm transaction requests; (4) implement email scanning and filtering to monitor and block phishing and spam communications; (5) train staff, including simulated phishing campaigns and remedial training for staff who demonstrate risky behaviour; (6) review processes/procedures to detect and remediate a successful phishing attack; (7) implement data loss prevention practices/procedures to reduce the impact of a successful phishing attack; and (8) provide customers with resources to protect themselves from phishing attacks. 

Insider Threats 

The Report warns that insider threats are a critical cybersecurity risk, because insiders (i.e. individuals with authorized access to firm systems and data) are often able to circumvent controls and cause material data breaches and other significant harm to an organization. The Report explains that an effective risk-based insider threat program typically includes the following components: (1) executive leadership and management support; (2) identity and access management policies and technical controls; (3) technical controls to help identify risky activities or anomalous behaviour and detect potential attacks, and data loss prevention controls to prevent the inadvertent or malicious transmission of data to unauthorized recipients; (4) training for all insiders; (5) measures (based on people, processes and technologies) to help identify potentially malicious insiders and deter intentional misconduct, and to cultivate a strong culture of compliance; and (6) a comprehensive asset inventory.

Penetration Testing 

The Report explains that penetration (or “pen”) testing can be an important part of a cybersecurity program. A pen test simulates a malicious external or internal attack on a firm’s network to identify vulnerabilities and evaluate the effectiveness of preventative measures. The Report notes that firms often take a risk-based approach to determining the systems to be tested and test frequency. The Report encourages due diligence when selecting pen test service providers, and the use of appropriate contractual arrangements (including confidentiality obligations) with all pen test service providers. The Report notes that firms often follow established governance structures and procedures for determining when and how to address risks identified by a pen test.

Mobile Devices 

The Report explains that the increasingly widespread use of mobile devices by staff, customers and service providers can present significant cyber risks, including infected, cloned or pirated applications, operating system vulnerabilities, and phishing, spoofing or rerouting of calls, emails and text messages. The Report details practices to mitigate risks presented by staff use of mobile devices, including: (1) develop policies/procedures (e.g. “bring your own device” standards) for staff use of mobile devices and for the protection of sensitive data and information; (2) prohibit staff use of a mobile device unless the device has been approved and the user has agreed to comply with applicable policies/procedures; (3) train staff; (4) require all mobile devices to comply with technological requirements (e.g. mobile device management applications, password requirements, software restrictions, and encryption and transmission controls); (5) emphasize the importance of physically securing mobile devices and reporting lost devices; and (6) enforce compliance with mobile device policies/procedures with appropriate consequences for violations.

The Report details practices to mitigate risks presented by customers’ use of mobile devices, including: (1) customer education/information about mobile device risks; (2) require the use of multi-factor authentication and implement data loss prevention controls; (3) prohibit the use of mobile devices for certain activities (e.g. changes to account settings or contact information); (4) automatically terminate remote network access after a period of inactivity; and (5) secure development and testing of mobile applications.

Core Cybersecurity Controls for Small Firms 

The Report lists the following “core controls” for small firms’ cybersecurity programs: (1) patch maintenance; (2) secure system configuration; (3) identity and access management; (4) vulnerability scanning; (5) endpoint malware protection; (6) email and browser protection; (7) perimeter security; (8) security awareness training; (9) risk assessments; (10) data protection; (11) third-party risk management; (12) branch controls; and (13) policies and procedures. The Report cautions that an effective cybersecurity program requires that each of those controls be considered in the context of the firm’s particular business model and technology infrastructure, and in light of other relevant circumstances. The Report encourages small firms to consider other FINRA cybersecurity guidance.