SEC Does Not 'Dictate' Cyber Controls, Cyber Chief Says

The SEC is more focused on preparedness, cyber chief Robert Cohen said at a NASAA Cybersecurity Roundtable.

In assessing firms’ cyber preparedness, the Securities and Exchange Commission is “looking for firms that have significant risks that they aren’t disclosing,” Robert Cohen, head of the agency’s cyber unit, said Monday.

Speaking on a panel at the North American Securities Administrators Association’s cyber roundtable in Washington, Cohen stated that it’s not the “SEC’s approach to dictate specific [cyber] controls” on regulated entities. “I don’t know that that’s the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they’re doing and see if they’re prepared.”

“For the commission to dictate you must do this, you must do that, sometimes we’ll publicize best-practice issues … but generally, if the commission dictated something, I’d be concerned that it gets out of date really quickly.”

The best source of expertise in the cyber realm, he added, “is within the industry and the consultants they employ.”

What does the SEC look for when assessing firms’ preparedness?

“Really you can learn a lot just by asking firms what they do to prepare” for cyber breaches, Cohen said.

Cohen cited the recent charge against Voya Financial Advisors Inc. for violating Regulation S-P or the Safeguards Rule and the Identity Theft Red Flags Rule, as “a classic mistake that we see.”

Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information, “had policies and procedures and controls, but really didn’t enforce it across the board,” Cohen said.

The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Cohen, when the complaint was filed in late September. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

FBI Has Doubled Agents in Cyber Program

Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes “billions of dollars of losses every year,” and is the FBI’s third priority behind counterterrorism and counterintelligence.

“We’re continually banging our heads against a wall to try to figure out how we can better combat this,” he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.

“As we look into cybercrime, very rarely does it not cross international borders,” he added.

Business email compromise continues to be one of the top scams, with an average loss of $130,000.

Also “synthetic ID” is becoming a more prevalent scam against financial institutions, he said.

“An actor will take a real Social Security number and changing some of the variants of the personal identifying information and creating a ‘synthetic ID’ — a nonexistent person — they apply to some different credit lines, they had no credit to begin with … but then once you get denied credit, it actually creates a credit file. … Once they have that credit file established, they will attach it to someone else’s credit — someone with good credit — … and over the course of six months that score will go from 300 up to 750, they’ll detach it, and then they’ll start opening bank accounts, credit cards…”

Financial institutions are “really struggling with this,” Floyd said.

NASAA Initiatives

NASAA President-elect Frank Borger-Gilligan, who also serves as the assistant commissioner of the Tennessee Securities Division, within the state Department of Commerce & Insurance, noted at the roundtable that “last year, more than half of the adult online population in the U.S. were victims of cybercrimes,” according to a 2017 Norton Cybersecurity Insights report.

Globally, cybercriminals stole $172 billion from 978 million consumers in over 20 countries in 2017. Cybercriminals, it was estimated, cost the world economy more than $600 billion last year, Borger-Gilligan said.

More alarming, he continued, financial services firms were “three hundred times more likely to be targeted than traditional American companies.”

Last year, 61% of cyber victims were small businesses — which continue “to be the low-hanging fruit for cybercriminals,” Borger-Gilligan said. “Smaller companies often lack the IT resources, the robust network defenses, and they mistakenly assume that they’re too small to be targeted.”

Couple this with the fact that 78% of nearly 18,000 state-registered investment advisors are one- to two-person shops, he added. “So it is clear how important the issue of cybersecurity is for our regulators.”

More work is planned in the year ahead. This year, Borger-Gilligan said, NASAA is considering whether to adopt a model rule, which will provide “more direction to advisors and baseline protection for investors.”

He noted that NASAA’s Investment Adviser Section also recently published a model rule for public comment, which would require advisors to “adopt policies and procedures regarding information security,” and will require them to deliver the policy annually to clients.

The comment period closes on Nov. 26.

Practice What You Preach: Having Cybersecurity Policies and Procedures That Don’t Do What They Are Supposed To Do Can Result in Fines

In the first enforcement of the Identity Theft Red Flags Rule, the U.S. Securities and Exchange Commission (SEC) fined Voya Financial Advisors, Inc. $1,000,000 for failing to provide training on and reasonably design its written policies and procedures to mitigate identity theft. On September 26, 2018, the SEC announced a settled enforcement action against Voya, a dually registered broker-dealer and investment advisor, arising from a cyber intrusion that compromised personal information of thousands of customers.

The SEC’s order describes a six-day period in 2016 during which cyber intruders impersonated Voya contractors by calling Voya’s support line and requesting that their passwords be reset. With the new temporary passwords, the intruders obtained access to the personal information of 5,600 Voya customers. From there, they were able to use that information to create new online customer profiles and get access to account documents for three customers. There were no unauthorized transfers of funds or securities from Voya customer accounts.

The SEC alleged that Voya had violated the Safeguards Rule, which requires broker-dealers and investment advisers to adopt written policies and procedures that provide for the protection of customer records and information, and the Identity Theft Red Flags Rule, which requires them to develop and adopt a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.

Voya had written policies and procedures, but the SEC alleged that in light of Voya’s business model and risk profile, they were not reasonably designed to: “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Significantly, several of Voya’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives or to their remote systems, and they were not updated to reflect changes in risks to customers from identity theft. Moreover, Voya failed to provide training specific to preventing identity theft. Accordingly, the intruders were able to obtain access because of Voya’s weaknesses in those procedures, some of which had been exposed by previous fraudulent activity. The SEC order includes a detailed description of how the intruders obtained access, and should be required reading for everyone who establishes or oversees a cybersecurity program.

New NASAA president Michael Pieciak puts cybersecurity at top of agenda

It's often the smallest investment advisory firms that are the most vulnerable to online threats, and that's why it's natural for rule-making to start at the state level, according to a top state regulator.

The North American Securities Administrators Association last week released for public comment a proposed cybersecurity rule. It would require advisers to adopt policies and procedures to safeguard information physically and online and to inform clients about their privacy policies annually.

The potential model rule is a top priority of new NASAA president Michael Pieciak. The Vermont commissioner of financial regulation was inaugurated for a one-year term on Sept. 25 at the organization's annual conference in Anchorage, Alaska.

State regulators are responsible for overseeing approximately 18,000 investment advisers with less than $100 million in assets under management. Many of them are one- and two-person operations, which can be juicy targets for online predators. But they also lack the cyber defense resources of major financial firms, Mr. Pieciak said.

"I'd like to see a model rule in place that does a good job of right-sizing the need to secure firms' important data," he said. "I don't see this as an issue where it's regulators versus industry. I see it as an issue where it's regulators and industry versus the cybercriminal."

The comment period lasts until Nov. 26. After digesting the feedback, NASAA could propose a model cyber rule for state legislatures to consider. There are cyber regulations in New York, but a model rule could expand the number of states with cyber oversight.

If NASAA proceeds, it could launch a cyber rule before the Securities and Exchange Commission and the Financial Regulatory Authority do. The SEC and Finra examine for cyber deficiencies.

"Maybe it makes sense that we're first," Mr. Pieciak said. Small advisers regulated by states "are some of the most vulnerable shops. The SEC and Finra have a different contingency they're trying to protect."

NASAA will host a cybersecurity roundtable in Washington on Oct. 15.

First millennial to lead NASAA

Mr. Pieciak, 35, is the first millennial president of NASAA, giving him a perspective that will influence both his leadership style and his regulatory agenda.

He said that his generation is often mislabeled. He has found his cohorts to be independent, detail-oriented and collaborative. That last trait will be helpful as the head of NASAA, a group in which the president is just "first among equals."

"That collaborative decision-making style is something I think is a hallmark of the millennial generation and something I hope to bring to this position," Mr. Pieciak said.

Millennial investors also pose a regulatory challenge given that they are often saddled with big student loans, put off buying homes and saving for retirement, and are attracted to online investments that may pose threats, such as cryptocurrencies.

"We see a lack of financial literacy and basic financial skills among the younger generation, particularly when it comes to thinking about some of the big life decisions like buying a home, which is usually someone's most important asset," Mr. Pieciak said. "We're going to have a specific millennial focus on our investor education and outreach initiative to educate and also protect millennial investors."

Other items on Mr. Pieciak's agenda include working on programs related to financial technology and cryptocurrency, leading a NASAA strategic planning process and fighting to preserve state regulatory authority.

Voya cybersecurity blunder should serve as a wake-up call to the entire industry

The stakes are high: Procedures have to be reviewed and tested on a regular basis

By now anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.

Cybercrime details

For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once being alerted that the breach was happening.

The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.

Procedures in place

Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.

Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.

Prevention and response

One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.


Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.

Need for review

It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.

That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.

Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?

Financial Advisors Should Question Tax Preparers About Protecting Data

CPAs continue to be tempting targets for cybercrooks looking to steal data to file tax returns and steal identities. High-net-worth clients’ information is especially prized, and the IRS and other tax agencies have made recommendations and established electronic requirements for tax preparers to protect that data.

“In addition to the obvious financial information handled by tax oriented CPAs and other practitioners, practitioners often serve as advisors to client businesses and other financial affairs,” said Dr. Sean Stein Smith, a CPA and assistant professor at the department of economics and business at Lehman College in New York. “Data security and protecting information is a high profile issue, and clients -- especially HNW individuals -- certainly understand the value that comprehensive security policies provide.”

SEC charges Voya Financial Advisors with deficient cyber-security procedures

In the Securities and Exchange Commission's first enforcement action for violations of the Identity Theft Red Flags Rule, Voya Financial Advisors has agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

The SEC on Sept. 26 charged the broker-dealer and investment adviser with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.

The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cyber-security procedures, some of which had been exposed during prior similar fraudulent activity.

According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce. “This case is a reminder to brokers and investment advisers that cyber-security procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.
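The intrusion described in this article (and in the "Procedures in place" section earlier on this page) turned on support-line password resets that stayed valid even after one adviser reported he had never asked for a reset. The following is an added example, not code from the SEC order or from any Voya system: it correlates help-desk reset records with such user reports so that, once one reset is denied, every other support-line reset sharing the same caller reference, and every contractor reset inside the same window, is flagged for revocation. The log format, the field names, the sample records and the six-day default window are all assumptions constructed for the example.

```python
"""Correlate help-desk password resets with user 'I did not request this' reports.

Added example: the log format, account naming and six-day default window are
assumptions, not taken from the SEC order or from any Voya system.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ResetEvent:
    ts: datetime
    account: str        # account whose password was reset
    channel: str        # how the reset was requested: "support_line" or "self_service"
    caller_ref: str     # ticket / caller reference the support desk recorded
    account_type: str   # "contractor" or "employee"


@dataclass
class DenialReport:
    ts: datetime
    account: str        # user who reported not having asked for a reset


# Constructed sample log (not real data). One record per line:
#   ts|RESET|account|channel|caller_ref|account_type
#   ts|DENIED|account
SAMPLE_LOG = """
2016-04-01T09:12:00|RESET|contractor.a|support_line|CALL-1001|contractor
2016-04-01T09:40:00|RESET|contractor.b|support_line|CALL-1001|contractor
2016-04-01T14:05:00|DENIED|contractor.a
2016-04-02T10:30:00|RESET|contractor.c|support_line|CALL-1007|contractor
2016-04-03T11:00:00|RESET|employee.x|self_service|SELF|employee
2016-04-06T08:15:00|RESET|contractor.d|support_line|CALL-1019|contractor
2016-04-20T08:15:00|RESET|contractor.e|support_line|CALL-1200|contractor
"""


def parse_log(text):
    """Split the pipe-delimited log into reset events and denial reports."""
    resets, denials = [], []
    for line in text.strip().splitlines():
        fields = line.strip().split("|")
        ts, kind = datetime.fromisoformat(fields[0]), fields[1]
        if kind == "RESET":
            _, _, account, channel, caller_ref, account_type = fields
            resets.append(ResetEvent(ts, account, channel, caller_ref, account_type))
        elif kind == "DENIED":
            denials.append(DenialReport(ts, fields[2]))
        else:
            raise ValueError(f"unknown record type: {kind}")
    return resets, denials


def flag_suspicious_resets(resets, denials, window=timedelta(days=6)):
    """Return {account: set(reasons)} for temporary passwords that should be revoked.

    For each denial report, the most recent support-line reset of that account
    before the report is treated as attacker-initiated. Every other support-line
    reset that shares its caller reference, and every contractor support-line
    reset within `window` of it, is flagged as well.
    """
    flagged = {}
    by_account = {}
    for r in resets:
        by_account.setdefault(r.account, []).append(r)

    for d in denials:
        earlier = [r for r in by_account.get(d.account, [])
                   if r.ts <= d.ts and r.channel == "support_line"]
        if not earlier:
            continue  # nothing to correlate; the report may concern a self-service reset
        denied = max(earlier, key=lambda r: r.ts)
        flagged.setdefault(denied.account, set()).add("user denied requesting this reset")
        for r in resets:
            if r is denied or r.channel != "support_line":
                continue
            if r.caller_ref == denied.caller_ref:
                flagged.setdefault(r.account, set()).add(
                    f"same caller reference ({r.caller_ref}) as a denied reset")
            elif r.account_type == "contractor" and abs(r.ts - denied.ts) <= window:
                flagged.setdefault(r.account, set()).add(
                    "contractor support-line reset within window of a denied reset")
    return flagged


if __name__ == "__main__":
    resets, denials = parse_log(SAMPLE_LOG)
    for account, reasons in sorted(flag_suspicious_resets(resets, denials).items()):
        print(f"revoke temporary password for {account}: {'; '.join(sorted(reasons))}")
```

On the constructed log the self-service reset and the reset nineteen days later are left alone, while the denied reset, the one sharing its caller reference and the two contractor resets inside the window are all flagged.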

Financial Industry Takes Most Heat for Data Breaches: Study

Of all the industries prone to data breaches — maybe better make that of all industries, period, since hacking and other incursions have become so prevalent — the financial industry stands out, and not for a good reason.

In fact, according to a report from eMoney Advisor, financial services firms are the most susceptible to the bad publicity that results from an exposure of what should have been private data. At 5.7%, the industry has the highest abnormal churn rate — a measure of lost customers — in the U.S. economy.

And even though cyberattacks make lots of headlines, that doesn’t mean that firms are prepared to ward them off. Says the report, they lack the resources, infrastructure or experience to keep them at bay.

The average financial firm breach costs nearly $7 million, while a recent report finds that in 2017, 25% of such firms were hit; in 2016, 20% of firms suffered a breach.

The purpose of data breaches can vary depending on the industry, with hackers of retail and government systems usually looking for data to sell online. Within the financial industry, hackers are typically looking to steal money or data directly from customers, eMoney says.

Some of the tricks hackers use are the business email compromise (BEC), which tricks someone in the company into sending funds to a bogus account; ransomware, shutting down a company’s systems until a ransom is paid; and phishing, which is the most common in financial sector companies. Phishing emails lure the recipient into clicking on a link, attachment or website that can then infect the computer with malware.

Attacks are getting more sophisticated and more common, with the risks including having to deal with irate clients and offering free or discounted services to them, time spent dealing with the situation, reputational damage and the cost of lost customers.

Some of the measures eMoney Advisor suggests to protect data include two-factor authentication, which makes it more difficult for bad guys to gain access to client accounts; encryption, which keeps hackers from being able to make sense of data if they’ve hacked in directly; and backups, which can protect against ransomware by allowing companies to restore their own data.

Vendors need to be monitored and a disaster recovery plan just for cyberattacks should be in place, and companies should also be prepared to review “lessons learned” in the wake of a problem.

Last but not least, a company’s list of protective measures has to include “cybersecurity hygiene” that keeps systems and security measures current and active; better training of users so they are not taken in by tricks; and testing of security to make sure that everything is working and protected as it should be.

New Ohio law incentivizes businesses that comply with cybersecurity programs

On Aug. 3, 2018, Gov. John Kasich signed Senate Bill 220, also known as the Ohio Data Protection Act. Under the Act, eligible organizations may rely on their conformance to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. The Act is intended to provide organizations with a legal incentive to implement written cybersecurity programs. 

In order to qualify for this new defense, the organization must implement a written cybersecurity program designed to 

  • Protect the security and confidentiality of personal information.

  • Protect against anticipated threats or hazards to the security or integrity of personal information.

  • Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. 

The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization.

Additionally, the organization’s cybersecurity program must “reasonably conform” to one of the following cybersecurity frameworks:

  • National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

  • NIST special publication 800-171, or 800-53 and 800-53a.

  • Federal Risk and Authorization Management Program’s Security Assessment Framework.

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.

  • International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.


For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

The legislation expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Rather, it seeks “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

This law will be the first in the nation that incentivizes businesses to implement certain cybersecurity controls by providing them with an affirmative defense. States like New York require certain businesses to meet specific cybersecurity compliance standards, without providing a specific affirmative defense as an incentive to do so.

Qualification for this new safe harbor will not be automatic and may be challenging to establish. Many of the specified frameworks, like NIST, do not have a standard certification process, so proving that a security program conforms to the applicable framework may prove difficult. However, given the increasing risk that cybersecurity presents for many organizations, the Ohio Data Protection Act may grant some relief.

The SEC, Cybersecurity, and Registered Investment Advisers: All in the Same Boat Fighting Cybercrime

Why Ignoring OCIE On Cybersecurity Could Lead to Catastrophe

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) has recently started to examine the capabilities of domestic organizations to fend off attempted cyberattacks and respond quickly to successful ones to ensure the confidence of investors, limited partners, and public markets in general. Since these attacks can be devastating, OCIE has created guidelines for companies and firms intended to help prevent cyberattacks and minimize risk. Failure to follow these guidelines will likely result in OCIE issuing critical inspection reports or even making referrals to enforcement offices. To guard against disastrous cyberattacks, minimize both organizational and reputational risk, and prevent OCIE or enforcement penalties, companies and firms should understand and implement these guidelines at their earliest opportunity. This benefits both the organization (to avoid potential regulatory fines and penalties, and liability to other parties affected by a breach) and any investors and limited partners, who could potentially lose millions should there be a successful breach.


OCIE is the arm of the SEC that goes out to registered entities to evaluate many aspects of operations and regulatory compliance. The SEC has charged OCIE with the task of evaluating the readiness of regulated investment advisory firms in relation to cybersecurity. In addition to entities such as registered investment companies, registered advisers, broker-dealers, and transfer agents, these firms also include alternative investment and hedge funds, wealth management firms, and private equity funds. The SEC’s National Exam Program (NEP), run by OCIE, aims to protect investors, maintain market integrity, and promote responsible capital formation using risk-focused strategies. These strategies, if implemented properly, should improve compliance, prevent fraud, monitor risk, and inform policy. On July 21, 2010, the passing of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) granted OCIE additional authority over more people and entities.

For many years, OCIE has issued an annual exam letter detailing priorities for examinations it will conduct during the year. Since 2010, OCIE has made computer security issues an important item on its list of topics. OCIE has been working with organizations to help them self-assess their ability to mitigate risk and defend against cyberattacks, and to improve their practices in these areas. In 2011, referrals from NEP in cooperation with the SEC’s Division of Enforcement resulted in a significant number of enforcement actions. These cases reportedly stopped Ponzi schemes, identified material disclosure omissions and misinterpretations, and illuminated hidden fees/undisclosed remuneration and expenses charged to investors. The SEC uses the data collected from NEP to recognize and monitor risk, brief rule-making initiatives, pursue misconduct, and improve industry practices guided by NEP’s general principles: to be data-driven, risk-based, and transparent; to have maximum efficiency with its resources; and to embrace new technology. More recently, OCIE referrals have led to enforcement actions related to poor cyber-security, and to actions derived from actual breaches that have harmed companies or investors.

National Exam Program Risk Alert, 2015:

In April 2014, OCIE published its first comprehensive Risk Alert addressing how SEC-led examinations would help to identify cybersecurity risks and determine the degree of cybersecurity preparedness in the securities industry. In February 2015, OCIE published its conclusions from these observations. This publication deliberated upon legal, regulatory, and compliance issues relating to cybersecurity. After examining 57 broker-dealers and 49 investment advisors, OCIE came to these general conclusions:

  1. 93 percent of broker-dealers and 83 percent of investment advisors examined adopted written security procedures and policies, and a large group of the firms operated regular audits to determine compliance with procedures and policies.

  2. Many firms used external standards and other outside resources to guide their information security processes and architecture.

  3. Most of the examined firms engaged in regular risk assessments to find cybersecurity threats, vulnerabilities, and business consequences.

  4. Most firms examined conducted inventorying, cataloguing, and/or mapping of their technological resources.

  5. Almost 75 percent of the examined broker-dealers, but less than 25 percent of the investment advisors, implemented mandatory actions regarding cyber risk into their contracts with partners and vendors.

  6. Almost all firms used encryption.

  7. Many firms provided clients with advice to protect information, but more broker-dealer firms did so than investment advisors.

  8. More than half of the broker-dealers had cybersecurity insurance, but very few investment advisory firms had it.

These results show that cybersecurity and risk management improved in these firms, but further improvement is needed to prepare for and defend against cyber incidents. Furthermore, it was shown that broker-dealers generally have cybersecurity practices that are much better suited to the modern world, which is riddled with cyber-risk, than those of investment advisor firms. In response to these 2014 findings, OCIE continued to emphasize cybersecurity compliance and controls in its 2015 Examination Priorities.

The Continuing Examination Process

OCIE devised its Cybersecurity Examination Initiative to further develop its examination practices in response to ongoing security breaches and threats, and to determine the level of cybersecurity preparedness within the securities industry. This includes firms’ ability to safeguard broker-dealer customer and investment advisor client information. Public reports have found that breaches exploiting weaknesses in rudimentary controls often went unattended or were simply ignored. As a result, OCIE suggested that examiners collect data on cybersecurity-related controls in addition to examining the implementation of specific firm controls. To encourage improved compliance practices and to improve the SEC’s comprehension of cybersecurity preparedness, the SEC release noted that its cybersecurity initiative will emphasize the following areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, and incident response. Below is additional information about each of the areas under consideration by the SEC:

Governance and Risk Assessment

The SEC emphasized that examiners should consider whether registrants possess cybersecurity governance and risk assessment processes in relation to the topics discussed. This could reveal whether firms are regularly examining cybersecurity risks and whether controls and risk assessment processes fit the business needs of the firm. The SEC further suggested that the degree of communication to and participation of senior management (as well as the board of directors) should be thoroughly reviewed. Communication is crucial because the board of directors, management companies, and senior managing directors often hold immense power to effect change within the organization. If they are not informed and updated on the proper cybersecurity protocols, the lack of proper cybersecurity oversight could potentially inflict considerable damage on the organization if there is a breach. Also, adequate communication enables the proper personnel to address the incident as swiftly as possible. The difference between a minor setback and a major disaster in the cybersecurity world could be a matter of mere hours, so continuous communication is a necessity.

Access Rights and Controls

Firms leave themselves especially vulnerable to data breaches if they fail to establish basic controls designed to prevent unauthorized access to private systems and data. Examples of these controls are multifactor authentication and updating access rights as personnel and systems change, so that current authorized users hold just enough access to do their jobs and no more (least privilege), and departed users hold none. It is important for examiners to review how firms control access to systems and data through management of user authentication, credentials, and authorization methods. This may include reviewing controls over remote access, customer logins and the firm’s protocol for handling customer login problems, passwords/passphrases, network segmentation, and tiered access.
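One way to operationalize the access-review point above, as an added example that is not OCIE’s guidance or the article’s own material: the script below reconciles a directory dump against the HR roster and a role-to-entitlement matrix, flagging orphaned accounts, terminated users still enabled, accounts without MFA, entitlements beyond the role (a role change never reflected in access), and dormant accounts. The roster, accounts, role names and entitlement names are constructed sample data, and the field names are assumptions about what an HR export and a directory dump would contain.

```python
"""Access-rights review: reconcile directory accounts against the HR roster.

Added example; not part of the OCIE guidance or of the original article.
The roster, account list and role-entitlement matrix are constructed sample
data, and the field names are assumptions about what an HR export and a
directory dump would contain.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Entitlements a person in each role legitimately needs (least privilege).
# Role and entitlement names are assumed for the example.
ROLE_ENTITLEMENTS = {
    "advisor": {"crm_read", "crm_write", "portfolio_read"},
    "ops": {"crm_read", "portfolio_read", "wire_initiate"},
    "it": {"crm_read", "domain_admin"},
}


@dataclass(frozen=True)
class Person:
    user_id: str
    role: str
    active: bool  # False once HR has processed the termination


@dataclass(frozen=True)
class Account:
    user_id: str
    enabled: bool
    mfa_enrolled: bool
    entitlements: frozenset
    last_login: date


def review_access(roster, accounts, today, stale_after_days=90):
    """Return (user_id, finding) pairs an examiner would expect to see resolved.

    Checks, in order: orphaned accounts, terminated users still enabled,
    missing MFA, entitlements beyond the role, and dormant accounts.
    """
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            findings.append((acct.user_id, "orphan: account has no HR record"))
            continue
        if not person.active and acct.enabled:
            findings.append((acct.user_id, "terminated user still enabled"))
            continue
        if not acct.enabled:
            continue  # disabled accounts are reviewed for deletion separately
        if not acct.mfa_enrolled:
            findings.append((acct.user_id, "MFA not enrolled"))
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(person.role, set())
        if excess:
            findings.append((acct.user_id, "excess entitlements: " + ", ".join(sorted(excess))))
        if (today - acct.last_login).days > stale_after_days:
            findings.append((acct.user_id, f"dormant: no login in {stale_after_days} days"))
    return findings


SAMPLE_TODAY = date(2018, 11, 1)  # fixed date so the sample is reproducible


def build_sample():
    """Constructed HR roster and directory dump illustrating each finding."""
    def days_ago(n):
        return SAMPLE_TODAY - timedelta(days=n)

    roster = [
        Person("alice", "advisor", True),   # moved from ops to advisor last quarter
        Person("bob", "ops", False),        # terminated; HR record closed
        Person("carol", "it", True),
    ]
    accounts = [
        Account("alice", True, True,
                frozenset({"crm_read", "crm_write", "portfolio_read", "wire_initiate"}), days_ago(5)),
        Account("bob", True, True,
                frozenset({"crm_read", "portfolio_read", "wire_initiate"}), days_ago(40)),
        Account("carol", True, False, frozenset({"crm_read", "domain_admin"}), days_ago(120)),
        Account("svc_backup", True, True, frozenset({"domain_admin"}), days_ago(1)),  # nobody owns it
    ]
    return roster, accounts


def run_sample():
    roster, accounts = build_sample()
    return review_access(roster, accounts, SAMPLE_TODAY)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user:12} {finding}")
```

Running it prints one line per finding. A firm would feed it the real HR export and directory dump on a schedule and keep the output, with the sign-off that resolved each item, as evidence of the periodic access review that examiners ask about.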

Recognizing that many recent intrusions to steal data or extort system operators have exploited human weaknesses to gain access to systems, recent OCIE examinations have shown increased attention to the training provided to personnel. As discussed below, training to prevent successful “phishing” attacks and the introduction of “malware” into systems is receiving enhanced attention.

Data Loss Prevention

Data breaches can also result from weak patch management and system configuration controls. To minimize data loss, the SEC suggested that examiners assess how firms monitor the volume of content transferred outside the firm by employees or through third parties, including email attachments and uploads. It is also important for examiners to assess how firms watch for unauthorized data transfers, and to review how firms authenticate customer requests to transfer funds.
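As an added illustration of the outbound monitoring described above (not part of the OCIE guidance or this article), the following script runs three checks over constructed mail-gateway log lines: an attachment sent to a personal webmail domain, an attachment whose file name looks like client data leaving the firm, and a user’s external egress for the day crossing a byte threshold. The log format, the domain lists and the threshold are assumptions; the sample lines are constructed.

```python
"""Outbound e-mail egress monitoring over constructed gateway log lines.

Added example; not part of the OCIE guidance or the original article. The log
format, the domain lists and the thresholds are assumptions, and the sample
lines are constructed rather than captured traffic.
"""
import re
from collections import defaultdict

# Assumed gateway log format: one line per outbound message.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\S+) user=(?P<user>\S+) to=(?P<to>\S+) "
    r"attach=(?P<attach>\S*) bytes=(?P<bytes>\d+)$"
)
INTERNAL_DOMAINS = {"examplewealth.com"}  # assumed corporate domain
PERSONAL_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
SENSITIVE_NAME = re.compile(r"client|account|ssn|statement|holdings", re.I)
DAILY_EXTERNAL_BYTES = 50_000_000  # per user per day; assumed threshold


def parse_events(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # a real deployment should alert on parse failures too
        ev = m.groupdict()
        ev["bytes"] = int(ev["bytes"])
        ev["day"] = ev["ts"][:10]
        ev["domain"] = ev["to"].rsplit("@", 1)[-1].lower()
        yield ev


def detect_egress(lines):
    """Return (user, rule, detail) alerts for messages leaving the firm."""
    alerts = []
    daily = defaultdict(int)  # (user, day) -> bytes sent externally so far
    for ev in parse_events(lines):
        if ev["domain"] in INTERNAL_DOMAINS:
            continue  # internal mail is not egress
        if ev["attach"]:
            if ev["domain"] in PERSONAL_WEBMAIL:
                alerts.append((ev["user"], "attachment to personal webmail", ev["attach"]))
            if SENSITIVE_NAME.search(ev["attach"]):
                alerts.append((ev["user"], "sensitive-looking attachment sent externally", ev["attach"]))
        key = (ev["user"], ev["day"])
        before = daily[key]
        daily[key] += ev["bytes"]
        # Fire once, on the message that crosses the daily threshold.
        if before <= DAILY_EXTERNAL_BYTES < daily[key]:
            alerts.append((ev["user"], "daily external egress over limit", ev["day"]))
    return alerts


# Constructed sample lines (not real traffic).
SAMPLE_LOG = """\
2018-10-03T09:12:44Z user=jsmith to=ops@examplewealth.com attach=clients_q3.xlsx bytes=2400000
2018-10-03T09:40:02Z user=jsmith to=jsmith77@gmail.com attach=clients_q3.xlsx bytes=2400000
2018-10-03T10:05:19Z user=mlee to=trades@custodian.example attach= bytes=12000
2018-10-03T11:20:31Z user=rkim to=print@vendor.example attach=newsletter.pdf bytes=30000000
2018-10-03T11:22:07Z user=rkim to=print@vendor.example attach=newsletter_v2.pdf bytes=30000000
2018-10-04T08:01:10Z user=rkim to=print@vendor.example attach=newsletter_v3.pdf bytes=30000000
"""

if __name__ == "__main__":
    for alert in detect_egress(SAMPLE_LOG.splitlines()):
        print(alert)
```

The first sample line produces no alert because the recipient is internal; the second trips two rules at once, which is the pattern examiners care about (a client file forwarded to a personal mailbox). The byte check fires only on the message that crosses the threshold, so a user who sends many large but legitimate files is reported once per day rather than on every message.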

Vendor Management

Among the largest data breaches (prior to OCIE’s NEP Risk Alert, Volume IV, Issue 8) were those that resulted from the compromise of third-party vendor platforms, which Booz Allen Hamilton identified as the greatest threat to firms in 2015. Despite this threat, PwC found through its 2015 U.S. “State of Cybercrime Survey” that 23 percent of firms did not examine third-party vendors, 19 percent of CIOs had no concern for supply-chain risks, more than half of respondents did not consider supplier risks at all, and most companies had no process for determining the security capabilities of third-party vendors before associating with them. Of course, allowing trusted third parties to have access to the firm’s network may create real efficiencies for all parties involved, but OCIE recognized that such access could create a “back door” into the firm’s network if the vendor’s credentials are compromised. Recent examinations of registered entities now ask registrants what they do to inspect or otherwise evaluate the controls in place at vendors who are granted access to the organization’s systems, and at vendors hired to operate systems, provide software, or host data for the registrant. Some of these providers, citing their own security, are reluctant to share such information with registrant-customers, but OCIE is not always satisfied when a registrant offers that as the answer.

Training

Firm employees and vendors can benefit greatly from appropriate training on how to mitigate data risk. Data breaches can result from unintentional employee actions, such as misplacing or losing a device (e.g., a laptop, phone, or tablet), viewing confidential information over an untrusted network such as public Wi-Fi, or opening messages, downloading attachments, or clicking on links from an unknown source. To protect against these potential breaches, well-trained employees will keep their devices encrypted and enrolled so that they can be located and wiped remotely, and will confirm the connection is secure (e.g., through a VPN) before viewing confidential information. Through regular training and awareness, employees should also be equipped to spot suspicious downloads, attachments, and links from unknown sources, and to verify that they are safe before opening them. Likewise, good training will help employees understand the dangers associated with social media browsing and “watering hole” attacks, in which an attacker compromises a legitimate site that the target population is known to visit.

Incident Responses and Business Continuity

In general, firms recognize the growing risk of cybersecurity threats and breaches. Management should be aware that OCIE will want to determine whether firms have established policies, assigned roles, evaluated and addressed system vulnerabilities, and created plans to respond to future incidents and recover from them quickly. OCIE and the SEC now use sophisticated data analytics to select exam targets, to focus the scope of examinations, and to make the most efficient use of SEC resources. Organizations can use similar analyses to decide which data, assets, and services (the “crown jewels”) warrant the strongest protection so that an attack cannot inflict severe damage. Business continuity plans allow the firm to prioritize critical systems and restore them as soon as possible.

2018 NEP Examination Priorities

OCIE has published five priorities regarding the focus of the NEP for 2018. These priorities follow (in no specific order):

  1. Matters of importance to retail investors, seniors, and people saving for retirement

  2. Compliance and risks in critical market infrastructure

  3. Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB)

  4. Cybersecurity

  5. Anti-money laundering programs

It is prudent for individuals, companies, and firms to emphasize strengthening compliance infrastructure, especially in areas of OCIE focus. Though compliance with OCIE’s cybersecurity initiatives cannot successfully ward off all breaches, adherence to the SEC’s cyber suggestions could make firms more resilient, and hopefully more secure. Efforts that match industry best practices will help minimize the risk that the SEC will pursue more severe sanctions in the event of an unpreventable breach.

OCIE’s Continuing Focus Relating to Cybersecurity

OCIE examinations relating to cybersecurity will continue to include risk assessments, governance, vendor management, data loss prevention, access rights and controls, incident response, and training. Consistent with this prioritization, the SEC has fined organizations for neglecting their cybersecurity policies and procedures. A common charge is violation of Rule 30(a) of Regulation S-P, otherwise known as the “Safeguards Rule.” This rule requires investment companies, investment advisors, and registered broker-dealers to adopt written policies and procedures reasonably designed to protect customer records and information. The SEC has also made clear that an organization can be charged with cybersecurity-related violations even if no client suffers a financial loss. For example, the SEC fined R.T. Jones Capital Equities Management $75,000 for its lack of cybersecurity policies and procedures after a breach of a third-party-hosted web server on which the firm stored client information. These fines are arguably nominal compared to the cost of the breach itself. Apart from the harm done to consumers, firms often must pay legal fees and settlements arising from consumer lawsuits, repair their damaged reputations, and upgrade their security while investigating the breach (the latter two also being very expensive).

While following OCIE’s guidelines effectively does require time and money, doing so can not only spare companies the penalties that follow neglect of the guidelines but also help mitigate cyber risk, prevent cyberattacks, and control the damage resulting from a successful attack. If a successful cyberattack goes unaddressed, the ensuing legal fees, payouts to victims, and related costs may damage an organization severely, possibly to the point of no recovery. In other words, spending some resources on cybersecurity and risk management now may significantly lower the risk of losing everything later.

Wealthy Investors Have a Big Cybersecurity Problem

Cybertheft is important to all investors, but especially to high-net-worth individuals who might have greater exposure, less knowledge and more endpoints of access for thieves, according to Aon’s Cyber Solutions CEO Jason J. Hogg.

In fact, more than half of 664 high-net-worth respondents of a 2017 Aon online survey said they had either experienced a cybersecurity event or knew someone who had.

Most interesting to Hogg was that the survey found 77% of respondents were concerned about risks posed to their finances by cybersecurity, and 78% were concerned about related identity theft issues, numbers far above traditional financial worries such as market volatility (60%) or changing interest rates (39%).

“People are more concerned about cybersecurity than they are with regard to their actual wealth,” Hogg told ThinkAdvisor. “That was incredibly telling and most resonating to me.”

Five RIA Cybersecurity Myths - Busted!

From Bentley Long

In the course of my work, I regularly speak with RIAs of all sizes and AUM on cybersecurity risk management and compliance. Every firm is concerned about cybersecurity, sometimes driven by confusion about regulatory guidance, other times driven by fear of damage to the firm's reputation from a data breach.

The Investment Adviser Association recently published its 2018 Compliance Testing Survey, and for the fifth year in a row cybersecurity was the No. 1 concern, cited by 81% of survey respondents.

And yet, convincing firms to make additional investments in information security remains a challenge. I attribute a lot of the pushback to "cyber fatigue". The cybersecurity industry has done itself a great disservice by selling on fear. The result is that many firms have become desensitized to a very real and imminent danger.

The antidote to cyber fatigue is education against a non-apocalyptic backdrop. Cyber attacks are a fact of life in the 21st century; there is no choice but to address the threat. In this article, I will deconstruct some of the most common excuses that I hear for not taking action to continuously improve cybersecurity practices.

#1 - I have a Firewall and Use Antivirus Software so I'm Protected

Antivirus software and a network firewall offer the most basic elements of cyber risk mitigation. However, they are only a small piece of a comprehensive solution.

Antivirus programs rely on databases of "signatures" describing malware and suspicious behaviors that are already known to the vendor. That's a problem: if a threat is unknown, it can't be detected. Increasingly often, we find that antivirus products take months to add detections for the more complex threats, leaving endpoints unprotected in the meantime. Moreover, if you don't regularly update your antivirus, or accidentally disable it, you won't be getting full protection.

The greatest threat to investment advisers is a phishing attack, and antivirus programs offer almost no protection against fraudulent emails that trick users into releasing sensitive information to attackers. The best defense against phishing emails is to conduct regular Security Awareness Training, and run simulated phishing attacks to teach users to recognize malicious emails.

A firewall is the first line of defense for your network, but it needs to be checked regularly for proper configuration. If a port is opened for a vendor or a software program and never closed, that opening becomes a vulnerability. Periodic vulnerability scans and penetration tests will detect improper configurations so that they can be fixed. Best practice also dictates the use of a network intrusion detection system (NIDS) in conjunction with the firewall, as well as host-based intrusion detection (HIDS) and/or host-based intrusion prevention (HIPS) on servers.
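To make the "port opened for a vendor and never closed" point concrete, here is an added example, not code from the article, that compares the allow rules in `iptables -S INPUT` output against a baseline of approved openings, each recorded with an owner and an optional expiry date. It flags openings with no approval, vendor exceptions past their expiry that are still open, and approved rules that have disappeared (a sign of changes being made outside change control). The rule lines, the baseline format and the dates are constructed assumptions.

```python
"""Firewall rule drift check: current iptables allow rules vs. an approved baseline.

Added example; not part of the original article. The baseline, the rule lines
and the expiry dates are constructed, and the baseline format is an assumption
about how a firm might record approved openings and vendor exceptions.
"""
import re
from datetime import date

# Matches the port-allow rules in `iptables -S INPUT` output. Other lines
# (default policy, loopback, conntrack) are not port openings and are skipped.
ALLOW_RE = re.compile(
    r"^-A INPUT(?: -s (?P<src>\S+))? -p (?P<proto>tcp|udp)(?: -m (?:tcp|udp))?"
    r" --dport (?P<port>\d+) -j ACCEPT$"
)

# Approved openings: (source, proto, port) -> owner and optional expiry.
# A missing -s in iptables means "any source", recorded here as 0.0.0.0/0.
BASELINE = {
    ("0.0.0.0/0", "tcp", 443): {"owner": "client portal", "expires": None},
    ("203.0.113.10/32", "tcp", 3389): {"owner": "vendor remote support",
                                       "expires": date(2018, 6, 30)},
}
SAMPLE_TODAY = date(2018, 11, 1)


def parse_allow_rules(lines):
    """Return the set of (src, proto, port) tuples currently accepted."""
    rules = set()
    for line in lines:
        m = ALLOW_RE.match(line.strip())
        if m:
            rules.add((m.group("src") or "0.0.0.0/0", m.group("proto"), int(m.group("port"))))
    return rules


def check_drift(lines, baseline, today):
    """Report unapproved openings, expired exceptions still open, and approved
    openings that are no longer present."""
    current = parse_allow_rules(lines)
    findings = []
    for rule in sorted(current):
        src, proto, port = rule
        label = f"{proto}/{port} from {src}"
        approval = baseline.get(rule)
        if approval is None:
            findings.append(("unapproved", label))
        elif approval["expires"] and today > approval["expires"]:
            findings.append(("expired exception still open",
                             f"{label} ({approval['owner']}, expired {approval['expires']})"))
    for rule in sorted(set(baseline) - current):
        src, proto, port = rule
        findings.append(("approved rule missing", f"{proto}/{port} from {src}"))
    return findings


# Constructed `iptables -S INPUT` output for a single host.
SAMPLE_RULES = """\
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
"""


def run_sample(today=SAMPLE_TODAY):
    return check_drift(SAMPLE_RULES.splitlines(), BASELINE, today)


if __name__ == "__main__":
    for kind, detail in run_sample():
        print(f"{kind}: {detail}")
```

In the sample, the database port (3306) was never approved, and the vendor's remote-desktop exception was approved only through June but is still open in November. Recording an expiry with every vendor exception, and running a check like this on a schedule, is what turns "we closed it when the project ended" from an intention into something you can show an examiner.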

In summary, antivirus and a network firewall are important pieces of your overall strategy, but they are not "set it and forget it" tools. They require periodic updates and maintenance, and must be augmented with other elements of a robust cyber strategy.

#2 - My IT Services Provider Has Addressed the SEC's Guidance on Cybersecurity

I have observed an inherent gap between IT and compliance. Managed Service Providers (MSPs) tend to view the world in terms of network security and endpoint management, while compliance officers often lack the technical expertise to advise on cybersecurity issues. MSPs often bundle point solutions from multiple vendors into a one-size-fits-all cybersecurity suite that is part of their monthly fee. The suite is designed to be industry-agnostic, which allows the MSP to enjoy volume discounts and avoid the difficulty of managing multiple tools that serve the same function. This makes perfect business sense.

For RIAs, this approach falls short, because the SEC has provided very specific guidance on cybersecurity via its Office of Compliance Inspections and Examinations (OCIE). Moreover, in an SEC examination on cyber, you will be asked to produce a Written Information Security Policy (WISP) based on that guidance. You will also be asked to provide evidence that all firm employees understand and are following these policies.

Adding it up, the SEC recommends 34 specific elements for your security program which can be broken down into six subgroups: Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response.  

MSPs are an important part of your cyber compliance plan, but at most they address some of the Access Rights and Controls, and some of the Data Loss Prevention subgroups. What about the other pieces?

In addition, the periodic risk assessments recommended by the SEC cannot be performed by the same entity that sets up and maintains your network. The assessments need to be performed by an independent third party to ensure unbiased results.

#3 - Our Business is Way Too Small to Be a Target

First of all, you work in financial services, which means you work in one of the top three industries targeted by hackers. Initiating fraudulent wire transfers through phishing can be surprisingly easy and quite lucrative.

Secondly, because you are a small business, you are less likely to have invested in cybersecurity. This makes you an easier target.

Lastly, hackers have begun using bots and artificial intelligence to sniff out vulnerabilities on public facing networks, and can even engage potential targets in social engineering attacks. This means that hackers can scale their efforts exponentially. No one is immune.

The Ponemon Institute has published sobering statistics on SMBs and cybersecurity. The bottom line is that you are an attractive target to hackers.

#4 - We Only Access Secure Portals, So Our Endpoints (Devices) Don't Need Protection

Another variant of this is, "I don't need to worry about my devices since all my data and applications are in the cloud. There's nothing valuable on them.”

Au contraire. Users, and by proxy their endpoints, are the weakest link in securing your firm's sensitive information. How do you know that the endpoint hasn't been compromised when you are accessing a secure site?

Devices can be infected via a USB drive, an email attachment, a website, or simply by connecting to an unsecured Wi-Fi network. Once infected, the device can transmit keystrokes and login credentials that let the attacker access your data in a secured portal.

Even if your applications are cloud based, many of them keep a local copy of your data to give you access when you are offline. If your email client stores your messages in a local folder, that information can be treasure trove for hackers. It can be used to impersonate you for fraudulent purposes, as well as to phish all of your contacts, among other things.

Think about all of the devices that you use to access work applications and data. Smartphones, tablets, laptops, and desktops all need to be encrypted, monitored, and protected with antivirus and MDM software.

#5 - We Don't Need Cyberinsurance

The term "Cybersecurity" is something of a misnomer. It implies that your information can be totally secured. In reality, you reach a point of diminishing returns with point solutions. It becomes increasingly expensive to achieve marginal gains, and you can never get to 100% secure. That's why you need cyberinsurance.

Purchasing a cyber insurance policy is not tantamount to throwing in the towel on securing sensitive information. It is, rather, an acknowledgement that cyber attacks are a growing threat to your business in the same way that fire, theft, and workers' comp claims are.

Many firms assume that they already have coverage under their general liability policy. This can be a costly assumption. Most traditional commercial general liability policies do not cover cyber risks, and commonly exclude property damage and personal and advertising injury claims arising from access to or disclosure of confidential information.

In addition, many of the cyber policies written to date are not worth the paper they are printed on. They have a long list of exclusions and high retentions (deductibles) that make them unlikely to pay out in the event of a breach.

Take the time to talk to a cyber insurer that specializes in RIAs. The time to find out about gaps in coverage is not after you have had a breach.

Myth Busting

Don't perpetuate these myths. Realize that most myths are really "partial truths". That means that these misconceptions start with a reasonable assumption, but fail to take account of the bigger picture. A comprehensive cybersecurity risk management and compliance program has multiple elements. The biggest myth is that you can find one silver bullet that will make you secure.

And remember, the threat is constantly evolving, so an annual assessment of your policies, procedures, protections, and risks is the only way to keep current. Stay safe, my friends.

States taking control of data and cybersecurity requirements

Cybersecurity continues to be a concern for government and the private sector. It has enormous implications for government security, economic prosperity and public safety.

States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more.

2018 Introductions: At least 36 states, D.C. and Puerto Rico introduced or considered more than 265 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity are illustrated below.

Some Examples:

NEW YORK - NYDFS Cybersecurity Deadline Approaching 

COLORADO - Ramping up for Data Privacy Compliance

CALIFORNIA - California Passes Landmark Law Creating Broad Data Privacy Rights for California Residents

OHIO - Cybersecurity Safe Harbor Against Data Breach Lawsuits Becomes Ohio Law

NAPFA ADVISOR: Keep regulators happy with your firm's cybersecurity

Simply keeping your clients safe from fraud, as suggested in "6 ways to keep your client accounts safe from fraud" (page 16), is not enough to make the regulators happy with your firm's handling of cybersecurity. That was the bottom line of "Cybersecurity and Compliance Issues for RIAs," a NAPFA Spring Conference session presented by Mark Brown and Dan Konzen of Advisor Armor, a cybersecurity and compliance firm.

INSIGHT: Parallels in the SEC’s Approach to Cybersecurity for Market Intermediaries and Issuers

From Securities & Capital Markets on Bloomberg Law

By Vince Martinez and McNair Nichols

When it comes to cybersecurity, the Securities and Exchange Commission (SEC) has a limited regulatory hand. First, for virtually all of its registrants, the SEC has no regulation that articulates specific cybersecurity requirements (with the possible exception of Regulation SCI, which applies to a very limited number of SEC registrants). Second, SEC regulatory processes move more slowly than the pace of technological change. Accordingly, any regulation mandating specific technological measures runs the risk of being obsolete on arrival. Despite these issues, the SEC has a relatively clear and discernible approach to cybersecurity. This article discusses how the SEC has crafted staff and interpretive guidance in lieu of regulation mandating prescriptive technological requirements in order to fashion a uniform approach to cybersecurity that is thematically consistent across its registrants, from market intermediaries (such as broker-dealers, investment advisers, and investment companies) to issuers (public reporting companies).

SEC Regulations Applicable to Market Intermediaries

Rule 30 of Regulation S-P, known as the “Safeguards Rule,” requires firms to implement policies and procedures to: insure the security and confidentiality of customer records and information; protect against anticipated threats; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a customer. See 17 C.F.R. § 248.30 (2004). To date, the SEC has brought most of its cybersecurity-related enforcement actions as violations of Rule 30, including most recently R.T. Jones Capital Equities Management, Inc., Investment Advisers Act Rel. No. 4204 (Sept. 22, 2015); Craig Scott Capital, Securities Exchange Act Rel. No. 77595 (Apr. 12, 2016); and Morgan Stanley Smith Barney LLC, Securities Exchange Act Rel. No. 78021, Investment Advisers Act Rel. No. 4415 (June 8, 2016).

However, Rule 30 is limited in two important ways. First, its information protection requirements apply to the information of “customers” and “consumers,” the latter of which is defined as “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” 17 C.F.R. § 248.3(g)(1) (2009) (emphasis added). Second, the rule specifies no means for accomplishing its objectives. Instead, it requires registrants to create “reasonably designed” policies and procedures. In other words, Rule 30 merely articulates a principles-based standard. However, a registrant must act at least negligently to violate Rule 30. See NEXT Financial Group, Inc., Admin. Proc. File No. 3-12738, at 23 (June 18, 2008). To illustrate the SEC’s difficulty in creating specific technological measures in its regulations, the SEC has tried without success to amend Regulation S-P three times.

Other applicable regulations are less specific. Rule 206(4)-7 under the Investment Advisers Act of 1940 requires registered investment advisers to adopt and implement policies and procedures “reasonably designed” to prevent securities law violations, to conduct an annual review, and to designate a Chief Compliance Officer to administer compliance policies. Likewise, Rule 38a-1 under the Investment Company Act of 1940 imposes a similar policies and procedures requirement on registered investment companies. The only indication that these rules encompass cybersecurity is that cybersecurity-related concepts―such as “[s]afeguards for the privacy protection of client records and information” and “[b]usiness continuity plans”―are mentioned among the considerations that registrants are expected to address in the preamble to the final rule. Advisers Act Rel. No. 2204 (Dec. 17, 2003). Otherwise, the mandate of these rules is a simple direction to ensure that the registrant is adhering to its obligations under the federal securities laws.

Nonetheless, it is through these broad prescriptions that the SEC staff has pursued the agency’s basic approach to integrating cybersecurity into the business processes of market intermediaries. In April 2015, the SEC’s Division of Investment Management (IM) issued a “Cybersecurity Guidance Update,” which described measures that “funds and advisers may wish to consider” regarding their cybersecurity. SEC Division of Investment Management, Guidance Update: Cybersecurity Guidance, No. 2015-02 (Apr. 2015). Most instructive is the following passage:

In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws.

Id. at 2. In effect, IM is stating that although cybersecurity is not a regulatory requirement in itself, it is necessary in this day and age to ensure that a registrant is able to meet its obligations under the federal securities laws. More simply put, the SEC is bootstrapping cybersecurity onto other regulatory requirements.

SEC Cybersecurity Guidance for Issuers

This same bootstrapping concept informs the agency’s approach to issuers, for whom the regulatory ties to cybersecurity are more limited. Unlike market intermediaries, the SEC does not regulate the businesses of issuers. Instead, the regulation of public reporting companies is limited to imposing standards on the quality of disclosures, books and records, and internal controls. Accordingly, the agency’s ability to integrate cybersecurity into the conduct of issuers is much less substantial.

In February 2018, the SEC issued a “Statement and Guidance on Public Company Cybersecurity Disclosures.” Securities Exchange Act Rel. No. 82756 (Feb. 21, 2018). Although, like staff guidance, it does not have the force of law or regulation, it does represent the agency’s considered views on the place of cybersecurity in issuer disclosure practices. Further, like the April 2015 IM Guidance discussed above, it creates a linkage between cybersecurity and an issuer’s regulatory obligations―in this case disclosure controls. The February 2018 Interpretation largely reiterated guidance issued by the staff of the SEC’s Division of Corporation Finance (CorpFin) in October 2011, but added a new section on disclosure controls and procedures. Most instructive is the following passage:

Cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications …. When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. 
These rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) “recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms,” and (2) “accumulated and communicated to the company’s management … as appropriate to allow timely decisions regarding required disclosure.”

Id. at 18-20. Again, the agency’s approach is not to impose cybersecurity requirements directly. Nor does it seek to define specific technological measures. Instead, the February 2018 Interpretation makes the case that cybersecurity is a necessary part of a public reporting company’s ability to ensure that it is detecting disclosure-worthy cyber events, and making timely and appropriate disclosures.

Coincidentally enough, the SEC drove these points home shortly after issuing the interpretation by bringing an enforcement action for a failure to disclose a data breach. On April 24, 2018, the SEC announced a settlement under which Altaba (formerly Yahoo! Inc.) agreed to pay a $35 million penalty in response to charges that it failed to disclose a significant data breach of personal information from user accounts. See Altaba Inc., f/d/b/a Yahoo! Inc., Securities Act Rel. No. 10485 (Apr. 24, 2018). According to the SEC’s order, members of the company’s senior management and legal department were informed of the breach, but the company nevertheless failed to “properly assess the scope, business impact, or legal implications of the breach.” Id. at 6. In short, this is an instance of an asserted failure to properly implement controls reasonably designed to ensure that material information is timely and effectively disclosed. That fact was made clear by Jina Choi, Director of the SEC’s San Francisco Regional Office, who stated in the accompanying press release that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” SEC Press Release, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 24, 2018).

How Will the SEC’s Approach to Cybersecurity Unfold over Time?

It is difficult to predict how a regulatory approach grounded in staff and interpretive guidance coupled with the indirect application of principles-based regulations will manifest itself. Still, recent SEC staff practices offer some important clues.

With respect to market intermediaries, the SEC has been signaling its expectations for a little over four years. Beginning on April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” announcing its first “Cybersecurity Initiative,” the results of which it announced publicly on February 3, 2015 in a subsequent Risk Alert. OCIE issued another Risk Alert to announce a second “Cybersecurity Examination Initiative” on September 15, 2015, which also led to published results on August 7, 2017. All of these Risk Alerts can be found on the SEC’s website. Attached to the Risk Alerts announcing each initiative was an Appendix which listed specific questions and topics that firms could expect to encounter in an OCIE examination that included a cybersecurity component. These Appendices were based in part on the February 12, 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” issued by the National Institute of Standards and Technology. Both Appendices were offered by OCIE with the stated purposes to “empower” and “assist” firms in evaluating their own cybersecurity preparedness. Significantly, the guidance articulated in the Appendices became more precise and prescriptive over time, venturing from general questions about policies and procedures to specific questions about controls and documentation.

While OCIE’s guidance is a laudable effort to help firms increase their cybersecurity preparedness, it carries potential risks; namely, it can create de facto standards with respect to policies, procedures and technological measures that firms must become familiar with, and upon which they may be judged. In other words, these staff-created measures may well become the standards by which “reasonably designed” policies and procedures are evaluated.

Certainly, recent enforcement actions for violations of Rule 30 of Regulation S-P reflect an intention to define “reasonable design” in light of failures to apply specific technological measures, including encryption, access restrictions and monitoring controls. See R.T. Jones at 3; Morgan Stanley at 5-6. It is fair to predict that cybersecurity examination components will become more frequent and detailed, that enforcement actions will not be limited to firms that have been attacked (e.g., Craig Scott), and that OCIE and the Division of Enforcement will find deficiencies and violations based on concepts articulated in staff guidance.


Cybersecurity Is Still Advisors' Top Compliance Worry: IAA Poll

Other notable concerns are the SEC’s Advertising Rule and new Form ADV disclosures.

Cybersecurity continues to be registered investment advisors’ top compliance challenge: 81% of advisors polled in a just-released Investment Adviser Association survey placed it at the top of their list, the fifth year cyber has held the spot, and nearly two-thirds indicated that their firms increased compliance testing in this area over the past year.

IAA’s 13th annual poll, the 2018 Investment Management Compliance Testing Survey, conducted jointly with ACA Compliance Group, found that other compliance hot topics include complying with the Securities and Exchange Commission’s Advertising Rule as well as the new disclosures relating to separately managed accounts on Form ADV.

The poll found that advisors are concerned about findings raised in the SEC’s September 2017 Risk Alert, which detailed deficiencies examiners found in Advertising Rule compliance. Advisors are also bracing for the SEC’s potential amendments to the Advertising Rule.

As Sanjay Lamba, IAA’s assistant general counsel noted in a recent legal brief, the agency’s Advertising Rule “has been on the books substantially unchanged for nearly six decades!” The good news, he says, is that the SEC’s regulatory priorities for 2018 include amending the rule to “enhance marketing communications and practices by investment advisors.”

Other areas of concern included custody, identified by 28% of survey respondents, and issues relating to privacy.

Compliance professionals at 454 investment advisory firms participated in the survey.

The survey found that the majority of CCOs (66%) continue to wear more than one hat, with 20% also serving in some legal capacity.

“Among the many key takeaways of this year’s survey is that the job of a CCO is becoming more complex and varied, as demonstrated by the wide range of legal and compliance areas CCOs are responsible for, with new ones being added every year,” said Karen Barr, IAA’s president and CEO, in releasing the survey findings.

Enrique Alvarez, senior principal consultant at ACA, added that “as with previous years, we found that the role of the CCO and compliance in general has continued to grow in complexity. This is mostly due to regulatory changes and the expanding scope of responsibilities that compliance teams have taken on.”

To address this, he continued, “we found that participants are not adding more resources and instead are implementing and using technology and service providers to fill the gaps where needed.”

Other notable findings were:

Cryptocurrency: Despite the SEC’s recent focus on issues relating to cryptocurrency, virtually all survey respondents reported that their firms do not trade in cryptocurrency. A majority of survey respondents reported that their codes of ethics relating to employee trading do not contemplate cryptocurrencies; only 10% require pre-clearance for initial coin offerings.

Cybersecurity: Eighty-three percent of firms reported conducting cybersecurity assessments, including software patches (76%), network penetration tests (73%), and vulnerability assessments (72%). Nearly two-thirds of respondents increased the type, scope and/or frequency of compliance testing in the area of cybersecurity. A common response to how firms have enhanced their cybersecurity program is that they now conduct phishing tests of employees.

Form ADV amendments: When asked about the most onerous part of preparing the new Form ADV, disclosures relating to separately managed accounts (SMAs) came in first — specifically, increased SMA reporting of derivatives and borrowing (37%), determining the classification of investment types held in SMAs (21%), determining what is an SMA for purposes of Form ADV (13%), and disclosures relating to SMA custodians (7%).

ESG: Forty-six percent of respondents do consider environmental, social and governance (ESG) factors in managing client portfolios; 27% of “ESG advisors” have signed on to the United Nations-supported Principles for Responsible Investment (PRI) Initiative and 10% are considering doing so.

SEC Prioritizes Data Security and Expects More Mature Cybersecurity Programs

Investment advisers and broker-dealers can expect more scrutiny of their data security from the Securities and Exchange Commission. Our Cybersecurity Preparedness & Response and Investment Management, Trading & Markets teams explore how multiple SEC divisions will be assessing capital market participants’ cybersecurity risk management.

  • Be sure to inform your investors of cyber risks
  • Practical considerations
  • The GDPR and global reach of regulators

In the first half of 2018, the Securities and Exchange Commission (SEC) has reaffirmed its focus on data security and the importance of cybersecurity preparedness through its draft Strategic Plan for fiscal years 2018 through 2022 and interpretative guidance for public company disclosures. Taken together with preexisting guidance, it is clear that the SEC expects more mature cybersecurity programs from its registrants and that it will continue to prioritize data security as fundamental to the U.S. capital markets and market participants.

Multiple divisions and offices of the SEC have now provided guidance and a series of risk alerts regarding its cybersecurity regulations, including the Office of Compliance Inspections and Examinations (OCIE), Division of Investment Management, and, most recently, Division of Corporation Finance. In addition to numerous speeches by commissioners and division directors and an enhanced website, the SEC’s approach to cybersecurity risk management and compliance continues to leverage existing regulations and statutes to police market participants’ preparedness and responses to new and emerging cyber threats.

Because of the importance of “data collection, storage, analysis, availability, and protection,” market participants can expect the SEC to continue to use all tools at its disposal to ensure that market participants “are actively and effectively engaged in managing cybersecurity risks” for the foreseeable future. In addition, the SEC will seek to ensure that market participants as well as public companies “are appropriately informing investors and other market participants of these risks and incidents.” For instance, public companies are expected to disclose material risks and material cybersecurity events, a process that usually depends on internal procedures and controls for assessing materiality and disclosure thresholds. For public companies not otherwise subject to OCIE examination, the SEC has limited its activities to the oversight of disclosures via enforcement action in cases where it has deemed the disclosure of a material cybersecurity event to have been inadequate.

Investment Advisers and Broker-Dealers Under Scrutiny

Written guidance, OCIE examinations of investment advisers and broker-dealers, and the increasingly active Division of Enforcement’s Cyber Unit are the key ways the SEC is addressing cybersecurity preparedness for its registrants. In recent remarks, SEC Chairman Jay Clayton reiterated the work of the Division of Enforcement’s Cyber Unit, and in particular noted that intrusions into online retail brokerage accounts are an area of focus for the specialized unit. Coupled with the FBI’s recent release of its 2017 Internet Crime Report, it is clear that both regulators and law enforcement are focused on cybersecurity threats that rely on investment services platforms and resources to target or harm the investing public. For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cybersecurity programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors and other market participants, as discussed below.

Over the last three years, the SEC has sanctioned firms for a range of specific alleged cybersecurity-related violations. These have included reliance on ineffective restrictions on access rights that failed to prevent a firm employee from inappropriately accessing confidential customer data, and the failure to audit or test those access restrictions. Other allegations have included the failure to conduct periodic risk assessments, employ firewalls to protect servers that contain sensitive personally identifiable information (PII), encrypt PII at rest, and establish procedures for responding to a cybersecurity incident. The SEC has also brought an action alleging that an adviser’s policies and procedures failed to designate a responsible supervisor and to address how customer records and information are to be handled when transmitted, were incomplete, and were not tailored to the actual practices of the firm.

The SEC continues to be focused on technology-based market disruptions as well. In June 2016, the Division of Investment Management released guidance following an August 2015 market disruption caused by a systems malfunction at a financial institution that affected hundreds of mutual funds and exchange-traded funds. The SEC guidance noted that “some funds could have been better prepared for the possibility that one of their critical service providers would suffer an extended outage.” The guidance suggested that advisers of fund complexes, CCOs, and fund boards should reexamine their oversight of critical service providers as they strengthen their business continuity and disaster recovery plans, with a particular focus on communications protocols across the fund complex, with the board, and externally with the affected service provider and other stakeholders. The guidance highlighted the importance of understanding how the business continuity plans of the critical service providers relate to the fund and how that impacts the fund’s backup procedures. Finally, the guidance suggested that funds consider how a variety of critical service provider disruptions could impact fund operations and investors and to be prepared to manage the response, whether the disruption occurs at a critical service provider or at the fund itself.


Five Ways to Improve Compliance—And Not Feel Overwhelmed

Abiding by expanded regulations will take more time, input, effort and oversight—said differently, maintaining the status quo will require more investment.

Compliance is a constant struggle in the financial services sector. As soon as one audit is done another arises, locking brokers into an endless effort with hefty consequences for failure. And that effort evolves and expands with new communication tools.

Every year, FINRA evaluates about 10 issues to consider for updated regulation. This year, that list includes both anti-money-laundering initiatives and the issue of suitability. Depending on how new regulations shake out, brokers and financial advisors could face burdensome requirements for data management.

Detecting money laundering requires massive amounts of data, which advisors will have to capture and store. Detection also requires access to any and all relevant business communications, which creates another archiving obligation. In order to prove to regulators that nothing untoward is occurring, financial professionals already provide a lot of verification.

Proving that investments are suitable to a client based on fiduciary principles creates a similar burden. Brokers use all manner of electronic communication to provide clients with recommendations. Saving all these communications demonstrates to regulators that every recommendation is, in fact, suitable. As baby boomers become the “Silver Tsunami,” the issue of suitable, late-life investments for seniors will likely be a priority for regulators and investors alike.

Regulators Aren’t the Only Risk

There is a whole raft of regulators who mandate and monitor that financial service providers are archiving their information properly—SEC, FINRA, DOL and state governments. Each has its own mechanisms to apply pressure, but the most common is to levy fines.

Some companies consider regulatory fines to be the cost of doing business. That attitude may change as the cost rises. In 2016, FINRA issued $173.8 million in fines to broker/dealers, which was an 85 percent increase over the previous year. Any cost rising that fast will create financial strain.

There is also the remote but still real risk of having a trading license revoked. That would happen for only an especially egregious offense, but it would effectively put a trader out of business. And even though regulators tend to threaten this action rather than actually revoke licenses, it still underscores the danger of not getting regulatory requirements right.

Finally, there is the client cost to consider. Clients are understandably sensitive when their own data is involved. Learning that their trusted broker/dealer failed to archive important communications and comply with security standards raises troubling questions about security overall, not to mention ethics. It’s not a surprise that clients tend to flee from brokerages that are on the wrong side of regulators. 

Consistent Compliance with Less Time and Effort

Brokers find themselves in a tricky position. Compliance is a requirement, but it’s also a workload. Abiding by expanded regulations will take more time, input, effort and oversight; said differently, maintaining the status quo will require more investment. The key is to look for evolving approaches to compliance that will satisfy regulators without overwhelming brokers and their staff. Here are some suggestions:

  • Revise Written Supervisory Procedures Regularly. Because WSPs essentially dictate every aspect of the broker-client relationship, they must incorporate any new rules related to electronic communications. Reviewing these documents and updating them as needed is recommended semiannually, but a quarterly review is ideal. Relying on a supervision interface ensures that updates are applied across client groups and to all relevant WSPs. Without this asset, it may be prohibitive or impossible to make revisions as often as required. 
  • Work with a Group of Peers. Every broker can struggle with compliance, and perfection is unattainable. This is especially true when new and unfamiliar regulations hit the books. Partnering with a regional FINRA group or another association of peers allows participants to discuss revisions and share issues, ideas and approaches. That way, an individual broker’s approach evolves in parallel with the best practices of the industry.
  • Bring in a Consultant. Financial experts are not experts in financial regulations. Bringing in a consultant ensures that brokers don’t suffer because of a lack of in-house resources or planning that takes place in a vacuum. Consultants specialize in regulatory minutiae, work with multiple brokerages and offer realistic solutions. Partnering with counsel is often essential and always an asset. 
  • Implement New Tools. Tech vendors have designed a number of tools specifically to meet the information-collection mandates placed on the financial services sector. If the old approach to compliance was already inconsistent or ineffective, it won’t accommodate new requirements. Finding a vendor who understands these pain points and can engineer solutions to accommodate them is essential.
  • Respond to the Regulators. Take advantage of the fact that regulators are eager to improve stability and security, not to act punitively. If regulators offer a warning before a fine, it can empower brokers to improve their approaches to compliance.

It’s uncertain when new regulations will hit the books or what forms they will take. What is certain, however, is that new rules are coming. European regulators recently updated requirements to include the archiving of voice. Similarly, the U.S. will make updates to adjust to the way brokers are communicating.

Regardless of the regulations that will follow, information preservation is clearly a global financial priority. It’s up to brokers and advisors how they will approach compliance and whether they will take advantage of new tools and best practices to better serve their clients and their business.

Cyber assailants targeted in important new security sweep

The skill and sophistication of attackers are often outpacing firms' ability to protect themselves

According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cybersecurity sweep, with a focus on registrants' data loss prevention, oversight of third-party service providers and incident response planning. 


And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S. financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.

In the wake of minor malware attacks just five years ago, a newer breed of cyberthreats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted "spear-phishing" attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. An example of the latter is organized crime rings that search social media sites to identify financial industry executives, such as hedge fund managers, in order to compromise their accounts.

Equally clever, criminals often create fake email accounts that are very similar to those of their targets, changing just one letter in the email address, an activity referred to as "typo-squatting."
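The one-letter lookalike addresses described above can be caught on the receiving side with a simple sender-domain check. The following is an added example, not code from the article or from any firm or vendor it quotes: it compares the domain of each inbound From: header against a constructed allowlist of counterparties, after normalizing common look-alike substitutions (such as "rn" for "m" or "1" for "l"), and flags anything within a small edit distance as a lookalike. The domain names, sample headers, and the distance threshold of 2 are all assumptions made for the example.

```python
"""Lookalike-sender triage for inbound mail (constructed example).

Flags From: domains that are a small edit away from a domain the firm
legitimately corresponds with, which is the "change one letter" pattern
used in fraudulent capital-call and wire-transfer lures.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed allowlist of counterparties; a real deployment would load this
# from the firm's vendor and client contact records.
TRUSTED_DOMAINS: set[str] = {
    "examplefund.com",
    "examplecustodian.com",
    "example-admin.com",
}

# Single-character swaps that look alike in many fonts (digit-for-letter).
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Multi-character swaps that render almost identically.
_MULTI = (("rn", "m"), ("vv", "w"))


def normalize_domain(domain: str) -> str:
    """Canonicalize a domain so homoglyph variants compare equal."""
    d = domain.lower().strip().rstrip(".").translate(_SINGLE)
    for src, dst in _MULTI:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_value: str) -> str:
    """Extract the domain from a From: header such as 'Name <user@host>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_sender(
    header_value: str,
    trusted: set[str] = TRUSTED_DOMAINS,
    max_distance: int = 2,  # assumed threshold; tune to the allowlist
) -> tuple[str, str]:
    """Return (verdict, matched_trusted_domain).

    verdict is one of: trusted, lookalike, unknown, invalid.
    """
    domain = sender_domain(header_value)
    if not domain:
        return ("invalid", "")
    if domain in trusted:
        return ("trusted", domain)
    norm = normalize_domain(domain)
    best: tuple[int, str] | None = None
    for t in trusted:
        dist = levenshtein(norm, normalize_domain(t))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    return ("lookalike", best[1]) if best else ("unknown", "")


# Constructed sample From: headers covering the cases the check must handle.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@examplefund.com>",      # exact allowlist match
    "Jane Doe <jane.doe@examplefnud.com>",      # two letters transposed
    "Jane Doe <jane.doe@exarnplefund.com>",     # "rn" standing in for "m"
    "Ops <ops@examp1ecustodian.com>",           # digit 1 standing in for l
    "Capital Call <calls@example-fund.com>",    # inserted hyphen
    "newsletter@unrelatedvendor.example",       # no relation to allowlist
    "garbage-no-at-sign",                       # malformed header
]


def triage(headers: list[str] = SAMPLE_FROM_HEADERS) -> list[tuple[str, str, str]]:
    """Run the check over a batch of headers; returns (header, verdict, match)."""
    return [(h, *check_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in triage():
        print(f"{verdict:9} {match:22} {header}")
```

A "lookalike" verdict is a triage signal for a human (or for routing the message to a quarantine folder), not proof of fraud: a legitimate but unlisted sibling domain will also land within two edits of an allowlisted one, so the allowlist has to be kept current. Wire instructions received from any address that is not "trusted" should still be confirmed out of band, regardless of what this check says.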

Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant, with wire transfers ranging anywhere from hundreds of thousands to millions of dollars irretrievably lost. 

For cryptocurrency funds, the cyber stakes may be even higher. Not only are individual criminals involved, but organizations and countries like Korea are being traced to crypto-cyber malfeasance. 


The skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. "Some simple security practices and operational precautions related to the collection and storage of personally identifiable information — a top regulatory priority — will go a long way to mitigating regulatory and even litigatory issues should a breach occur," Mr. Brice said.

Another regulatory focus area involves third-party service providers. When companies engage information technology service providers, they should review their cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data. 

"Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well," Mr. Brice explained. 

Thus, even firms that are making their best effort to minimize cyberrisk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are dealing with. For instance, cyber insurance policies rarely cover wire transfers, Mr. Brice added. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place. 

As outlined in their respective 2018 examination priorities notifications, the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. are focusing their resources on examining the quality of registrants' written cybersecurity policies and procedures. 


In February, the SEC issued guidance to encourage companies to assess the sufficiency of cybersecurity policies and procedures, in part to satisfy federal securities law disclosure obligations. One goal of the guidance is to prevent directors and other insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that information.

Vulnerability assessments and supporting penetration testing, or pen tests, are an important part of a firm's cybersecurity plan and aim to reveal security weaknesses before attackers do. The SEC allows leeway as to how firms conduct pen testing but expects registrants to engage third-party experts to assist in this process. Doing so ensures both the quality and independence of testing results.

The cybersecurity plan must be customized to each firm and encompass a holistic approach to periodically assess, remediate and test the organization. Many firms engage cyber experts and compliance professionals to develop a cybersecurity plan as part of the compliance program. 

Experienced professionals can ensure that a registrant's compliance program and cybersecurity plan address regulators' top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant's risk profile. 

Retaining experts entails upfront cost, but that cost could be far outweighed by the reputational and financial impact of a breach. Moreover, it will help firms maintain an audit-ready posture.

SEC outlines cybersecurity changes after probe of EDGAR hack

As the SEC brings to a close its review of the 2016 breach of its EDGAR filing system, the commission is proposing reforms to its cybersecurity practices and also says it is investigating whether anyone gained from illicit trading activity based on the hacked information.

In testimony submitted to the House Financial Services Committee, SEC Chairman Jay Clayton outlined changes the commission is putting in place in response to the incident. He acknowledged that the SEC is still working to get its house in order on the cyber front as it prods the firms that it oversees to take steps to shore up their own systems.

"I want to continue to work with companies and the investing public on how we should be approaching this issue," Clayton told members of the committee.



“A data breach itself is the second worst possible event that can occur in an organization; the mismanagement of the communication about the response is the worst.” This observation comes from Exabeam chief security strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare breach response in history. Moore added that the time spent on a breach, including audit, regulatory, and litigation support, can last not months but years.
I previously covered 5 ways you can prepare for a breach, which can help reduce risks. If a breach still occurs despite those precautions, however, here are eight things you should do within 48 hours to manage and contain the situation as best as you can. Regardless of the type of breach, these steps should apply—whether it involves a single device, a series of systems, or a company-wide intrusion.