You’ve Been Hacked! What Do You Say?

Over the past few months Advisor Armor has seen a dramatic increase in email hacks including those associated with key-logging.  We want to remind all that those are hacks and an investigation is required to assess impact and required responses.

Getting hacked is not only expensive in remediation costs and reputational damage. Now public corporations could also face regulatory penalties if they don’t explain the breach the right way and quickly.

US compliance managers, legal counsel and IT managers of public firms need to devise a strategy for who tells whom, what and when about the breach, says the Securities and Exchange Commission. The US regulatory agency has just updated its 2011 guidance on how public firms notify investors about actual and attempted cybersecurity breaches, as well as how to slam the door on potential insider trading before the breach is made public.

The SEC’s guidance comes in the wake of a series of highly publicized delays in data breach disclosures and suspiciously timed trading. Yahoo, for one, waited until 2016 to disclose data breaches in 2013 and 2014. C-level executives at Equifax made undisclosed stock divestitures totaling over US$1.8 million last year before news of its data breach was made public.

Public firms have been singled out by the SEC for disclosure guidance and trading prohibitions. Although the regulatory agency requires registered investment advisers (RIAs) to create cybersecurity programs to prevent data breaches, it has not come up with detailed disclosure guidelines. Neither has the Financial Industry Regulatory Authority for broker-dealers. However, RIAs and broker-dealers are expected to inform clients affected by cybersecurity breaches of the incidents to fulfill their legal obligations to disclose conflicts of interest. Those which are also public must also follow the new SEC guideline.

“The guidance shouldn’t severely impact how firms already behave since they should already be disclosing breaches to the public as soon as they are known and not allowing insiders to trade on non-public information,” says Jeremy Wittkop, chief technology officer for InteliSecure, a Denver-based security data protection firm. “The guidance simply clarifies how companies are expected to behave.”

Still public firms shouldn’t take the SEC’s guidance lightly. Although guidance doesn’t have the force of law, the regulatory agency could now fine a public firm for misleading investors about its cybersecurity practices or a data breach.

Telling investors a breach has occurred is the easy part. Explaining the impact of such a breach will be far harder to do, because the SEC considers cybersecurity breaches to be part of investment risk. Investors have a right to promptly know how severe the financial damage really was and the likelihood a firm might be hacked in the future. Public firms must also take steps to prevent investors from being harmed by C-level executives using insider information to trade in the firm’s shares.

“Compliance managers, legal counsel and crisis management experts will need to work quickly on what they want to tell investors because they can’t wait until they have investigated the cybersecurity breach, written platform code to patch up the hole and quantified the potential losses,” says Spencer Feldman, a partner in the corporate and securities practice of law firm Olshan Frome Wolosky in New York. “The SEC said notification must be timely after a breach was uncovered.”

Public firms will also have to think twice about keeping information about “minor” breaches confidential. Although the SEC’s guidance allows public firms to limit their disclosures to “material” breaches, the SEC’s definition of that word isn’t always based on generally accepted accounting principles.

“The SEC isn’t defining materiality based on the amount of the financial loss involved in a particular incident, but on whether a reasonable investor would view omitted information about an incident as important in making an investment decision or whether the omitted information would have significantly altered the total mix of information to investors,” says Matthew Rossi, a partner specializing in securities litigation and data privacy with the law firm of Mayer Brown in Washington, D.C. “Security incidents are now considered material, because they can impact the value of a company’s stock.”

Once a data breach is uncovered, says Feldman, a public firm must warn all of its C-level executives and employees from trading in any of the company’s shares without the express consent of its chief compliance officer until investors are notified.

The Right Story

Multiple professionals are likely to be involved in communications after a breach. Compliance managers should have already drafted the procedures on who is notified and when, while the legal counsel handles the disclosure language. Public relations professionals specializing in crisis management might be recruited to craft the press releases and train C-level executives for breach-related media interviews.

The first disclosure will likely be the filing of a Form 8-K with the SEC, which is used to promptly report current events that may be of interest to investors. Drafting this document and a press release can easily take several days after the breach is discovered, even if the full extent of the damage isn’t known. Further information must be disclosed as the investigation of the incident proceeds.

The dissemination of information to the public also requires managing the message within the company. Public firms should have a documented policy, prepared in advance, laying out a step-by-step process for IT and cybersecurity managers to notify chief compliance officers, legal counsel, chief executive officers, chief operating officers and boards of directors. C-level executives can’t be kept in the dark for too long.

How much should the public firm disclose to investors? “For the Form 8-K document, disclosing at least the bare minimum of material information is likely the best approach because the extent of the financial loss won’t be known,” says Saleemah Ahamed, a managing principal at Adherence LLC, a New York regulatory compliance firm. What’s the bare minimum? “A data breach has occurred and the firm is doing its best to mitigate the financial loss to its investors and customers,” says Ahamed. “Consumer-based companies could even say they are offering customers credit checks for free.”

What then? The quarterly Form 10-Q and annual Form 10-K reports are next in line to include a more detailed discussion of just what occurred, including specifics on the financial impact. The dollars-and-cents figure must include expenses for investigations, remediation of the breach, litigation and revenue losses. Of course, the public firm can’t quantify reputational harm, but must include mention of that fact. “Public firms must also explain the possibility that a breach could take place in the future and which assets (data) are at risk of being stolen,” says Rossi.

When it comes to explaining how critical data will be protected from a cybersecurity attack, the SEC is allowing some discretion. “Firms won’t be required to spill the beans about every precautionary step they are taking because that would give hackers too much information,” says Rossi.

What if a public firm has never experienced a cybersecurity breach, or at least is not aware of it? The good news is that the firm won’t be in the hotseat from investors, customers and regulators on how much information to disclose. The bad news is it will still have to devise language to explain the future possibility of a cybersecurity breach and whether they have purchased cybersecurity insurance. The firm must also admit that such insurance may not cover all financial losses to investors.

Although the SEC’s guidance focuses on what to do after a cybersecurity breach has taken place, Wittkop recommends that firms review their entire cybersecurity program before they’re faced with a breach. “They must ensure that they have sufficient incident report procedures to investigate potential breaches quickly, to confirm or deny them, as well as reporting breaches within the timeframes established by the guidance,” he says.


Data Breaches: A Major Risk for Financial Professionals

Dealing with cyber threats and staying compliant with government and industry requirements are now inherent risks of doing business for financial professionals. While some insurance and financial services professionals have awakened to this reality, most have significant work to do to protect themselves and their clients.

In today’s digital age, maintaining a formalized information-security plan and staying compliant with federal, state and industry data breach regulations have not only become essential management practices, but possibly a matter of survival, as well.  Here’s why.

Financial industry targeted

The financial industry is highly targeted by cyber criminals because of the valuable personal, financial and health-related information handled on a daily basis, and because brokers and agents are often the most vulnerable and least prepared to prevent or respond to cyber-attacks.

The industry has been rocked over the last two years by an onslaught of data breaches, resulting in well over 100 million Americans’ personal, financial and healthcare data being exposed.  Making things worse, criminals are looking to access larger businesses and their data by targeting insurance, brokerage, financial, legal, and accounting firms.

This is putting increased pressure on the industry to not only meet new client expectations for data privacy, but to also comply with government and industry standards for protecting confidential information.

Regardless of the types of products you provide, your clients expect you to keep their personal and confidential information private and secure.  Business clients in particular are becoming increasingly concerned about security risks with their third-party service providers, and are starting to require agents and brokers to answer lengthy security questionnaires about their cybersecurity and risk-management practices before doing business.

If you haven’t already begun receiving information-security assessments from key clients, including the requirement to sign an information-security agreement, be assured that this is the future of building and maintaining client relationships.

It’s ironic that after years of worrying about “differentiation” and what makes one broker or advisor better than the other, gaining and keeping clients may boil down to a measurable distinction between the firms that might get hacked and the firms that might not.

Brokers and agents who are serious about their business are now taking this expectation seriously, including obtaining security and compliance certifications based on regulatory and industry standards.  Some brokers are now starting to promote this type of security certification in marketing materials and client pitches as a competitive differentiator.

Regulatory requirements

In addition to client expectations for better security, personally identifiable information (PII), such as Social Security Number, date of birth, financial and insurance information, medical information, and other confidential data must be properly protected under various federal and state laws.

Well-known examples of federal laws include HIPAA-HITECH and GLBA that require insurance and financial-services firms to implement safeguards to protect confidential information they handle in the normal course of business in the health-benefits or financial-services markets.  These include insurance and financial-services brokers, as well as agents and producers.

In addition, 47 states have enacted laws that require all businesses to protect the PII of consumers and businesses within the state.  Brokers, advisors and agents in these states, or those who have customers in these states, must comply with the respective state laws or face civil and/or criminal penalties.

Some states have enacted rigorous laws, such as Colorado, California, and New York, where the Department of Financial Services recently implemented new cybersecurity regulation requiring banks, insurance companies, licensed financial professionals and others to establish and maintain a cybersecurity program to protect consumers.  This law applies even to those who do business within the state.

Financial industry standards

Since 2005, SEC and FINRA have required broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties (Regulation S-P, Safeguards Rule 30(a)). This includes the adoption of a formalized information-security plan with written policies and procedures for protecting client information.

In light of the increasing number of data breaches in the financial-services industry, it’s not surprising that SEC and FINRA have recently stepped up efforts to enforce fines and penalties on firms whose security controls are lacking.

Additionally, NAIC has consistently advocated for better information security standards for the industry.  In the coming months, NAIC is set to finalize a comprehensive Model Law that establishes the exclusive industry standards for data security and breach response.  This will apply to all insurance licensees, including not just insurers, but agents, brokers and other parties.

NAIC’s model law requires all licensed persons and organizations to create a comprehensive, written, information-security program that details the administrative, physical and technical safeguards for protecting personal information, including a breach response plan.  It would also require owners and boards of directors to approve and oversee implementation of the program and compliance with the law.  The model cybersecurity standards are aimed at encouraging state insurance regulators to incorporate these elements into their regulatory framework.

Cybersecurity and Compliance Best Practices

The development, implementation and ongoing management of your information security plan should follow the standards and best practices outlined in federal, state and industry requirements.

Here’s a checklist to use as a starting point:

  1. Management commitment, creating a culture of security
  2. Conducting regular security risk and compliance assessments
  3. Creating and maintaining information security policies and procedures
  4. Implementing necessary cybersecurity technology and defenses
  5. Conducting regular security vulnerability assessments
  6. Providing security awareness training for all personnel
  7. Managing third-party service provider/vendor risks
  8. Having a breach incident response plan
  9. Obtaining appropriate cyber-liability insurance
  10. Getting third-party compliance certifications

Failure to implement and maintain these essential practices can cost you business and can significantly reduce your legal defensibility in the event of a data breach incident.

Remember that cybersecurity and compliance are not something you “set and forget.” They constitute an ongoing process that must be tested, maintained and updated.

On the road to compliance

Data breaches have created a new business-management responsibility to properly protect confidential information. The first step is to assess where you stand today.  Where are your current vulnerabilities?  What regulatory, legal and industry requirements are you not adequately following or failing to address?

You may have to admit that you are not an expert in cybersecurity or data-breach compliance and may not be qualified to handle this alone.  Your IT staff or a tech-savvy friend may be able to help some, but this is not just an IT issue.  If you do not have the inside expertise in cybersecurity and compliance management, get outside help.  You may want to consider outside experts anyway, as they likely have more experience and a broader array of tools and resources.

Cyber Incident & Breach Trends Report

Review and analysis of 2017 cyber incidents, trends and key issues to address

This year marks the Online Trust Alliance’s tenth annual publication related to cyber incidents and breach readiness. Now an initiative of the Internet Society, OTA reviews cyber incident and breach events to extract key learnings and provide guidance to help organizations of all sizes around the world raise the bar on trust through enhanced data protection and increased defense against evolving threats. This Cyber Incident & Breach Trends Report builds on last year’s expanded recognition of threats beyond just data breaches to include ransomware, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and connected device vulnerability.


Cybersecurity: Guidance through 2018 Priorities and Recent Exam Findings

The Financial Industry Regulatory Authority (FINRA) is ramping up its commitment to assist the industry in its cybersecurity compliance efforts. Recent guidance to the industry from FINRA includes:

  1. an Examination Findings Report, detailing observations from recent broker-dealer examinations with the goal of assisting broker-dealers in enhancing their compliance programs and better anticipating potential areas of concern (FINRA included compliance areas to highlight based on the frequency of deficiencies and the potential impact on investors and markets); and
  2. the 2018 Regulatory and Examination Priorities, in which, notably, FINRA instructed firms to review the priorities in conjunction with the Examination Findings Report.

FINRA called out cybersecurity, in its Examination Findings Report, as one of the “principal operational risks facing broker-dealers.” While acknowledging the increased threats today, FINRA noted that firms have generally increased their focus on cybersecurity issues and some firms examined are at the forefront of developing “cutting-edge cybersecurity programs.”

FINRA detailed the areas in which its examinations found firms’ cybersecurity programs to be either effective or deficient. Reviewing the positives and negatives provides valuable information for firms looking to shore up their cybersecurity programs.

Examples of Effective Practices Include:

  • Escalation Protocols: Have an escalation process that ensures the appropriate level at the firm is apprised of issues to ensure attention and resolution.
  • Plans to Resolve Issues: Implement detailed resolution steps and time frames for completion.
  • Routine Risk Assessments: Conduct regular risk assessments, including vulnerability and penetration tests.
  • Routine Training: Conduct training for firm employees, including training tailored to different functions, in addition to generic cross-firm training.
  • Branch Office Reviews: Include cybersecurity focused branch exams to assess risks and identify issues.
  • Additional Practices: Implement security information and event management practices, use system usage analytics, and adopt data loss prevention tools.

Examples of Deficient Practices Include:

  • Failure to Follow Access Management Steps:
    • Not immediately terminating access of departing employees.
    • Failing to have processes to monitor or supervise “privileged users” to identify unusual activity (e.g., assigning extra access rights, unauthorized work outside business hours, or logging in from different geographical locations at or about the same time).
  • Infrequent or No Risk Assessments:
    • No formal risk assessment practices.
    • Unable to identify critical assets or potential risks.
  • Informal Processes for or Lack of Vendor Management:
    • Failed to have formal processes to assess vendor’s cybersecurity preparedness;
    • Failed to include required notification of breaches involving customer information in vendor contracts.
  • Noncompliant Branch Offices:
    • Failed to manage passwords.
    • Failed to implement security patches and software updates.
    • Failed to update anti-virus software.
    • Lacked control of employee use of removable storage devices.
    • Use of unencrypted data and devices.
    • Failed to report incidents.
  • Segregation of Duties:
    • Failed to segregate duties for requesting, implementing, and approving cyber-security rules and systems changes.
  • Data Loss Prevention:
    • Lack of rules to ensure all customer sensitive information is covered.
    • Permitted or failed to block large file transfers to outside or untrusted recipients.
    • Failed to implement formal change-management processes for data loss prevention systems changes.
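The privileged-user monitoring gap above (no process to spot extra access rights being assigned, work outside business hours, or logins from different locations at about the same time) is one a small detection script can close for a firm that already keeps an authentication and audit log. The following is an added example, not FINRA's guidance or code from the page's author: it assumes a constructed, space-separated log format (`timestamp user action detail`) and a firm with business hours of 07:00 to 19:00, and it runs the three checks over a few constructed events.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample audit/login events (format is an assumption for this example):
#   "<ISO timestamp> <user> <action> <detail>"
SAMPLE_EVENTS = [
    "2018-03-05T09:12:00 alice login NYC",
    "2018-03-05T09:40:00 alice login LON",        # second location 28 minutes later
    "2018-03-05T02:15:00 bob login NYC",          # outside business hours
    "2018-03-05T14:00:00 carol grant_role admin:dave",  # privileged user assigning rights
    "2018-03-05T10:05:00 dave login NYC",
    "2018-03-05T17:30:00 dave login NYC",         # same location, nothing unusual
]

# Assumed firm policy values for this example.
BUSINESS_HOURS = (time(7, 0), time(19, 0))
TRAVEL_WINDOW = timedelta(hours=1)   # two distinct locations within this window is suspicious
PRIVILEGED_USERS = {"carol"}         # accounts whose rights-granting activity is always reviewed


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    detail: str


def parse_event(line: str) -> Event:
    """Parse one constructed log line into an Event."""
    ts, user, action, detail = line.split(" ", 3)
    return Event(datetime.fromisoformat(ts), user, action, detail)


def find_anomalies(lines):
    """Return (user, finding, evidence) tuples for the three FINRA-noted patterns."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e.ts)
    findings = []
    last_login = {}  # user -> (timestamp, location) of the most recent login

    for e in events:
        if e.action == "login":
            start, end = BUSINESS_HOURS
            if not (start <= e.ts.time() <= end):
                findings.append((e.user, "off_hours_login", e.ts.isoformat()))
            prev = last_login.get(e.user)
            # Different location from the previous login, within the travel window.
            if prev and prev[1] != e.detail and e.ts - prev[0] <= TRAVEL_WINDOW:
                findings.append((e.user, "concurrent_geo_login", f"{prev[1]}->{e.detail}"))
            last_login[e.user] = (e.ts, e.detail)
        elif e.action == "grant_role" and e.user in PRIVILEGED_USERS:
            findings.append((e.user, "privileged_access_grant", e.detail))

    return findings


if __name__ == "__main__":
    for user, finding, evidence in find_anomalies(SAMPLE_EVENTS):
        print(f"{user:8} {finding:24} {evidence}")
```

Each finding is a review item for the supervisor, not a verdict: a legitimate VPN exit in another city will trip the location check, and the point of the exercise is that someone looks. Tune `TRAVEL_WINDOW` and `BUSINESS_HOURS` to the firm's actual working pattern and feed the script the real log export rather than the constructed lines.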

FINRA’s 2018 Examination and Regulatory Priorities also include cybersecurity as a priority area. In addition to the areas noted above, which FINRA also calls out in the Priority Letter, FINRA noted two additional themes. One, it will evaluate the effectiveness of firms’ cybersecurity programs in protecting sensitive information. Two, FINRA reminds firms that they need policies and procedures to determine when a Suspicious Activity Report should be filed regarding a cybersecurity event. (See FinCEN’s Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime, Oct. 25, 2016.)


FINRA reminds firms that, while exam deficiencies must be addressed, firms often benefit from “proactively” remediating issues before the exam is completed. Acting proactively strengthens firms’ programs and enhances regulatory protections. Our observation, as outside counsel, is that when firms take proactive steps to get ahead of issues, it demonstrates to the regulators that the firm has a commitment to a strong compliance program and, in the right circumstances, may have a material impact on how FINRA decides to resolve an issue.

The information FINRA provides in the Examination Report and Priorities Letter provides roadmaps to enhancing overall compliance, supervisory, and risk management programs. With regard to the focus on cybersecurity, by using this resource firms can effectively prepare for examinations, potentially prevent program gaps and avoid cybersecurity incidents.

3 Types of Cyberattacks and How to Avoid Them: FINRA Conference

One key reminder: Many attacks are due to human error

Protecting against cyberattacks requires both high-tech and low-tech efforts by financial firms, according to presentations at the 2018 FINRA Cybersecurity conference in New York on Thursday.

First, advisory firms need to answer four key questions, according to retired FBI agent Jeff Lanza, who was the keynote speaker:

  • Where are your assets?
  • What at your firm is subject to attack?
  • Can you detect an attack in real time?
  • Is cybersecurity a focus for your firm at the board level?

“If you can’t answer all four questions you’re not doing enough to fight hackers,” said Lanza, a former computer systems analyst before he was recruited by the FBI.

SEC’s 2018 Exam Priorities Reflect Continued Focus on Cybersecurity

Tuesday, February 13, 2018

Annually, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) publishes its examination priorities for the new year. Recently, OCIE announced five priorities that will inform its examinations moving into 2018.

OCIE is committed to “promoting compliance, preventing fraud, identifying and monitoring risk, and informing policy.” In support of these “pillars,” OCIE intends to focus on:

  1. Issues of importance to retail investors, such as fee disclosures, mutual funds, and exchange-traded funds;

  2. Entities that are critical to the proper functioning of capital markets, such as clearing agencies and national securities exchanges;

  3. Oversight of the Financial Industry Regulatory Authority (FINRA) and the Municipal Securities Rulemaking Board (MSRB);

  4. Cybersecurity; and

  5. Anti-money laundering programs.

The emphasis on cybersecurity is not new.  As early as 2014, OCIE highlighted its commitment to monitoring cybersecurity practices of regulated entities when it launched a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry.  In 2015 and 2017, the SEC released the results of its first two cybersecurity examination sweeps.  Prior examination priorities also included the SEC’s commitment to “examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at broker-dealers and investment advisers.”

In this year’s announcement, OCIE noted that the scope and severity of risks related to data breaches and cyber attacks have increased and that such attacks can affect not only the targeted firms, but unsuspecting investors and market participants as well.  In evaluating firms’ cybersecurity programs and potential enforcement referrals, the agency intends to emphasize governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.

As noted in a recent post, cybersecurity continues to be a top priority for the SEC’s Division of Enforcement as well. Indeed, in 2017 the Enforcement Division created a new specialized “Cyber Unit” dedicated to investigating violations related to cybersecurity intrusions and breakdowns. And the SEC’s Chairman, Jay Clayton, has made clear in public remarks that he is personally focused on the issue. Unfortunately, these public statements provide little specific guidance as to what cybersecurity measures will be deemed adequate. Whether specifically subject to OCIE’s examination authority or not, however, organizations should be mindful that the SEC’s spotlight on cybersecurity is likely to intensify and approach their own risk assessments, budget, resources, and compliance priorities accordingly.


INTRODUCTION

This document presents OCIE’s 2018 examination priorities. In general, the priorities reflect certain practices, products, and services that OCIE believes may present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.


Our 2018 priorities are organized around five themes:

1. Matters of importance to retail investors, including seniors and those saving for retirement;

2. Compliance and risks in critical market infrastructure;

3. Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB);

4. Cybersecurity; and

5. Anti-Money laundering programs.

CYBERSECURITY: Cybersecurity protection is critical to the operation of our markets. The scope and severity of risks that cyber threats present have increased dramatically. The impact of a successful cyber attack may have consequences that extend beyond the firm compromised to other market participants and retail investors, who may not be well informed of these risks and consequences. We are focused on working with firms to identify and manage cybersecurity risks and to encourage market participants to actively and effectively engage in this effort. We will continue to prioritize cybersecurity in each of our examination programs. Our examinations have and will continue to focus on, among other things, governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response.


Cybersecurity Compliance for Financial Institutions

The New York Department of Financial Services has adopted detailed cybersecurity regulations for financial institutions. The NYDFS has filled a vacuum created by the failure of the federal government to act in this important area. Congress has failed to enact any specific requirements; the federal government continues to rely on voluntary efforts and recommended standards. As long as this vacuum continues, state regulators and even foreign governments will push cybersecurity and data privacy requirements on global businesses.

The cybersecurity regulations apply to bank and trust companies, credit unions, life and health insurance companies, mortgage bankers, money transmitters, investment companies and sales finance companies.

The primary requirements of the regulations oblige covered entities to:

  • Adopt a cybersecurity program, including appropriate policies and procedures based on a risk assessment to identify threats and protect against cyberattacks;
  • Conduct a periodic risk assessment that includes criteria to evaluate and categorize cyber risks and evaluate the adequacy of existing controls to mitigate such risks;
  • Secure board review and approval of the company’s cybersecurity program, including policies and procedures;
  • Designate a chief information security officer (CISO) to maintain the cybersecurity program and compliance with the regulations. The CISO has to report annually to the board of directors on its cybersecurity risks;
  • Encrypt all nonpublic information in transit and at rest;
  • Implement multi-factor or risk-based authentication to access nonpublic information;
  • Implement a third-party risk management system for vendors, suppliers and other outside businesses;
  • Maintain a log of all business activities so that financial transactions can be audited;
  • Have the board of directors certify annually that the company is in compliance with the cybersecurity regulations;
  • Provide training awareness programs that are updated each year based on an annual risk assessment;
  • Notify the NYDFS within 72 hours of any cybersecurity event that has a “reasonable likelihood of materially harming any normal operation of the entity”; and
  • Maintain an incident response plan that provides procedures for responding to a cyber event, responsibilities of each official, and communications and remediation requirements.

The NYDFS has specified that a company’s cybersecurity written policy or policies address the following areas: (a) information security; (b) data governance and classifications; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental concerns; (k) customer data privacy; (l) vendor and third-party service provider management; (m) risk assessment; and (n) incident response.

The NYDFS regulations require covered entities to provide multi-factor authentication for external access to the company’s internal network unless the CISO certifies that a less burdensome alternative is reasonably secure (or more secure) than a multi-factor authenticated system.

Covered entities have to encrypt nonpublic information in transit or at rest.  For legacy systems, encryption of systems at rest will be difficult.  Companies have to undertake a careful assessment of their existing systems in order to determine where nonpublic information may be stored.

The company’s cybersecurity program has to include guidelines for protecting its internal software development program. Companies also have to develop security tests for applications developed by third-party vendors and suppliers. Such a requirement can be burdensome for financial companies that rely on external vendors for a number of internal processes.

Data Privacy Day: Top 10 for 2018

In honor of Data Privacy Day, we provide the “Top 10 for 2018.” While the list is by no means exhaustive, it provides key issues organizations should consider in 2018.

5. Ransomware and Phishing Attacks Continue

Ransomware. Ransomware erupted into a billion-dollar industry in 2016. Attacks increased in 2017 by up to 250 percent, according to some estimates, with damage costs estimated to top $5 billion. Forecasters anticipate these numbers to continue to rise in the coming years. Ransomware attacks are becoming more widespread, infiltrating companies globally and across multiple sectors. At the start of 2017, ransom payouts averaged approximately $15,000. Over the last few months, demands of $250,000 to $500,000 became a weekly occurrence, according to Kivu Consulting and Navigant Consulting, a third-party specialist that facilitates cryptocurrency payments and investigates perpetrators.

According to McAfee:

The profitability of traditional ransomware campaigns will continue to decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.

The 2017 “WannaCry” ransomware attack brought ransomware international attention. On May 12, 2017, some hospitals in the UK’s National Health Service reported being locked out of their computer systems until they complied with ransomware demands. The attack on 300,000 computers across 150 countries exploited a vulnerability in Microsoft’s file-sharing mechanism. Microsoft discovered the vulnerability and issued a patch weeks before, but companies affected had not installed the patch in time. The White House concluded that North Korea was responsible for the WannaCry attack. This is even more worrisome, as, unlike other cybercriminals, nation-states have economic and political backing.

In addition, while many organizations trust and rely on cloud service providers to store their data, believing, in part, that the providers can better safeguard their data, Computer Weekly recently reported the Massachusetts Institute of Technology’s prediction that cloud services may turn out to be ransomware’s favorite targets in 2018. For these reasons, organizations should continue to develop and refine their plans to be prepared to respond effectively to an attack.

Phishing Attacks. HR professionals can expect constant, surreptitious attacks from hackers seeking employee tax information, particularly Forms W-2, in January and February. Watch for spearphishing emails targeting HR and payroll personnel likely to have access to this information and who are apt to respond to requests from management for that information. Of course, the emails are not from management, but are artfully disguised as such. The results of successful attacks are that fraudulent tax returns are filed in employees’ names and employers must provide breach notifications to affected employees and, possibly, state agencies. Trust but verify. Employees should be advised to trust the source, but call to confirm the request verbally.
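The call-back rule above is the human control; a mail gateway or HR mailbox rule can pre-screen the same messages for the tell-tale signs of a disguised management request. The following is an added example for this page, not code from the original post: it parses a message with Python’s standard `email` module and flags a known executive’s display name on a mailbox that is not theirs, a Reply-To that leaves the sender’s domain, an external sender asking for W-2 or payroll data, and a sender domain within two edits of the firm’s own. The internal domain, executive roster, keyword list and sample messages are constructed assumptions.

```python
"""Screen inbound HR mail for disguised management requests for tax data.
Added example; the roster, domain and sample messages are constructed."""
from __future__ import annotations

from email import message_from_string, policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-firm.test"                      # assumed firm domain
EXECUTIVES = {"jane doe": "jane.doe@example-firm.test"}    # assumed roster: name -> real mailbox
PAYROLL_TERMS = ("w-2", "w2", "payroll", "tax form", "ssn")  # assumed trigger words


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    addr = addr.lower()
    return addr.rsplit("@", 1)[-1] if "@" in addr else ""


def analyze(raw: str) -> list[str]:
    """Return the list of reasons a message looks like an impersonation attempt."""
    msg = message_from_string(raw, policy=policy.default)
    reasons: list[str] = []

    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    from_domain = domain_of(addr)

    # 1. A known executive's display name on a mailbox that is not theirs.
    exec_addr = EXECUTIVES.get(name.strip().lower())
    if exec_addr and addr != exec_addr:
        reasons.append(f"display-name impersonation of {name!r} from {addr}")

    # 2. Replies redirected away from the sender's own domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_domain = domain_of(reply)
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"reply-to domain {reply_domain} differs from {from_domain}")

    # 3. Someone outside the firm asking for payroll or tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if from_domain != INTERNAL_DOMAIN and any(t in text for t in PAYROLL_TERMS):
        reasons.append("external sender requests payroll/tax data")

    # 4. A sender domain that is a near miss of the firm's own.
    if from_domain != INTERNAL_DOMAIN and 0 < edit_distance(from_domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {from_domain} resembles {INTERNAL_DOMAIN}")

    return reasons


# Constructed samples: an impersonation attempt, a legitimate internal note
# and a look-alike domain with an otherwise bland message.
SAMPLE_PHISH = """\
From: "Jane Doe" <jane.doe.ceo@mail-example.test>
Reply-To: payroll-request@other.test
To: hr@example-firm.test
Subject: Urgent: W-2s for all staff

Please send me the W2 forms for every employee as PDF today.
"""

SAMPLE_LEGIT = """\
From: "Jane Doe" <jane.doe@example-firm.test>
To: hr@example-firm.test
Subject: W-2 deadline reminder

Reminder that forms go out by the end of the month.
"""

SAMPLE_LOOKALIKE = """\
From: "IT Helpdesk" <it@example-flrm.test>
To: hr@example-firm.test
Subject: Mailbox check

Please confirm your mailbox is working.
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT), ("lookalike", SAMPLE_LOOKALIKE)):
        print(label, analyze(sample) or ["no indicators"])
```

None of these checks proves a message is fraudulent; a hit is the cue to apply the rule in the text and confirm the request by phone before anything is sent.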

Phishing attacks also have spiked in the healthcare industry. Malware easily can be distributed with a link or infected attachment and delivered to healthcare employees by email. Hackers then can access a healthcare provider’s database containing hundreds, if not thousands, of patient records.

6. Insider Threats

Ransomware, phishing, and other cyberattacks by external hackers often are the main focus of a cybersecurity plan. However, malicious insiders, such as disgruntled employees, who have access to areas of the employer’s system that external hackers cannot easily reach, often cause the most costly data breaches.

Examples of situations in which internal threats can arise include:

  1. An employee leaving a company and taking customer, patient, or client data that includes personal information. The information is used by the former employee or the former employee’s new company to solicit business from those individuals (see our blog post, Healthcare Worker Gives New Employer Patient Records, Old Employer Pays $15,000 to NY Attorney General for HIPAA Violation);
  2. Fearing the loss of his or her job, an employee removes files with personal information about customers, patients, or clients in preparation for challenging the termination and related litigation; and
  3. A former employee hacks the payroll system to inflate his pay, accesses proprietary files, and hijacks the company website (see our blog post, Company Awarded Damages after Former Employee Hacks Its Systems and Hijacks Its Website).

More innocent, but equally concerning, are threats such as inadvertent loss of credentials due to clicking spam links with malicious viruses attached, losing a laptop, unknowingly bringing an infected device to work, sending sensitive files to the wrong address, and the like.

According to a 2017 Insider Threat Report by Ipswitch, 53 percent of companies estimate remediation costs of at least $100,000, with 12 percent of companies estimating a cost of more than $1 million. The same report suggests that 74 percent of security breaches originate from within the extended global enterprise, including a current or former employee, contractor, or business partner with access to company data.

7. Privacy and Data Breach Class Actions

In May 2016, the U.S. Supreme Court held in Spokeo v. Robins that plaintiffs must allege a tangible or intangible concrete injury to establish Article III standing to sue. This confused the lower courts. How are they to apply this standard in a range of data breach and statutory privacy class actions (such as under the Telephone Consumer Protection Act, Fair and Accurate Credit Transaction Act, and Video Privacy Protection Act)? Different standards have developed and, even within the same circuit, separate panels have reached conflicting conclusions. For example, paying for data security protections he did not receive was sufficient to confer standing on a customer, a panel in the U.S. Court of Appeals for the Eighth Circuit had ruled. However, a separate Eighth Circuit panel ruled the threat of future identity theft from a data breach was insufficient for standing.

The company in Spokeo has re-petitioned the U.S. Supreme Court to review the panel decision finding standing in its case. If the Court provides clarity on this issue in 2018, organizations can better navigate class action suits following a data breach or a statutory privacy violation.

8. Data Breach Readiness

In 2017, a surge of massive data breaches affected more than one-half of the U.S. population. Cyberthreats in the coming year are expected to affect even more people, as hackers develop new attack methods (while IT departments charged with protecting a company’s sensitive information try to keep up). Many hope that advanced machine learning and artificial intelligence technologies can help organizations become better at detecting and remediating attacks. However, hackers also have access to these tools, and they will use them to strengthen their attacks to overcome organizations’ defenses. The battle will continue.

Companies of all sizes and in all industries are expanding their cybersecurity programs and incident response plans. It is important for cybersecurity programs to be flexible, improving and evolving with the shifting tactics of hackers.

9. Increased Data Privacy and Security Legislation

Following massive data breaches in 2017, data privacy and security legislative proposals were introduced at the federal and state level. Senate Democrats introduced the Consumer Privacy Protection Act of 2017, geared toward protecting Americans’ personal information against cyberattacks and ensuring timely notification and protection when data is breached. Subsequently, three Democratic Senators introduced the Data Security and Breach Notification Act, which would require companies to report a breach within 30 days of becoming aware of it, and under which any person who conceals a breach may face a penalty of up to five years in prison.

New York Attorney General Eric T. Schneiderman proposed the SHIELD Act, which would heighten data security requirements for companies and better protect New York residents from data breaches of their personal information. Similar legislation has been proposed in Ohio and Vermont and is being contemplated in other states. State data breach notification laws also continue to develop. Maryland amended its Personal Information Protection Act to expand the definition of personal information, modify the definition of security breach, and provide a 45-day timeframe for notification, among other changes. New Mexico enacted the Data Breach Notification Act, becoming the 48th state with a data breach notification law.

10. Vendor Management

Virtually all businesses interact with third-party vendors for a variety of reasons that involve all kinds of confidential company information. Increasingly, to derive efficiencies and control costs, vendors are linked directly to their customers’ information systems. Cloud service providers, benefits brokers, medical billing services, debt collection companies, consultants, accountants, law firms, staffing services, shredding/data destruction services, cleaning service providers, and other businesses utilize third-party vendors to provide an array of services. In the course of providing their services, vendors, like their clients, use technologies and devices (such as mobile devices, wireless networks, and flash drives) that pose risks to information they handle. Moreover, there may be legal obligations associated with a company’s use of vendors, such as requirements in third-party service provider contracts.

In certain states (including California, Illinois, Maryland, Massachusetts, Nevada, Oregon, and Texas), companies must obtain a written agreement with all third-party vendors handling personal information of state residents in order to provide services to the company. Similar requirements exist elsewhere. For instance, HIPAA imposes expansive requirements for any “business associate” or “subcontractor” that handles protected health information. The Payment Card Industry (PCI) standards have similar requirements, and law firms in many states (e.g., Maine, Missouri, New Jersey, New York, Oregon, Vermont, and Wisconsin) are subject to specific state ethical mandates to have written assurances from vendors handling client data. Finally, a company that must adhere to the looming EU GDPR will have to reassess its relationship with any third-party vendor that processes personal data. Vendor management should be part of an overall strategy to safeguard company and personal information.

Bonus: Be Vigilant and Watch for Changes

Organizations should constantly be assessing their privacy and data security risks and implementing policies and procedures to protect the personal information and data they maintain. This is particularly important as the law and industry guidance change and evolve to keep up with technological advancements. Organizations need to be vigilant to remain compliant and competitive.

The SEC’s New Year’s Resolutions: Retail Investors and Cybersecurity

2018 arrived in the wake of big changes at the U.S. Securities and Exchange Commission (“the SEC”). Jay Clayton was sworn in as Chairman of the Commission in May, naming Steve Peikin and Stephanie Avakian as Co-Directors of the Enforcement Division (the “Division”) in June. As many do for the start of a new year, they have evaluated the Division’s priorities and promised a new focus. According to a speech by Ms. Avakian late last year, we can expect the Division to direct its resources and attention to two priorities going forward: the protection of retail investors and cybersecurity.

Cybersecurity Threats

The Division also anticipates that the increasing number and impact of cyber-related issues will bring cybersecurity to the forefront of its priorities. In late 2017, the SEC announced the formation of a new Cyber Unit to deal with the increasingly complex nature of cyber threats from foreign and domestic actors, such as traders in stolen market-moving information, market manipulators, and state-sponsored hackers. Ms. Avakian described these threats as “so serious” as to require a dedicated group of personnel and resources devoted to their pursuit.

According to Ms. Avakian’s speech, the Cyber Unit, with the help of the SEC’s Office of Compliance, Inspections and Examinations, will focus on three main enforcement areas:

(i) hacking to access information, access brokerage accounts, or disseminate false information;

(ii) failures by investment advisers and broker dealers to reasonably safeguard information and system integrity; and

(iii) failures by public companies to timely disclose material cyber risks and incidents.

While the Division no doubt will continue to bring cases in other bread-and-butter areas, like financial reporting and insider trading, it is clear that the protection of “Main Street” investors and cybersecurity will be at the top of the Division’s priorities list in 2018. Compliance professionals and others in the securities industry will want to keep those priorities in mind as they evaluate their own risks, policies, and procedures in the year ahead.

More Compliance Issues to Come

Financial advice firms face a growing list of compliance chores in 2018, including spillover effects of the Department of Labor’s now-delayed fiduciary rule, cybersecurity issues, advisor exam changes and tighter scrutiny of bad brokers, according to ThinkAdvisor.

Despite the 18-month delay the DOL put in place last year, the provisions of the rule purporting to require retirement account advisors to put clients’ interests first will still weigh on advisors’ time and resources, George Michael Gerstein, counsel with Stradley, Ronon Stevens & Young, tells the publication.

He says the DOL is likely to unveil a revised proposal this year, according to ThinkAdvisor. On the other hand, the delay of the final compliance date from Jan. 1, 2018 to July 2019 means the SEC could roll out its own version of a best-interest standard, Brian Hamburger, head of regulatory consulting firm MarketCounsel, tells the publication.

The SEC is likely to propose its fiduciary rule this year as well, David Tittsworth, counsel at Ropes & Gray and former CEO of the Investment Adviser Association, tells ThinkAdvisor. But SEC Chairman Jay Clayton said in October the SEC would not “supplant” the DOL’s rule, the publication writes. And varying standards from the SEC, the DOL and the states will cause “confusion and inefficient allocation of capital,” according to Gerstein.

Meanwhile, cybersecurity is now “a business imperative,” Tittsworth tells ThinkAdvisor. Cybersecurity is also one of the top priorities for Clayton, Tittsworth says, adding that one concern advice firms have is whether the SEC will bring enforcement actions against firms it deems haven’t taken appropriate steps to protect themselves against data breaches. 

The other objective topping Clayton’s list is cracking down on brokers with disciplinary records, according to the publication. Brad Bennett, a partner at Baker Botts and former head of Finra’s enforcement unit, suggests both advisors and broker-dealers watch the SEC’s Retail Strategy Task Force, ThinkAdvisor writes.

Advisers Are Apparently Ignoring Cybersecurity Threats

Only 27% of RIAs surveyed by TD Ameritrade suggest that “cybersecurity issues,” even when very broadly defined, are likely to impact client portfolios during 2018; experts suggest this is just wishful thinking.

TD Ameritrade this week provided a fresh cut of data from its 2018 RIA Sentiment Survey, in which independent registered investment advisers (RIAs) look ahead to 2018.

Likely surprising to few, the GOP tax cut plan is the top item expected to impact client sentiments and portfolios in the next year, say independent registered investment advisers (RIAs) polled by TD Ameritrade. Survey results suggest advisers are also “closely watching earnings and interest rates.”

The strong majority (70%) of RIAs expect to see economic growth in the U.S. and abroad this year, while roughly half are bullish on equities. According to the survey data, RIAs expect “financials, materials and industrials” to perform better in 2018, which is somewhat at odds with what various asset managers have projected.

“Their own optimism aside, RIAs say that money in retirement, taxes and estate planning also top clients’ biggest concerns,” TD Ameritrade reports. “To keep up 2017’s momentum, RIAs will look to marketing, not merger and acquisition activity.”

More than three-quarters of RIAs say firm assets will rise in 2018; nearly half expect assets to grow faster than 2017. That will be a pretty impressive feat, as RIAs ended 2017 with revenue growth averaging 15%, TD Ameritrade finds, and with full-service brokerage firms supplying a third of their new clients.

“Though M&A is not in the cards for most, RIAs who are considering it want to acquire or add to their firms, versus merge or sell. … RIAs say they will spend more on marketing in 2018, as they consider it the most important way to drive growth,” the research shows.

Turning to client satisfaction, RIAs say tech investments in 2018 will focus on improving client experience, a top strategic priority for many RIAs. “Regulations and lack of client awareness” are seen as the biggest threats to RIA growth, and only 1% are “extremely concerned” about the threat of robo-advisers.

Lack of concern on cybersecurity 

One finding that could be of note for PLANADVISER readers shows only 27% of RIAs surveyed by TD Ameritrade suggest that “cybersecurity issues,” even when very broadly defined, are likely to impact client portfolios during 2018. This lack of concern and action on cybersecurity challenges probably represents wishful thinking and potentially dangerous complacency on the part of RIAs, attorneys and other experts have warned.

Indeed, on September 25, 2017, the Division of Enforcement at the Securities and Exchange Commission (SEC) announced the creation of a new cybersecurity unit. As pointed out by David Kaleda, principal in the fiduciary responsibility practice group at Groom Law Group, in Washington, D.C., the cyber unit is explicitly tasked with addressing concerns raised by the increasing use of technology by investors and advisers, as well as the growing risk of general market manipulation and other investor harm.

“The cyber unit will comprise SEC staff with expertise and experience in cyber issues,” he confirms. “Clearly, the creation of the dedicated unit signals that the SEC has a growing appreciation of the potential risks associated with cyber issues. Its concerns rightly include the use of technology to gain an unlawful market advantage, e.g., hacking to access material, nonpublic information, hacking of accounts in order to conduct manipulative trading, and disseminating false information through electronic publication; the failure by registrants to adequately secure customer data and ensure system integrity; and the failure by a public company to disclose, or adequately disclose, cybersecurity incidents that occur at the company.”

Advisers may just be surprised by how much they find themselves talking about and responding to cybersecurity issues during 2018, given the low concern measured on this point by TD Ameritrade.  


The Big Hack Attack

Rob is an advisor in Cincinnati at a firm with some half a billion in assets. He’s always thought his cybersecurity was pretty good and figured his firm would be a fairly unappealing target for thieves and hackers.

Still, he decided to go one step further and get a penetration test—paying professional good-guy hackers to try to break into his company’s systems and test his weak spots.

He felt confident. He had a brother who worked in IT security at a big company and felt he knew the risks pretty well. So he paid a security firm to have people camp out inside the back of his office; indeed they had trouble breaking into his computers.

But he wasn’t thinking about his copy machine and scanner, which might have high-value information like tax returns or investment statements. Like many other machines, copiers have default administrative passwords—easy hurdles for people who manage to get into the facility, with, say, the cleaning crews.

“Both of [the devices] could have been loaded with software to copy data or scans to an outside location,” Rob says. “What I’m going to do is inject this malware into any device, and every time something is scanned, it’s going to go to the person who has scanned it, but a copy of it is also going to me [the bad guy].”

Now that he’s bulked up his protection, he asked not to be identified by his full name for this article.

Cyber criminals have become increasingly sophisticated, and all financial services firms are ripe targets for frauds. In 2016, the FBI’s Internet Crime Complaint Center received almost 300,000 complaints for almost $1.3 billion in losses. According to the IBM X-Force Threat Intelligence Index, the financial services sector was attacked more than any other industry that year. The most pervasive scams involve phishing, ransomware, malware and denial-of-service attacks.

Diane Pearson of Legend Financial Advisors in Pittsburgh, says her IT person once told her that someone was trying to break through the firm’s firewall every night. Pearson knows of somebody at another firm who lost her job after succumbing to a phishing e-mail, wiring $50,000 from a client to a fraudster.

The scams don’t have to be terribly sophisticated. The biggest vulnerabilities of financial companies, say security experts, are perhaps not surprisingly their employees. Naïve staffers are most at risk of opening phishing e-mails that allow fraudsters to download malicious software into their machines, taking over their computers and breaking into networks.

The biggest risk is that a hacker will capture an employee’s credentials and then log in externally to third-party vendors, says Benjamin Gordon, the manager of advisory services at Rook Security in Carmel, Ind. “Employees just aren’t educated enough on security, to be perfectly blunt. It doesn’t matter what technology you have in place, what IT team you have in place. If somebody clicks on a malicious link, it’s a problem.”

Cybersecurity 2018 – The Year in Preview: Financial Institutions and the SEC

The U.S. Securities and Exchange Commission has made no secret about the gravity of the cybersecurity threat facing the investment community.  Since at least 2014, the SEC has made a point in emphasizing the cyber threat through enforcement actions, inspections and examinations, roundtables, and policy speeches.  While the change in administration brought new leadership to the Commission, that group has made clear at every possible opportunity that combatting the cyber threat will be a top SEC priority in 2018 and beyond.  For example, Enforcement Division co-director Steve Peikin, a former federal prosecutor and partner at Sullivan & Cromwell, referred to cyber attacks as the “greatest threat to our markets right now.”  His co-director Stephanie Avakian, an SEC Enforcement veteran, similarly called the cyber threat “among the greatest risks facing investors and the securities industry.”  The import of their message is clear – the investment community, and, in particular, SEC-regulated entities, should be on alert in the coming year.

Historically, the SEC has addressed the cyber threat through enforcement actions aimed at entities and individuals that threaten market integrity, either by failing to take necessary cyber precautions or engaging in cyber-related misconduct, and through regular cyber examinations of registered entities by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”).

SEC Cyber-Enforcement

On the enforcement front, the Commission’s Enforcement Division created a new Cyber Unit in September 2017.  This unit has a broad mandate to target all forms of cyber-related misconduct, including market manipulation schemes involving false information spread through electronic and social media, hacking to obtain material nonpublic information, violations involving distributed ledger technology and initial coin offerings (more on that to follow), misconduct involving the dark web, intrusions into retail brokerage accounts and cyber-related threats to trading platforms and other market infrastructure.  The Market Abuse Unit previously handled the SEC’s cyber investigations, but the Commission deemed the threat important enough to create a separate unit (the Enforcement Division’s first newly created unit since 2010).

Beyond press releases and policy statements, the Enforcement Division has offered some guidance on the Cyber Unit’s focus in 2018.  Focus areas include: (1) cyber-related misconduct that is used to gain an unlawful market advantage, (2) the failure of registered entities to appropriately safeguard information or ensure system integrity, and (3) cyber-related disclosure failures by public companies.

The first area – cyber-related misconduct – has historically been the SEC’s primary cyber enforcement focus area.   During the past year, SEC enforcement actions have targeted: (1) hacking to access material, nonpublic information in advance of a material announcement or event; (2) an account intrusion in order to conduct manipulative trading; and (3) disseminating false information electronically, including through EDGAR, in order to manipulate stock prices.

With respect to the second area – the failure of registered entities to appropriately safeguard information – the SEC has often handled such failures through the OCIE examination process.  Avakian has indicated that while the SEC will continue to do so in appropriate cases, it will consider enforcement action if warranted.  The final area identified by Avakian – the failure by a public company to make a cyber-related disclosure (i.e., disclosure of a cyber breach or other event in SEC reporting) – is a new area of enforcement for the SEC.  While the SEC will not look to second guess reasonable, good-faith disclosure decisions, it will take enforcement action if an appropriate case presents itself.  Regardless of whether the SEC ultimately takes enforcement action, the SEC’s message to regulated entities going forward is clear – closely guard confidential information from cyber attack, and if an attack happens, determine whether some form of public disclosure is required.

More recently, on December 11, 2017, the Cyber Unit directly confronted a new and growing cyber risk, halting an initial coin offering by California-based Munchee Inc.  Munchee was seeking $15 million in capital for its blockchain-based food review service.  In selling digital tokens, the company and promoters emphasized that the tokens could increase in value, which the SEC concluded could cause investors to reasonably believe that they could generate a return on investment.  The SEC thus determined that the coin offering constituted an unregistered securities offering.  Further emphasizing the SEC’s focus on this new technology, on the same day that the SEC announced the Munchee enforcement action, SEC Chairman Jay Clayton provided a statement on cryptocurrencies and initial coin offerings.  He offered warnings to both investors and market professionals.  This should serve as a clear signal that the SEC will not hesitate to conduct additional enforcement activity in this arena.

OCIE Cyber Exams

Outside of the Enforcement Division, OCIE continues to make cybersecurity a prominent aspect of its examinations of registered entities, including broker-dealers, investment advisers and investment companies.  OCIE conducted its first targeted cybersecurity sweep in 2014.  It followed up with a Cybersecurity 2 Initiative, the results of which were released in August 2017.

The exams focused on how written policies and procedures addressed: (1) governance and risk assessment; (2) access rights and controls; (3) data loss prevention; (4) vendor management; (5) training; and (6) incident response.   The good news is that registered entities have made vast improvements since 2014.  In particular, of the 75 firms examined, almost all of them had adopted written policies and procedures concerning the protection of customer and/or shareholder data.  The bad news is that many of these policies were either not sufficiently robust or not routinely followed.

OCIE identified a number of common deficiencies, including: (1) policies and procedures provided employees only with general guidance rather than specific examples of safeguards; (2) firms either did not adhere to the policies or the policies did not reflect their actual practices; and (3) firms did not adequately conduct system maintenance, such as the installation of software patches to protect against vulnerabilities.
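Deficiency (3) above, timely installation of patches, is the one that the WannaCry section earlier on this page illustrates: the fix existed weeks before the outbreak and the affected organizations simply had not applied it. Checking for that gap is mechanical once an inventory exists. The following is an added example written for this page, not OCIE or SEC material: it compares each host’s installed package version against the fixed version in a published advisory and flags hosts still exposed past a policy deadline. The package names, versions, dates and the 30-day window are constructed assumptions.

```python
"""Compare a host inventory against published fixes and a patch deadline.
Added example; packages, versions, dates and the SLA are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import date

PATCH_SLA_DAYS = 30  # assumed policy: fixes applied within 30 days of publication


@dataclass(frozen=True)
class Advisory:
    package: str
    fixed_version: str
    published: date


@dataclass(frozen=True)
class Host:
    name: str
    package: str
    installed_version: str


@dataclass(frozen=True)
class Gap:
    host: str
    package: str
    installed: str
    required: str
    days_open: int   # days since the fix was published
    overdue: bool    # True once days_open exceeds PATCH_SLA_DAYS


def parse_version(v: str) -> tuple[int, ...]:
    """Numeric components of a dotted/dashed version, e.g. '4.8.1-2' -> (4, 8, 1, 2)."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter versions are padded with zeros
    so that 4.8 compares equal to 4.8.0 and older than 4.8.1."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += (0,) * (n - len(pa))
    pb += (0,) * (n - len(pb))
    return pa < pb


def patch_gaps(hosts: list[Host], advisories: list[Advisory], today: date) -> list[Gap]:
    """Return one Gap per host whose installed version predates the published fix."""
    fixes = {a.package: a for a in advisories}
    gaps: list[Gap] = []
    for h in hosts:
        adv = fixes.get(h.package)
        if adv is None or not version_lt(h.installed_version, adv.fixed_version):
            continue
        days = (today - adv.published).days
        gaps.append(Gap(h.name, h.package, h.installed_version, adv.fixed_version,
                        days, days > PATCH_SLA_DAYS))
    return gaps


# Constructed inventory and advisories.
ADVISORIES = [
    Advisory("smb-server", "4.8.1", date(2018, 1, 2)),
    Advisory("web-proxy", "2.1", date(2018, 2, 1)),
]
HOSTS = [
    Host("fs-01", "smb-server", "4.7.9"),   # behind the fix, well past the window
    Host("fs-02", "smb-server", "4.8.1"),   # patched
    Host("ws-11", "smb-server", "4.8"),     # 4.8 is older than 4.8.1
    Host("db-01", "db-engine", "12.3"),     # no advisory for this package
    Host("px-01", "web-proxy", "2.0.5"),    # behind the fix but still inside the window
]

if __name__ == "__main__":
    for g in patch_gaps(HOSTS, ADVISORIES, date(2018, 2, 15)):
        status = "OVERDUE" if g.overdue else "open"
        print(f"{g.host}: {g.package} {g.installed} < {g.required} ({g.days_open}d, {status})")
```

Run daily against a real inventory export, the overdue list is the evidence an examiner would ask for under deficiency (3), and the "open but not overdue" rows show the policy window is actually being tracked rather than assumed.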

OCIE also provided guidance on best practices for developing and implementing appropriately robust policies and procedures.  These best practices include: (1) maintaining an inventory of all data, information and vendors, including a classification of risks regarding each; (2) detailed cybersecurity-related instructions for penetration tests, security monitoring and system auditing, access rights and reporting; (3) maintenance of schedules and processes for testing data integrity and vulnerabilities; (4) established and enforced controls to access data and systems; (5) mandatory information security employee training; and (6) vetting and approval of procedures by senior management.

The weaknesses and best practices identified by OCIE should provide clear guidance to registered entities on how to implement effective cyber policies going forward.  Like the SEC’s top officials, OCIE has made clear that cybersecurity is one of the top compliance risks for financial firms, and, as a result, OCIE will continue to make it a key aspect of its annual examination process.

Why choosing a cybersecurity auditor may be tougher than you think

With its 2017 list of examination priorities, the Securities and Exchange Commission left little doubt about its zeal for having advisory firms focus their attention on cybersecurity measures. 

“We will continue our initiative to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls,” the SEC said in the statement announcing its examination priorities. 

But advisory firms, which want to conduct cybersecurity audits to pre-empt any future SEC troubles, must reckon with a reality: Cybersecurity auditing is a less than fully developed science.

“Because of the recent focus on cybersecurity from the SEC, this has become a hot topic. Since firms expect this to be included in their next SEC exam, it certainly makes sense to perform an internal audit prior to that,” says Brent Everett, founder, chief investment officer and partner at Talis Advisors in Plano, Texas.

But, “most traditional IT firms don’t understand the complex requirements of our industry and the few that do are focused on servicing large enterprises, not the typical small to medium-sized RIAs,” he says.

Until more options develop, advisory firms must choose among the “service providers that have sprung up to address this area of the market,” Everett says.

It is an imperfect situation. 

“As the requirements are still rapidly evolving, there is still little standardization of the audit process, what is required and what is provided. This makes it quite difficult to compare services from different suppliers,” Everett says.

Caveat emptor rules apply. 

“It’s also quite obvious that many of the suppliers are in the start-up phase and don’t have particularly robust documentation of their processes. It’s an immature industry, and pricing varies wildly; you don’t always get what you pay for,” Everett says.

Why Cybersecurity Matters To Your Business

You start a business. You grow your company from an idea to a fully functioning and profitable entity. With success come clients and, as with most companies, you store personal information, either for marketing or from a purchase. As a result, you hold the keys to many of the things that your customers value and treasure in their lives, and it is now your responsibility to protect their personal information. Additionally, your company holds a myriad of confidential and private information internally that needs to be protected.

The premise is simple: Protect your company's data along with your customers' data. But the execution is complex. Over the past several years we have learned this fact as companies -- from the retail giant Target to the credit reporting service Equifax -- have fallen victim to cyberattacks.

While cybersecurity tools, consultants, software and hardware are all expensive, none of them has the immediate positive impact on the bottom line that other technology investments do. This means that it is just not as fun to invest in cybersecurity products and services as it is to outfit your team with lightning-fast laptops. Still, a sound cybersecurity plan and deft execution can be an excellent selling point for customers and clients as awareness grows across society at large. Here are a few ways to take control.

Understand Cybersecurity Applies To You

The first step to protecting your business is to understand that the threat is real. Many times, when news of wide-scale data breaches floods Facebook feeds and media outlets, business owners take solace in the belief that while Target may have been hacked, their company is too small to be at risk. This is a false sense of security. According to Symantec, over 43 percent of cyberattacks in 2015 were targeted at small businesses — and this number will only rise. Furthermore, only 14 percent of small businesses believe that their current ability to guard against cyberattacks is effective. Thus, cybersecurity is a small- and medium-sized business problem -- one most are not addressing properly.

Seek (Quality) Advice

No matter what type of business your company conducts, even if it is technology-based, it can benefit from an outside set of eyes. The technology and data surrounding cybersecurity are constantly changing and evolving. This means that while you may have some of the most brilliant tech minds around grinding out your code, their focus is not necessarily security -- and the result is vulnerability.

Accordingly, it is totally acceptable, if not necessary, to work with a cybersecurity professional. A simple Google search for "cybersecurity services" will yield thousands of results. Not only will consulting a professional make your operations more secure, but the relationship will go a long way: in the event of a cyberattack, it helps fend off would-be lawsuits by showing that you took adequate security measures.

SEC to Focus on Individual FAs Next Year

The latest enforcement actions report from the SEC suggests the regulator will likely go after advisors more often than firms, legal experts tell InvestmentNews.

The SEC brought 82 standalone cases in fiscal year 2017 compared to 98 the year prior, but advisors shouldn’t get too comfy, according to the publication. Eighty percent of the actions were against individuals, Todd Cipperman, a managing principal at Cipperman Compliance Services, tells InvestmentNews.

“Just because you’re paranoid doesn’t mean they aren’t after you,” Cipperman tells the publication.

The SEC is likely to continue prioritizing individual advisors over firms even though it’s more expensive “because of the fear and the deterrent effect,” he says, according to InvestmentNews.

In January, SEC chair Jay Clayton said much the same, according to the publication. Going after individuals and naming names also produces “more of a reputational effect,” Amy Lynch, founder and president of FrontLine Compliance, tells InvestmentNews.

The SEC is shifting staff to its new cybersecurity unit and its new Retail Strategy Task Force, launched in September, but it is also reducing the number of lawyers in its enforcement division by 100 through attrition, Deborah Meshulam, a partner at the litigation firm DLA Piper and a former assistant chief litigation counsel of the division, tells the publication. The cut isn’t likely to affect its enforcement brawn, however, according to Meshulam: the SEC will likely simply go after bigger fish, she tells InvestmentNews.

SEC Exam Priorities Said to Focus on Cybersecurity, Seniors in 2018

The new examination priorities list, usually released in January, would be the roadmap for OCIE activities for the year.

Investments involving seniors and cybersecurity compliance are among the concerns expected to make the 2018 examination priority list now being developed by the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE), according to industry experts familiar with the process.

The list is likely to be released in January and will be the roadmap for OCIE activities for the year with an expected focus on market-wide risks and retail investor risks.

“Cybersecurity will be an expanded OCIE priority in 2018, as examiners look to whether sufficient cybersecurity policies, procedures and controls are in place to protect personal information,” Joseph Moreno, an attorney at Cadwalader, Wickersham & Taft, told ThinkAdvisor.

“With the one-two punch of the Equifax and EDGAR breaches still fresh in the headlines, it is hard to imagine cyber will not be front-and-center going forward. Chair [Jay] Clayton has stated that he views cybersecurity as a critical part of the infrastructure underlying the capital markets, and this emphasis will no doubt be borne out in OCIE priorities.”

James Fanto, a professor at Brooklyn Law School, agrees, saying, “There is simply so much activity in the cybersecurity space with the Equifax hack and the SEC’s own hack that they can’t ignore this subject. And there is always the worry that customer assets will be hacked into and taken.”

Robert Plaze, an attorney at Proskauer Rose, also sees cybersecurity as an OCIE priority. “It’s a real risk throughout the financial services industry – and a wide swath of other industries – and the SEC is vulnerable if it is not viewed as sufficiently vigilant because the SEC was itself hacked.”

Moreover, Denver Edwards, an attorney at Bressler, Amery & Ross, points out that the OCIE, in recent years, examined broker-dealers and investment advisors for compliance with cyber-security regulations.

“OCIE will continue to examine registrants for cyber compliance given that cyber breaches have become ubiquitous,” he adds.  “The Commission is concerned about hacking to access material, non-public information; account intrusions to conduct manipulative trading; and disseminating false information … to manipulate stock prices.”

Related to this, there has been a divide internally among the SEC staff on cybersecurity, a knowledgeable source told ThinkAdvisor. On one side, there are those who are more “militant” and want stricter standards and more enforcement actions, and want to make an example of a business or firm that has a cyber incident.

On the other side are those who are not as militant; they understand that companies and firms regulated by the SEC want to avoid cyber incidents and are spending money to mitigate risk and improve their cyber defenses. This side may also want to see information sharing and collaboration with the government — and does not want to be as aggressive. As 2018 progresses, the SEC may reveal where it stands between the factions.

Also, the SEC is concerned about the savings of retirees and baby boomers. This concerns those who have saved money in a 401(k) or other retirement fund, and the efforts of financial services companies to persuade them to move that money into the firm, which poses some risk.

“Last time, the list had an entire section on senior investors and retirement products. I just don’t see that focus going away, given the drumbeat on that topic as so many of us age and have to rely on retirement assets,” Fanto said. “This topic could include all sorts of things, such as products targeted to seniors.” 

Fanto says other issues could make the priority list for 2018 and may include:

  • Problem brokers who move from firm-to-firm or from broker-dealers to advisors.
  • Problematic retail products, such as initial coin offerings and anything related to Bitcoin.
  • Investment advisor practices.

Edwards suggests other possible categories may be included, such as: high-fee mutual fund share classes; failure to disclose fees; robo-advisors; advertising; abusive practices; and anti-money laundering.

Also, given that OCIE Director Peter Driscoll had input into OCIE’s 2017 priorities, many of them could “carry over into the new year. There will continue to be a focus by OCIE on protections for retail investors, especially seniors, from abusive sales and marketing practices and improper fee structures,” Moreno said. “A continued emphasis on reviewing registered investment advisors – particularly those who have never been examined by OCIE – will mean fewer resources focused on broker-dealers.”

The list is not expected to change that much from the 2017 priorities. Whatever is listed, the knowledgeable source said, the priorities are likely the result of speaking with each SEC commissioner and each division. The list is worked on for months and becomes a “strategic plan for the year,” the source said.

In fact, the source predicts the OCIE will dedicate three quarters of its time and resources to the listed priorities.

“The OCIE’s priorities list is of significance to compliance officers in broker-dealers and advisers because it tells them what to expect when the SEC’s examiners visit their firm,” Fanto adds.

Cyber attack response - What do you do?

A client database has been hacked – and personal details of individuals stolen. It’s every company’s nightmare, and now it’s happened. What steps should the firm take? And who needs to be notified?

In today’s world of cyber risk, a successful attack on a financial services firm’s systems is not a matter of “if”, but rather of “when”. While it makes sense to invest in the best cyberattack deterrence technology, and to put in place preventative policies and procedures, bad things can still happen to good cybersecurity programs. And when they do, it’s the firm’s reputation that is on the line.  

Firms need to have a plan of action ready to implement if they are hacked and data is stolen. Like a business continuity strategy, such a plan will help guide individuals as to the actions they should be taking – to limit further damage to systems, to mitigate reputational risk, and to ensure compliance with a growing number of regulatory requirements.

A key part of any plan must be managing the notification requirements. Firms usually will need to notify a regulator or other government body that they have been hacked. Sometimes there is also a requirement to notify impacted clients – and even if there isn’t, it is usually best practice to make them aware in any case. Failure to report a cyber breach to either a government body or to clients – if the breach comes to light later – can have a serious negative impact on a firm’s reputation. The internet is littered with companies that delayed reporting and have encountered supervisory censure as well as negative headlines and client lawsuits – Equifax is a recent example.

Many jurisdictions are putting formal notification requirements in place. For example, New York State’s March 2017 regulations now require financial services firms to notify the regulator within 72 hours of a breach taking place, and other US states are putting in place similar requirements. The US Securities and Exchange Commission (SEC) published some observations from its cybersecurity examinations in August which noted that firms need to have robust reporting frameworks.

In the EU and the UK, the General Data Protection Regulation (GDPR) will require firms to notify the correct regulator within 72 hours of a breach, and impacted individuals “without undue delay”. Failure to meet these notification requirements can result in a significant fine of up to 10 million Euros or 2% of global turnover.

There are good reasons why governments are asking firms to make a formal notification of a cyber breach. First, they are recognizing the need for more action on their part to combat hacking. Registration of incidents helps governments to understand the nature of the problem. Secondly, in some jurisdictions this information is shared in some way with other financial services firms – helping all firms to collaborate to prevent successful cyberattacks.

Thirdly, regulators are beginning to use this cyber breach reporting data in their pre-examination analysis. Supervisors can see which firms are having incidents and what kind of incidents they are having – perhaps to formulate good questions for discussion with the firm during the visit. On the flip-side, they can also see who is reporting below-normal levels of incidents. If the firm has some form of cybersecurity best-practice, then that is of interest. However, if the firm is simply not reporting cyber breaches, then more difficult questions will be asked.  

As a result of these new breach reporting regulatory requirements and client expectations, firms are advised to develop specific policies and procedures for when an incident occurs. This should include identifying what their breach reporting requirements are, developing reporting templates, and actually testing this part of the incident response plan. Specific elements of the communications plan could specify when and how to:

  • Notify investors
  • Bring in the legal team
  • Call law enforcement
  • Report to the regulator where there is a requirement, or decide when to contact it where there is none
  • Communicate to employees
  • Disclose to clients

Best-practice firms conduct table-top exercises using several different scenarios, such as ransomware or an insider attack. If the firm outsources significant portions of its IT infrastructure, it’s important to conduct these exercises in partnership with the IT supplier. If the firm engages third parties for other types of activities, and those activities involve use of client data, the firm should perform these table-top exercises with those vendors – and ensure each vendor is aware of all reporting obligations the firm has to regulators.

If a firm is genuinely not subject to any cyber breach reporting requirements, it should nonetheless put a framework in place to document each incident and note why no reporting is required. This will help support the firm’s engagement with regulators in the future.

In short, it’s important for firms to understand the notification requirements that impact them, as well as how they wish to engage with clients – and to then formulate an incident response plan. For financial services firms, reputation and trust are of high importance, and so ensuring a solid approach can make a real difference to how well a firm weathers a cyberattack. 

FA: Is Your Firm Cyber Secure?

Last year, the SEC fined Morgan Stanley $1 million for failure to protect information in 730,000 client accounts, which were first stolen by an employee and transferred to a personal server and then hacked and offered for sale online. The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure the security of clients’ personally identifiable information.

The case shines light on what the SEC expects from firms when it comes to their internal web applications and portals that give employees access to customers’ confidential account information.

To try to avoid future enforcement actions, broker-dealers and investment advisors should focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques.

Examiners are also looking at employee training and vendor relationships, Rubin said, adding that firms should have policies that show they’re actively training their employees and registered persons to try to ensure that each person understands her role and responsibility with regard to cybersecurity. Firms are also responsible for knowing what kind of cybersecurity system their vendors have.

State regulators have already found nearly 700 deficiencies during exams of 1,200 state-level investment advisors—in the first year state regulators reported on cybersecurity incidents.

The North American Securities Administrators Association (NASAA) used the data to generate a list of cybersecurity best practices for investment advisors: prepare and maintain records by backing them up; maintain client information; revise Form ADV and disclosure brochures; implement safeguards through cybersecurity policies and measures; and prepare a written compliance and supervisory procedures manual.

NASAA found policies and procedures to be adequate when firms require and enforce frequent password changes, lock devices, report lost devices, and create specific roles and responsibilities for people to frequently assess these requirements.

To minimize threats posed by data breaches, NASAA recommends that firms routinely back up devices and store the underlying data in a separate, remote location. And they should regularly test backup procedures to ensure their suitability. Similarly, firms should consider whether e-mail communications should be sent securely, especially where they involve identifiable information regarding a client.