Tune up your firm’s cybersecurity training program

There may have been a time when an annual employee training program on cybersecurity was enough to satisfy regulators that an advisory firm was taking the threats of hackers and other malicious actors seriously.

No longer.

The Securities and Exchange Commission has made no secret that it expects more from firms in the area of cybersecurity, identifying the issue in its recent exam priorities letters, conducting sweep exams focused on firms' cyber policies and procedures, and, most recently, announcing the establishment of a dedicated cyber unit.

TD Ameritrade recently launched a campaign to promote the message to its registered investment advisers that a strong, dynamic cybersecurity training program is an essential element of a modern practice. A key part of that effort is the notion that employee training must be ongoing, that policies to protect the firm's systems and information aren't just a set-it-and-forget-it proposition.  MORE

Tune up your firm’s cybersecurity training program

There may have been a time when an annual employee training program on cybersecurity was enough to satisfy regulators that an advisory firm was taking the threats of hackers and other malicious actors seriously.

No longer.

The Securities and Exchange Commission has made no secret that it expects more from firms in the area of cybersecurity, identifying the issue in its recent exam priorities letters, conducting sweep exams focused on firms' cyber policies and procedures, and, most recently, announcing the establishment of a dedicated cyber unit.

TD Ameritrade recently launched a campaign to promote the message to its registered investment advisers that a strong, dynamic cybersecurity training program is an essential element of a modern practice. A key part of that effort is the notion that employee training must be ongoing, that policies to protect the firm's systems and information aren't just a set-it-and-forget-it proposition.  MORE

Cybersecurity: How to satisfy regulators

NASAA Checklist

State securities regulators could put forward this year a model rule on cybersecurity, Joe Borg, Alabama securities director and president of the North American Securities Administrators Association, said in a recent interview.

If so, elements of the regulation may be drawn from NASAA’s cybersecurity checklist for investment advisers. Here are a few of the 89 items on the roster and what they might look like as provisions of a cyber rule.  MORE

SEC and States Are Upping Their Cyber Game, Are You Doing the Same?

September 2017 saw no respite from the relentless pace of cyber developments, not only from the perspective of rapidly evolving attacks, but also from the perspective of dynamic federal and state regulatory moves. In particular, on September 25, 2017, the Securities and Exchange Commission (SEC) announced a new enforcement initiative to address growing cyber-based threats and protect retail investors.1 The initiative established a Cyber Unit to target misconduct, a move that could place further pressure on broker-dealers and investment advisers already feeling the heat from an uptick in cyber-related exams and the relentless onslaught of cyber intrusion attempts. Second, a day earlier, the North American Securities Administrators Association (NASAA) announced that state securities examiners conducted over 1,200 coordinated examinations of state-registered investment advisers between January and June 2017, finding 698 cybersecurity-related deficiencies.2

Given the advancing threats and the increasing regulatory scrutiny, broker-dealers and investment advisers should consider acting with increased urgency to further prepare themselves, focusing in particular on having written cyber policies that are regularly updated to account for the latest threats. The severity and frequency of attacks are only growing, while the tolerance among regulators for failing to take sufficient preventive steps is only diminishing. Against both attackers and regulators, the best offense truly is a good defense, and regulators are strongly indicating that it is not enough to simply have a defense; but rather, that defense must also evolve to keep pace with the rapidly evolving offense. 

The SEC

What the Cyber Unit Will Do

With the creation of the Cyber Unit, the SEC is beefing up its technical expertise and demonstrating that it too will evolve and adapt as cybersecurity threats become more advanced. The agency is making it increasingly clear that it expects those it regulates to up their games as well. 

The unit will function as part of the SEC’s Enforcement Division to target misconduct along six cyber-related priority areas:

  • Market manipulation schemes involving false information spread through electronic and social media;
  • Hacking to obtain material nonpublic information;
  • Violations involving distributed ledger technology and initial coin offerings;
  • Misconduct perpetrated using the dark web;
  • Intrusions into retail brokerage accounts; and 
  • Cyber-related threats to trading platforms and other critical market infrastructure.

By examining each of these areas in depth, this Alert tries to discern the SEC’s key concerns and suggests issues that firms may want to consider addressing, before facing the SEC in an examination or in an enforcement action. 

Market Manipulation Schemes

With the spread and growing influence of “fake news” to manipulate political outcomes (and with further proof of intentional nation-state involvement in spreading such false stories),3 it is no surprise that the SEC is concerned about the use of targeted misinformation via social media to manipulate market outcomes. 

The SEC will likely be on the lookout for companies hoping to turn an illicit profit by creating or spreading known misinformation via the internet. The SEC could bring fraud cases against those who disseminate false information to manipulate the market, and aiding and abetting cases against those who negligently spread the false information. In fact, the SEC has already started. In 2015, the SEC filed securities fraud charges against a Scottish trader whose false tweets caused sharp drops in the stock prices of two companies and triggered a trading halt in one of them.4

In light of the growing prevalence of intentionally fake stories, it may be prudent for firms to have proactive policies in place that not only explicitly prohibit the dissemination of knowingly false information, but that also require some form of verification before sharing certain market-related news with clients and prospective clients. 

Hacking to Obtain Material Nonpublic Information

The SEC’s new enforcement unit will be on the lookout for hackers that infiltrate broker-dealers and investment advisors to trade on nonpublic information or try to manipulate the market, something from which even the SEC is not immune.5 While firms are victims of a cyberattack, the SEC may nonetheless bring “strict liability” enforcement actions against them if they had deficient proactive policies or procedures in place. While not a market manipulation case per se, in September 2015 the SEC brought an enforcement action against an investment adviser that had been breached, compromising the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients (although there was no evidence that any of the information was used).6 The SEC alleged that the firm violated the “Safeguards Rule” over a four-year span by failing to adopt written policies and procedures to ensure security of 100,000 individuals’ personally identifiable information. The “Safeguards Rule” in Rule 30(a) of Regulation S-P requires certain policies and procedures for financial institutions to put into place to ensure confidentiality of their client’s information.7 Similarly, in April 2016, the SEC brought an action against a dually registered broker-dealer/investment adviser that had an employee impermissibly access and transfer data regarding approximately 730,000 accounts to his personal server, which was ultimately hacked by third parties.8 The SEC alleged that the firm failed to adopt written policies and procedures reasonably designed to ensure the security of customer records and information.

Accordingly, to try to avoid future enforcement actions, broker-dealers and investment advisors may want to focus on establishing and implementing written, proactive cybersecurity policies that are regularly updated to account for the latest hacker tactics and techniques. Cyber is a dynamic, if not volatile, environment—the best laid plans of last year may not mean much this year.

Violations Involving Distributed Ledger Technology and Initial Coin Offerings

The SEC is signaling that it will not allow distributed ledger technology (DLT) or cryptocurrency to be used in a way that evades regulations, results in market manipulation, or is used to perpetrate frauds on investors. Unlike China, which has outright banned cryptocurrency—a move that has further a black market of cryptocurrency trading9—the SEC is indicating more of a desire to focus on regulating it. 

On September 29, for example, the SEC brought its first enforcement action involving two Initial Coin Offerings (ICOs) for “defrauding investors” by selling these “unregistered securities” purportedly backed by investments in real estate and diamonds.10  

At this juncture, however, it remains unclear whether the SEC will mandate that all or some ICOs be registered as securities.

Misconduct Perpetrated Using the Dark Web

As part of its effort to keep up with the rapidly evolving techniques to engage in insider training and market manipulation, the SEC is now putting potential bad actors on notice that it will be shining the light on the so-called dark web, where bad actors have traditionally gone to anonymously buy and sell improperly obtained information and tools to conduct nefarious cyber activity. Therefore, if firms are not periodically—either themselves or through third parties—monitoring the dark web for stolen firm information that could impact their business or clients, it is possible that the SEC may focus on that failure. 

Intrusions Into Retail Brokerage Accounts

The SEC is also calling out the practice of hacking retail brokerage accounts to manipulate markets. By making certain trades, the hacker can try to inflate the prices of holdings that he or she possesses or decrease prices to facilitate successful short selling. In 2016, the SEC charged a man from the UK with breaking into numerous accounts and placing unauthorized trades, ultimately leading to profits within minutes of trading the same stocks within his own account.11 While the broker-dealer was not charged in that case, it is possible that in future cases, the SEC could charge the firm for allowing the hack to take place. 

In another case, a dually registered broker-dealer/investment adviser had experienced a series of computer system security breaches in which an unauthorized person or persons had accessed and traded, or attempted to trade, customer accounts.12 The SEC alleged that the firm had failed to implement increased security measures and adopt policies and procedures reasonably designed to safeguard customer information as required by Regulation S-P. Thus, broker-dealers and investment advisers may want to consider assessing what the scope of their data is and adopt procedures to attempt to prevent intrusions, and to respond to an intrusion if one takes place.  MORE

Massive spike in deficiencies at smaller RIAs

SEATTLE — Deficiencies found by regulators during their examinations of state-registered RIAs jumped nearly 60% to 7,907 in the first half of the year, and agencies are signaling plans to make advisors accountable for shortcomings in cybersecurity, officials say.

While recordkeeping is the most frequently cited concern among RIAs with $100 million in assets under management or less, the new category of cybersecurity helped drive the growth in deficiencies, according to a survey released this week by the North American Securities Administrators Association.

State securities regulators examined 25 compliance areas, up from 22 in the last study by NASAA in 2015. State-registered RIAs that year showed only 4,983 deficiencies over six months. Regulators at the state level echoed SEC officials’ warnings about cybersecurity and their bulked-up exam capacity.

“Training and technology have combined to enable state examiners to conduct more examinations and better detect deficiencies,” NASAA Investment Adviser Section chairwoman Andrea Seidt said in a statement released at the group’s conference.  MORE

SEC Sharpens Cybersecurity, Boosts RIA Exams

The SEC has sharpened its focus on cybersecurity in recent days, with its chairman Jay Clayton releasing a statement identifying it as a priority, and announcing by the creation of a cyber unit that will focus on targeting cyber-related misconduct. Additionally, the watchdog will also focus on the fiduciary rule and boost its RIA examination capacity, Clayton has told lawmakers.  MORE

Top 10 companies that phishing attackers impersonated in the first six months of 2017:

Phishing attacks are on the rise, and show no signs of slowing down: Nearly 1.4 million new, unique phishing sites are created each month, according to the Webroot Quarterly Threat Trends Report, released Thursday. In May, this figure reached a high of 2.3 million sites created, the report found.

Today's phishing attacks are highly targeted, sophisticated, and difficult to detect, making them increasingly hard to avoid. The phishing sites being built each day appear to be realistic, and are almost impossible to find using web crawlers, the report stated. And instead of randomly targeting large groups of people, hackers now use social engineering to individualize attacks.

Here are the top 10 companies that phishing attackers impersonated in the first six months of 2017:

1. Google (35%)

2. Chase (15%)

3. Dropbox (13%)

4. PayPal (10%)

5. Facebook (7%)

6. Apple (6%)

7. Yahoo (4%)

8. Wells Fargo (4%)

9. Citi (3%)

10. Adobe (3%)

Users should be wary if they receive an email that appears to be from any of these sources that asks them to click on a link or download a file.  MORE

Cybersecurity Must Be C-Suite Concern at RIAs, Brokers and Managers

Recently, the Securities and Exchange Commission (SEC) issued a risk alert urging broker/dealers, registered investment advisers (RIAs) and investment fund companies to take direct steps to improve their cybersecurity policies and practices.

According to Marlon Paz, partner at Seward & Kissel LLP and former compliance staffer at the SEC, this risk alert was a long time coming, and the themes it presents actually occupied much of his own work at the regulator from 2004 to 2010. The big upshot of the risk alert is that, following case study reviews of some 75 investment management firms, the SEC’s Office of Compliance Inspections and Examinations (OCIE) feels that most broker/dealers, investment advisers and funds have at least one potentially serious cybersecurity issue to be addressed—likely more. 

“This is a very well written and informative risk alert,” Paz says, encouraging all investment industry practitioners to read it carefully. “The SEC has made it clear that they will continue to examine and test for cybersecurity compliance procedures and controls, and will not shy away from potential enforcement actions for those who are not compliant.”

Given his former time at the SEC, Paz offered up some inside baseball analysis of what the SEC is signaling in the text and between the lines of its risk alert publications. 

“One of the clearest messages I am getting is that the SEC is actually fairly pleased that more and more firms are drafting and adopting well-crafted policies and procedures in this area,” Paz says. “However the SEC also is warning that there is clear evidence that the policies and procedures are not always being followed as closely as the regulator would like. Protecting client information and assets is becoming a major focus for SEC examinations. That is the message.”

Paz reminds readers that there are very specific and exacting requirements to be followed in this area, enforced under various statues and the Employee Retirement Income Security Act (ERISA). 

The “SEC has put the industry on notice and offered specific guidance with this risk alert, so we should all expect the next round of examinations and enforcement actions to use the requirements here laid out as a baseline for future compliance,” Paz says. “In other words, there really is not any more time to wait to improve your practices, because the SEC is seemingly done with having leniency in this area. Here is the SEC telling us in clear terms what they expect, so we should listen.”  MORE

8 things to give your clients after Equifax's data breach

From Dave Sather, Sather Financial.

Last week, we were informed 143 million Americans had key identifying information stolen through credit reporting company Equifax.

Equifax responded by saying they will offer a one-year "credit monitoring" service and then tried to upsell their premium service.  Being as they are the ones responsible for the breach in the first place, this does not reassure. 

Furthermore, one year of monitoring is completely random. Suppose thieves only want my information for the next year and then will promise to never use it again? Ridiculous.

Given this, what to do?

1. Religiously read and scrutinize your bank and credit card statements every month. If you see something that does not look right, contact the institution immediately. They will generally suspend the payment of the suspicious transaction pending a more thorough investigation. If you have moved to all-online access (no monthly hard-copy statement), make sure you are thorough in reviewing transactions on a regular basis. 

2. Use credit cards instead of debit cards. If someone has hacked into your world, a credit card offers a grace period in which you can review your statement before payment is due. However, if someone hacks into the debit card, the burden falls more on your shoulders. If you have payments auto-drafting from your bank account, this can easily send you into a cascading problem of overdrafts. If this happens, it is a pain to fix. 

3. Once you have determined a fraud has occurred, put an alert in your credit report and send a copy of the ID theft report (consumer.ftc.gov/articles/pdf-0094-identity-theft-affidavit.pdf) to all the credit reporting companies. Although this may sound like closing the barn door after the horses are out, you want proper documentation that you have reported this and are working with the authorities. 

4. Monitor credit reports closely. Not only can these reports have errors that can hinder your ability to get credit, but it's a good habit to be in to see what accounts have been opened in your name. This service is available for free on an annual basis by going to: annualcreditreport.com/index.action. 

5. Evaluate a credit freeze. This offers the most serious level of protection, in our opinion. It literally freezes the ability for anyone, including you, to open new credit of any kind in your name or Social Security number. Although it works very well, it can also be a bit of a burden to undo. Allow yourself at least a week to lift a credit freeze once you have submitted the necessary information. This is important to consider if you plan on financing a new car or applying for a mortgage. 

It is also important to understand that a credit freeze does not stop someone from accessing an existing credit card and using it. As such, a second reminder to review your credit and debit statements religiously!

6. Contact the police and Federal Trade Commission. Although cybercrime may not involve a gun and masked robber, it is still a crime. To get needed protection, contact the local police and the FTC to obtain their official reports. These reports must go in your credit files. Not only does this help law enforcement track and catch criminals, but it is necessary for your protection, too.

7. Change passwords and be careful of where you access Wi-Fi. If there has been a breach, determine what accounts are affected. Immediately change those passwords. Furthermore, reduce vulnerability to someone stealing passwords by not using public Wi-Fi. Public Wi-Fi allows keystrokes to be more easily monitored, allowing information to be stolen. 

8. Contact the Social Security fraud hotline (oig.ssa.gov/report-fraud-waste-or-abuse). In some cases, we have seen clients who have had their Social Security numbers used for fraudulent purposes. Depending on the level of severity, they not only had to not only prove their innocence but then apply for a new Social Security number. 

We have only seen the tip of the iceberg relative to the Equifax debacle. As such, be proactive and remain vigilant to prevent being a victim.

Disco, Sex And The Cybersecurity Nightmare

SEPTEMBER 1, 2017 • MARK HURLEY

Remember “Disco Inferno” and “The Hustle” and the “anything goes” promiscuous lifestyle of the late ’70s? All of that did not end very well, as the world learned that all behaviors are accompanied by their own set of—potentially very bad—consequences.

This good general rule of life somehow was forgotten in the Internet Age. Suddenly, we were in a “New Economy.” Everyone was going to be connected and share information—an electronic “anything goes” era in which convenience and access were far more important than safety. If you think about it, there are probably more than a few eerie parallels between the way people have approached using the internet over the last 25 years and how they thought about sex in the late ’70s.

But the recent WannaCry ransomware attack (which briefly shut down millions of computers around the world), along with the hacking of political campaigns, government agencies and Fortune 500 companies, is probably only a sniffle compared with what is to come. Someday, hackers will release an unstoppable computer virus or malware. And the only real protection will be responsible behavior.

Internet theft is now a very big business—in many cases, it’s done by government-funded and operated businesses. The stereotypical hacker is no longer an overweight, personality-challenged geek living in his mother’s basement. In fact, hackers, virus makers and other cyberterrorists in countries such as China and Russia openly work in large office buildings as part of organizations designed to steal money or spread mayhem.

Unfortunately—and this is particularly surprising to anyone who follows this industry—very few wealth managers seem to recognize the magnitude of this threat to their livelihoods. Their firms are particularly attractive targets for bad guys because their clients’ non-public personal information (Social Security numbers, account info, etc.) is regularly sold in aftermarkets (known as “darknets”) to organizations that use it to loot bank and brokerage accounts, steal credit cards and tax refunds.

Typical wealth management firm clients have substantial amounts of liquid assets and robust credit, so their data can be sold for a high price—in fact, on the dark web they are referred to as “whales.”

The wealth management landscape is littered with firms—including some of its largest and most sophisticated—that have already been hit. The CEO of one multibillion-dollar firm recently clicked on a link in an e-mail and all of his clients’ e-mail addresses were exported. Another big firm discovered that hackers seeking client information were sending e-mails appearing to be from people inside the firm. MORE

Financial Firms’ Worst Mistakes With Cybersecurity

Law360, New York (August 21, 2017, 10:55 PM EDT) -- Although the U.S. Securities and Exchange Commission said earlier this month that broker-dealers, investment advisers and funds have improved their “cybersecurity preparedness” in recent years, it found a majority of firms still had issues. 
The findings came in an Aug. 7 risk alert released by the SEC’s National Exam Program detailing observations from its exams of registered firms, and were mirrored in survey results released last week by Cipperman Compliance Services.

Cipperman found that 57 percent of surveyed alternative managers — a category that includes hedge fund and private equity fund managers — felt their cybersecurity policies didn’t meet regulatory requirements.

While broker-dealers were more certain their policies passed muster, they were less sure about their programs overall, with 64 percent saying they weren’t confident in their respective firms’ cybersecurity.

John Araneo, managing director and general counsel of Align Cybersecurity, said he’s seen many investment advisers and broker-dealers who wait to “jump into the cybersecurity pool” out of fear they’ll immediately find deficiencies.

“When you approach cybersecurity, there’s an apprehension that, ‘I almost don’t want to open the door because I don’t want to see what’s in the closet,’” Araneo said. “That’s very shortsighted, and it’s only going to get you into trouble.”

Seward & Kissel LLP partner Marlon Q. Paz, who previously served in the SEC’s Division of Trading and Markets, said financial firms face particular risks that make cybersecurity especially important. While data breaches or incidents in other sectors like retail can lead to financial losses if customers’ credit card information is stolen, hackers that breach a broker-dealer or investment adviser get direct access to client assets, he said.

“The issue of safeguarding and protecting other people’s money is paramount,” Paz said. “That’s not the same in other industries.”

With that in mind, here are some of the biggest mistakes firms in the financial industry make with cybersecurity.

Their Systems Aren’t Tailored

The failure to reasonably tailor cybersecurity policies and procedures topped the list of issues the SEC identified in its latest sweep, and experts said they’ve noticed just such ill-fitting practices at many broker-dealers and investment advisers.

Among other things, agency staff said they observed policies that gave only general guidance, were narrow in scope, or gave confusing instructions, including policies governing remote customer access to accounts that contradicted instructions for investor fund transfers.

The alert illustrates that firms can’t just buy a cookie-cutter cybersecurity program off the shelf, Paz said, as untailored policies will not protect firms from their particular risks.

“I feel like there’s too many snake oil salesmen, just saying, ‘Here, I’ve got a nifty policy that’s been reviewed and vetted by the SEC,’” Paz said. “That doesn’t matter a bit — it’s got to be tailored for that business.”

Araneo said the risk alert also illustrates that the “devil was in the details,” as the SEC faulted firms both for failing to customize their programs and for failing to follow through on cybersecurity plans. The agency noted, for example, that some firms that required annual customer protection reviews conducted them less frequently, while others that required ongoing reviews to see if additional security protocols were needed performed those reviews “only annually, or not at all.”

“It can’t be a one-stop, buy this policy, buy this technology, hire this person and stop there — this really is an exercise that needs to cascade through the entire enterprise and involve different employees or at least different functions,” Araneo said.

To design policies that are adequately tailored to fit the firm, experts said, broker-dealers and investment advisers need to perform a deep risk assessment to identify exactly what the procedures must address.

An assessment will help a firm focus its limited resources and personnel, so that written procedures are followed in practice, said Mayer Brown LLP partner Jeffrey P. Taft. But the assessment has to focus on the firm itself and its unique systems, customer base and other potential risks.

“Taking someone else’s risk assessment or looking at the risks applicable to other companies doesn’t do you much good,” Taft said.

Their Plans Are Too Long

In addition to broader cybersecurity policies, experts said firms need incident response plans with instructions on how to deal with an unauthorized intrusion — but the SEC said more than one-third of examined investment advisers and funds didn’t have such plans.

“We’ve seen many organizations that have been caught flat-footed, don’t have a plan, and when an incident happens they don’t know what to do,” said Robert Prucnal, the president of Cipperman Compliance Services.

Of plans firms have implemented, many are too long to be of use in a critical situation when employees need to know exactly who is in charge of what part of the response, Stroz Friedberg Managing Director Chad M. Pinson said in a panel discussing cybersecurity at the SEC’s National Compliance Outreach Program for Broker-Dealers in July.

“All the IR plans I see look like a Stephen King novel where they were being paid by the word to write them,” Pinson said. “You cannot use those things in an emergency, they are completely unusable.”

Instead, firms need to draft simple plans that delineate which employees are responsible for which aspects of the response, and update the plan regularly to ensure details like contact information are accurate, said Erik Rasmussen, North American cyber practice leader for the cybersecurity and investigations practice at risk consulting firm Kroll.

They also need to define clearly when the response plan will be invoked. Triggering the plan in too many scenarios, Rasmussen said, could create “noise” and make it harder to respond efficiently to a larger crisis.

And while there’s no such thing as a perfect plan, Rasmussen said, firms can get closer by practicing incident responses regularly to simulate the real conditions of a breach or other attack.

“Everybody has a plan until they get punched in the face,” Rasmussen said.

Their Vendors Aren’t Vetted

As firms identify the weaknesses and vulnerabilities their cybersecurity policies need to address, experts said one area many overlook is the risk that lies outside their doors, with third-party vendors and service providers.

“A lot of investment firms, a lot of Wall Street firms, spend time on their own systems, but then give access to third-party providers who create vulnerabilities,” Paz said.

Paz noted that vendors and service providers like document review teams, outside counsel and consultants often have extensive access to their clients’ systems and the information therein. If an employee at a provider leaves their laptop on an Amtrak train, Paz said, whoever picks up that computer can then get full access to the firm they were advising.

Indeed, many hacks and breaches have occurred because a vendor providing some kind of access to another firm was hacked, Taft said.

“It’s imperative that companies do something with respect to those weak links,” he said.

The issue is especially important because broker-dealers and fund managers have legal and regulatory obligations to protect the types of client data frequently stored at outside service providers, Araneo said.

To safeguard that information, firms need to reach out to vendors to ensure they have standards in place that meet expectations — a conversation Araneo said has thankfully become easier in recent years.

“The industry as a whole and the vendor community now understand what the advisers and the broker-dealers are asking, so they’re sort of getting their own cybersecurity controls in a language that people can share,” Araneo said. “That part of vendor management has been made a lot easier to accomplish.”

Their Employees Aren’t Trained

Even if firms have secured and protected access points from all their third-party vendors, experts said they’ll still be vulnerable if their employees are clicking on every suspicious-looking message that lands their inbox.

“Employees are human, and as long as employees are human they’re going to make mistakes,” Taft said. “Clicking on links that they shouldn’t click on, sending money or responding to emails that they shouldn’t respond to.”

Araneo noted that the “human element” is typically the weakest link in an organization’s cybersecurity, especially in investment firms where regulatory transparency requirements can facilitate hackers. For example, Araneo said, the Form ADV filed by investment advisers with the SEC contains much of the information needed to begin a phishing campaign.

With the addition of social media, Araneo said, would-be hackers can use LinkedIn or Facebook to identify targets or discern when points in an organization might be vulnerable, for example if key employees are on vacation. Together, that information allows hackers to manipulate a firm’s employees with tailored phishing campaigns.

“We’ve seen a high sophistication and effective rate of those types of attacks,” Araneo said.

As part of that training, Rasmussen said, firms should be making security “run through the fabric of the company,” so that cybersecurity becomes an everyday thing and employees know they have an important role to play in keeping their company secure.

“It can be very daunting to people, or [they can be] very dismissive because they look at it as an inconvenience rather than a part of their daily routine,” Rasmussen said.

At the same time, Paz said, firms can’t focus on lower-level employees to the exclusion of the C-suite. He said that while the high tech aspects of cybersecurity are often handled by younger staff, executives need to also be aware of and trained in cybersecurity issues to set the right tone at the top.

“They need to give it high importance, if for no reason than the fact that their entire business could perish as a result,” Paz said.  MORE
 

SEC chief says cyber crime risks are substantial, systemic

NEW YORK (Reuters) - Regulators must do more to help mom-and-pop investors better understand the potential risks posed by cyber crime and new technologies used to commit fraud, U.S. Securities and Exchange Commission Chairman Jay Clayton said on Tuesday. 

Clayton, who was appointed to the commission earlier this year, said cyber security would be one of the top enforcement issues during his tenure at the head of Wall Street’s main regulator. 

“I am not comfortable that the American investing public understands the substantial risks that we face systemically from cyber issues,” he said during a panel discussion at New York University. “I’d like to see better disclosure around that.” 

One concern for the SEC relates to a rise in cases of information being stolen by hackers to gain some sort of market advantage, said Stephanie Avakian, co-director of the SEC’s enforcement division, who joined Clayton on the panel along with co-Director Steven Peikin. 

Other areas of focus include ensuring financial firms take the appropriate steps to safeguard sensitive information; cyber-related disclosure failures; and the growing prevalence of “initial coin offerings (ICOs),” Avakian said.  MORE

An Emerging Patchwork Of Cybersecurity Rules

With the recent adoption of cybersecurity regulations governing broker-dealers (BDs) and investment advisers (IAs) registered in Colorado and Vermont, the landscape of cybersecurity regulation continues to evolve in significant ways. For those businesses not yet covered by cyber regulations, these latest moves indicate that the day of reckoning may be coming, with both federal and state regulators actively expanding their reach.

Moreover, these latest regulations may further contribute to an emerging “cybersecurity standard of care,” leaving those who lag behind best practices more vulnerable before the courts. Finally, this emerging regulatory patchwork increasingly threatens to lead to inconsistent standards — although an important thread of consistency (or regulatory convergence) exists.

The Colorado and Vermont Rules

The Colorado[1] and Vermont[2] rules — applicable to BDs and IAs registered in those states (and certain other “securities professionals” in Vermont) — are very similar, which is both fortunate for the financial services industry and the product of an emerging regulatory consensus on the core elements of a sound or “reasonable” cybersecurity strategy.

Under the rules adopted by the Colorado Division of Securities and the Vermont Department of Financial Regulation, BDs and IAs subject to the rules are required to “establish and maintain written procedures reasonably designed to ensure cybersecurity.” The Colorado rules include an additional requirement to specifically protect confidential personal information, which is defined to include a person’s first name or first initial and last name in combination with at least one of the following data elements:

  •   Social Security number;

  •   Driver’s license number or identification card number;

  •   Account number or credit or debit card number, in combination with any required security code, access code, security questions or other authentication information that would permit access to an online account; Individual’s digitized or other electronic signature; or

  •   User name, unique identifier or electronic mail address in combination with a password, access code, security questions or other authentication information that would permit access to an online account.

    In determining the reasonableness of cybersecurity procedures, the Colorado and Vermont rules do not mandate specific practices as much as the New York rules do, but they do clarify that the following factors will be considered:

  •   The firm’s size;

  •   The firm’s relationships with third parties;

  •   The firm’s policies, procedures and training of employees with regard to cybersecurity practices;

  •   Authentication practices;

  •   The firm’s use of electronic communications;

  •   The automatic locking of electronic devices; and

  •   The firm’s process for reporting lost or stolen devices.

    Further, to the extent “reasonably possible,” the rules require cybersecurity procedures to provide for the following:

  •   An annual assessment by the firm or an agent of the firm of potential cybersecurity risks and vulnerabilities;

  •   The use of secure email, including the use of encryption and digital signatures;

  •   Authentication practices for employee access to electronic communications, databases and

    media;

  •   Procedures for authenticating client instructions received via electronic communication; and

  •   Disclosure to clients of the risks of using electronic communications.

    Comparison to New York’s Regulation

    As with the Colorado and Vermont rules, the New York Department of Financial Services cyber regulation (NYDFS rule), which has its first compliance deadline later this month, embraces a risk- and principles-based approach to cybersecurity; however, it also mandates certain specific practices.[3] For example, the NYDFS rule requires firms to conduct annual penetration testing and biannual vulnerability

assessments, and also insists on multifactor authentication (MFA) and encryption of certain nonpublic information. By contrast, the Colorado and Vermont rules simply require BDs and IAs to implement “reasonable” cybersecurity policies which could include the use of MFA and encryption.

It is possible that compliance with the NYDFS rule may satisfy the Colorado and Vermont requirements, but the reverse may not be true.

Another key difference between the NYDFS rule and the Colorado and Vermont rules concerns the entities subject to each rule. Whereas the Colorado rules apply generally to Colorado-registered BDs and IAs, and the Vermont rules apply only to Vermont-registered “securities professionals,” the NYDFS rule applies to a different assortment of businesses, covering insurance companies, insurance agencies and producers, banks and certain other “covered entities” regulated by NYDFS,[4] and also mandates that those covered entities implement written policies and procedures to ensure the security of information systems and nonpublic information that are “accessible to, or held by, Third Party Service Providers.”

Comparison with Federal Regulations

For those companies which the U.S. Securities and Exchange Commission regulates, Colorado's and Vermont’s rules, unlike New York’s specific mandates, likely do not represent a major change in cybersecurity programs.

As a practical matter, SEC regulation S-P, for example, requires SEC-regulated broker-dealers, investment companies and investment advisers to adopt reasonably designed written policies and procedures to safeguard customer records and information. SEC staff guidance issued in April 2015 recommends that investment advisers conduct “periodic” cybersecurity risk assessments and develop and maintain written policies to prevent, detect and respond to cybersecurity threats.[5] In addition, an SEC risk alert issued in August 2017 also reiterates that “cybersecurity remains one of the top compliance risks for financial firms,” and that the SEC will continue to focus on the prevention of cyberattacks.[6] The most recent risk alert also highlights certain firm best practices, including:

  •   Maintenance of an inventory of data, information and vendors;

  •   Detailed cybersecurity-related instructions;

  •   Maintenance of prescriptive schedules and processes for testing data integrity and vulnerabilities;

  •   Established and enforced controls to access data and systems;

  •   Mandatory employee training; and

  •   An engaged senior management.

    Additionally, the Colorado and Vermont rules align with Federal Trade Commission guidance regarding what constitutes “reasonable security” designed to protect personal information.

    That said, BD and IA firms doing business in Colorado and Vermont could nonetheless be faced with investigations and enforcement actions involving the adequacy of their cybersecurity procedures. This

increased risk may put a premium on documenting and explaining risk-based, proactive cybersecurity decisions in a way that will prove compelling to federal and state regulators.

Impact on Litigation

With Colorado and Vermont joining the chorus of regulators calling for “reasonable” cybersecurity programs, it is also increasingly likely that courts will look to regulatory standards to help determine the applicable standard of care in data breach cases. Falling behind in those standards — even if cybersecurity regulations do not directly apply to a particular company yet — may increase litigation risk.

On the other hand, keeping in good standing with the regulators may help fend off civil litigation. This benefit also could extend to senior management in their individual capacity, as scrutiny over the actions of officers and directors appears poised to increase.

Key Takeaways

With the adoption of cybersecurity regulations in Colorado and Vermont, the trend towards increasing cybersecurity regulation continues to pick up momentum. Even those firms not yet covered by cyber regulations may soon find themselves bound to certain minimum standards as a result of being a third- party provider for covered entities, or in order to keep pace with what may very well be an emerging standard of care. There are consistent elements across the varying cyber regulations, which largely accord with best practices for protecting against and mitigating the impacts of cyberattacks. However, compliance with one set of rules does not necessarily mean compliance with all sets of rules. 

10 tips for reducing insider security threats

Insider threats can pose greater risks to company data than those associated with external attacks. Here are some techniques to help you spot and mitigate them as quickly as possible.

A report recently released by the Institute for Critical Infrastructure Technology pointed out that most cybersecurity incidents (both intentional and accidental) are the result of some action by insiders.

Earlier this year, I covered some ways to reduce insider security risks. As a follow up, I want to look at further strategies which can assist system administrators in quickly detecting and reducing the threat of insider risk — a critical requirement given the fact some insider security breaches can go undetected for weeks, months or years.

Here are 10 more tips to reduce insider threats:

1. Establish a security incident and response team 

Even if it consists of one individual, a dedicated team is essential to security success. This team should be responsible for preventing, detecting and handling incidents and have documented plans and procedures for each. Provide them as well as general IT staff with security training to keep up on the latest tactics and threats is also a key factor in identifying insider threats as quickly as possible.

2. Use temporary accounts

Set up third-party employees such as contractors or interns with temporary accounts  MORE

The Good and the Bad from OCIE’s Cyber Examinations and What Firms Should Do Next

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) released a National Examination Program Risk Alert (Risk Alert) on August 7, 2017 regarding observations from its cybersecurity-related examinations of 75 registered broker-dealers, investment advisers and investment companies (collectively, Firms).1 This OnPointdetails the National Examination Program Staff’s (Staff’s) positive and negative findings from OCIE’s 2015 Cybersecurity Examination Initiative (Cybersecurity 2 Initiative) and summarizes the elements that the Staff identified as hallmarks of “robust” policies and procedures. 

The Staff’s examinations, conducted in connection with the Cybersecurity 2 Initiative, focused on Firms’ written policies and procedures regarding cybersecurity, and specifically drilled down on the six areas of focus that OCIE had identified in its September 15, 2015 Risk Alert regarding cybersecurity:2

  • Governance and risk assessment;
  • Access rights and controls;
  • Data loss prevention;
  • Vendor management;
  • Training; and
  • Incident response.

The Staff conducted the examinations between September 2015 and June 2016 and, during that time, it examined a “different population” of Firms from those that it had examined in connection with its 2014 cybersecurity initiative (Cybersecurity 1 Initiative).3

Although the Staff found that Firms’ cybersecurity preparedness had generally improved in the time since it conducted the Cybersecurity 1 Initiative, the Staff made clear that there were still several areas in which Firms could improve their cybersecurity-related controls. The Staff also identified for Firms what it believes to be “elements of robust policies and procedures” regarding cybersecurity.

The Staff’s Positive Observations from the Cybersecurity 2 Initiative

The good news was that the Staff noted “an overall improvement in [F]irms’ awareness of cyber-related risks and the implementation of certain cybersecurity practices since the Cybersecurity 1 Initiative.” The Staff explained that, “[m]ost notably, all broker-dealers, all funds, and nearly all advisers” had written policies and procedures regarding cybersecurity and the protection of customer records and information. For example, “nearly all” Firms had policies and procedures that addressed regular system maintenance, cyber-related business continuity planning, and the SEC’s Regulation S-P (Reg. S-P) and Regulation S-ID. Most Firms also “maintained cybersecurity organizational charts” and detailed the cybersecurity roles and responsibilities of Firm employees. In addition, “nearly all” Firms had plans in place that addressed incidents related to unauthorized access, and the “vast majority” of Firms had such plans for denials of service and unauthorized intrusions.

With respect to third-party service providers, the Staff found that “almost all” Firms either conducted their own risk assessments of vendors or required those vendors to provide their security reviews and certifications to the Firm. In addition, over half of the Firms examined required that their vendors update their risk assessment responses at least annually. These findings were particularly encouraging in light of the fact that, in the Cybersecurity 1 Initiative, the Staff reported that 84% of broker-dealers and a much lower percentage of investment advisers required cybersecurity risk assessments of such vendors with access to their Firms’ networks.

From a technical standpoint, the Staff reported that “nearly all” broker-dealers and the vast majority of investment advisers and funds periodically conducted risk assessments of their critical systems, and that all Firms had a tool or system in place to monitor data losses involving personally identifiable information. In addition, “nearly all” broker-dealers conducted penetration tests and vulnerability scans on their critical systems; however, less than half of advisers and funds did so, and a number of Firms did not “fully remediate” “high risk observations” identified via those tests and scans. Similarly, although the Staff explained that “all broker-dealers and nearly all advisers and funds” conducted regular maintenance on their systems and installed software patches to address vulnerabilities, a few Firms failed to install patches that included critical security updates. The Staff also identified these shortcomings related to the remediation of known vulnerabilities as “issues” in the Risk Alert.

Issues Observed During the Cybersecurity 2 Initiative 

But these positive findings were not all the Staff found: the Staff also identified issues that Firms should work on resolving as they seek to “assess and improve” their cybersecurity programs. The Staff explained that the majority of Firms’ written policies and procedures “appeared to have issues.” The Staff noted that some policies and procedures were “vague,” provided “only general guidance” and were “not reasonably tailored” to suit the Firms’ needs. They reported that some Firms did not actually enforce their policies and procedures, and that in some cases the policies and procedures depicted by Firms did not accurately describe their actual practices. For example, certain written policies might require annual “customer protection” reviews or the completion by employees of cybersecurity training, but, in practice, reviews were conducted either less frequently than annually or employee trainings did not occur at all. Furthermore, the Staff observed issues related to Reg. S-P violations, noting specifically that certain Firms did not properly conduct system maintenance because they failed to install security patches, timely update their operating systems or fully remediate high-risk findings they had identified when conducting penetration tests and vulnerability scans on their systems.

Best Practices Identified During the Cybersecurity 2 Initiative

The Staff identified certain elements that were included in certain Firms’ “robust” policies and procedures and that serve as examples of best practices for Firms to consider. The elements of these robust policies and procedures included:

  • Maintaining a complete “inventory of data, information and vendors;”
  • Delineating “detailed cybersecurity-related instructions” – for example, with respect to “access rights,” this could include tracking requests for access and having policies and procedures specific to the modification of certain access rights (such as when a new employee comes on board, a position is terminated or an employee’s role changes);
  • Maintaining “prescriptive schedules and processes for testing data integrity and vulnerabilities,” such as by testing a patch before deploying it Firm-wide and analyzing the risks related to and the effectiveness of the patch; 
  • Establishing and enforcing “controls to access data and systems,” through, for example, acceptable use policies and policies that require third-party vendors to log their network activities;
  • Requiring mandatory employee training at the time of hire and on a periodic basis thereafter; and
  • The vetting and approval of the cybersecurity policies and procedures by senior management.

The Staff encouraged Firms to review the enforcement actions brought against Firms for violations of the Safeguards Rule of Reg. S-P as an additional source for guidance regarding the Staff’s expectations.4

Takeaways from Staff’s Findings of Firms “At Risk” Regarding Cyber-Readiness

Despite the observed overall improvement in Firms’ awareness of cyber-related risks, the Staff’s findings demonstrate that a number of Firms have some way to go in order to achieve cyber-readiness. The specific shortcomings that the Staff identified involve elements that should be considered basic components of an effective cybersecurity program, meaning that the absence of those components in Firms’ policies and procedures may expose those Firms to increased cybersecurity risks.

For example, when a Firm’s policies and procedures are “not reasonably tailored” or a Firm relies on “form-of” policies, the Firm runs a risk of having a shell policy that provides little direction and does not encourage those responsible for the policy to effectively protect the Firm’s customer information or systems. Similarly, a Firm’s failure to “say what you do and do what you say” increases the likelihood that a policy exists only on paper, which can lead a Firm to take ad hoc approaches to cyber threats that are both inconsistent and ineffective, and can also lead a Firm to violate its compliance policies and procedures. 

As recent hacks have reminded companies, the failure to remedy and patch known system vulnerabilities may make a Firm a “sitting duck” target for hackers who seek to exploit those vulnerabilities, exposing customer information to theft and leaving the affected Firm without an argument that it could not have reasonably prevented the breach. In these situations, an affected Firm may be exposed not only to increased cybersecurity risks but also to regulatory risks, given the Staff’s expectation that registrants have in place and actually implement tailored cybersecurity policies that adequately protect their systems.

Conclusion

The improvements Firms have made since the Cybersecurity 1 Initiative are important and have not gone unnoticed by SEC Staff. Nevertheless, the “issues” and shortcomings identified by the Staff in the Cybersecurity 2 Initiative should not be taken lightly, as the deficiencies identified amount to key components of a basic cybersecurity program. 

All Firms – even those who have done so recently – should take a careful look at the written policies and procedures they have in place, and at how they implement their cyber controls in practice, to ensure that they do in fact have a tailored cybersecurity program that is actually implemented and works effectively to remediate known vulnerabilities and threats. Once a Firm is comfortable that it has those basic elements in place, it should look for ways in which it can further improve its processes and controls related to cybersecurity and, at the Staff’s suggestion, should use the examples of “robust” controls and findings from the Staff enforcement actions under Reg. S-P as a guide. The Staff’s summary shows that many Firms have more work to do in this space and that the Staff remains focused on what it has described as “one of the top compliance risks for financial [F]irms.” MORE

SEC Cybersecurity Risk Alert Emphasizes Proactive Compliance and Ongoing Vigilance

On August 7, 2017, the Securities and Exchange Commission (SEC) released its latest cybersecurity risk alert, detailing findings from the examination of 75 broker-dealers, investment advisers and investment companies carried out by its Office of Compliance Inspections and Examinations (OCIE) pursuant to its 2015 cybersecurity examination initiative. In contrast with the previous round of examinations, the Cybersecurity 2 Initiative focused more on validating and testing cybersecurity procedures and controls, with the alert highlighting improvements, deficiencies and best practices for registered firms.

Although OCIE noted improvements across the board (with all or “nearly all” broker-dealers leading advisers and investment companies in a number of areas), it also identified a number of deficiencies.

Written Policies and Procedures

Firms generally scored high marks on maintaining written policies and procedures addressing cybersecurity, including Regulation S-P, Regulation S-ID, business continuity planning, the cybersecurity roles and responsibilities of their employees, and their response procedures to access incidents and intrusions that could cause service disruptions or lead to data breaches.

OCIE determined that some policies and procedures were not reasonably tailored, offering only “general guidance” and “limited examples of safeguards” or because they were “narrowly scoped” or “vague,” or were perceived as providing “contradictory or confusing instructions” that employees might find difficult to follow.

Some firms also did not follow their policies and procedures, conducting reviews less frequently than prescribed or failing to ensure that all employees completed their required cybersecurity awareness training. And other policies and procedures were stale. For example, OCIE reported that “less than two thirds” of advisers and funds appeared to maintain their data breach incident response plans.

Risk Assessments

Nearly all” broker-dealers and the “vast majority” of advisers and investment companies conducted periodic risk assessments of their information systems.

“Almost all firms” conducted initial risk assessments of third-party service providers either directly or through various reports or certifications at the outset, and “over half of the firms” updated these assessments at least annually.

Penetration Testing and Vulnerability Scans

“Nearly all” broker-dealers and “almost half” of advisers and investment companies conducted penetration tests and vulnerability scans on “critical” systems.

A “number” of firms failed to fully remediate certain risks identified through their penetration tests and vulnerability scans.

Data Loss Prevention

All broker-dealers and “nearly all” advisers and investment companies instituted procedures to maintain their information systems.

A “few” firms failed to install system patches, including security updates, while others used outdated operating systems that no longer receive security patches.

Access Controls

All advisers and investment companies maintained written policies and procedures to verify the identity of a customer requesting a funds transfer.

Some broker-dealers failed to memorialize customer verification procedures for funds transfers, relying instead on informal practices for confirming a customer’s identity prior to honoring transfer requests. As scams involving fraudulent wire transfers proliferate, formal procedures and redundant safeguards to protect against unauthorized requests are key.

Best Practices. OCIE also provided a noncomprehensive list of best practices identified during its examinations, suggesting that firms consider implementing these measures to bolster their cybersecurity programs. In addition to encouraging firms to undertake the compliance efforts discussed above, OCIE recommended that firms consider steps such as:

  • Maintaining an inventory of their information assets and associated vendors, as applicable, classified by risks and vulnerabilities. This recommendation appears to go hand in hand with a firm’s ability to conduct its periodic risk assessments.
  • Tracking requests to access information systems, including policies and procedures for modifying access rights when hiring, terminating or changing responsibilities of employees. Although the risk alert did not specifically reference third-party service providers here, this recommendation likely would apply to them as well.
  • Requiring and enforcing restrictions and controls for mobile devices that access information systems, including password protection and encryption. This recommendation acknowledges evolving business practices, the ubiquity of mobile devices and the necessity of remote access.

Because cybersecurity remains one of the SEC’s top priorities, registered firms should, among other things, measure themselves against these improvements, deficiencies and best practices to ensure they are keeping up with regulatory expectations. MORE

SEC risk alert calls on advisory industry to do more to shore up cybersecurity

Advisory firms given more details on how examiners want systems protected from hackers

Financial advisory firms are getting more advice from federal regulators on steps they should be taking to protect their information systems from hackers. 

Advisory firms need to do a better job of following their stated cybersecurity policies and they should correct all the vulnerabilities that periodic tests reveal, according to results from a new round of cybersecurity examinations by staff at the Securities and Exchange Commission.

Advisers also need to do a better job of keeping the firm's security patches up-to-date, the new SEC exam risk alert said. It contained findings from 75 cybersecurity exams of advisory firms, broker dealers and funds conducted from September 2015 through June 2016.

"The staff observed that a few of the firms had a significant number of system patches, that according to the firms, included critical security updates that had not yet been installed," the staff of the Office of Compliance Inspections and Examinations wrote.

The importance of timely installation of security patches was highlighted earlier this year when the "WannaCry" ransomware attack hit more than 200,000 computers in 150 countries, encrypting computers and demanding $300 to release each computer. The malware spread through a bug in an old Windows version that Microsoft had issued a "critical" patch to fix two months earlier. 

(More: Cyberattack should prompt advisers to ask their IT professionals hard questions)

The attack in May was especially damaging because it had a mechanism to spread through the network, infecting other computers that hadn't been updated. The SEC issued an alert specific to the issue of ransomware soon after the massive hack.

Another area where firms should improve is in maintaining response plans for addressing data breaches and letting clients know about material events. Less than two-thirds of advisers have these plans in place, the alert said. 

The SEC alert also said broker-dealers were not doing as good a job as advisers and funds at having formal procedures for verifying customers' identities when clients request electronic transfers.

(More: Passwords to become passé as more firms back biometrics)

Federal regulators generally have been less prescriptive than some states when it comes to giving financial services firms detailed requirements for protecting their systems from attacks. Colorado recently implemented new rules requiring annual assessments, use of secure email, including digital signatures and encryption, and New York also has set specific rules for financial institutions. 

"The SEC hasn't been very specific about what it wants firms to do on cybersecurity," said Justin Kapahi, vice president for solutions and security at External IT. "I think we'll see a lot more states follow Colorado's lead." 

In the new alert, the SEC said the firms with robust cybersecurity protections reviewed the effectiveness of their security solutions with penetration tests, tracked access rights of employees, had formal patch management policies, made training mandatory, and established data access controls for mobile devices that used passwords and software that encrypted communications, among other steps.  MORE

SEC Increases Focus on Cyber Incident Response

In the past few years, we have seen an uptick in agencies beginning to focus on the cybersecurity readiness and response of organizations subject to their jurisdiction.

The U.S. Securities and Exchange Commission (SEC), for example, has identified cybersecurity as a top priority for many years. This past June, the SEC named Stephanie Avakian and Steven Peikin as the new co-directors of the enforcement division. Peikin noted that “[t]he greatest threat to our markets right now is the cyber threat.” What has generally been a focus on urging companies to bolster their cybersecurity prevention efforts may be making a shift toward an expectation that companies respond efficiently and effectively in the wake of a data breach. Such a shift is not surprising, given that many experts believe that security breaches are increasingly inevitable.

Given the growing recognition that, even with robust and mature information security programs, incidents will occur, the SEC and others are looking to frame appropriate regulatory responses. Recent SEC comments place an increased importance on how companies are identifying and responding to cybersecurity incidents.

By increasing regular examination of regulated entities, such as broker dealers and investment advisers, these entities will likely have more direct oversight and scrutiny of their information security programs. In addition, direct regulatory oversight of financial institutions subject to the SEC’s jurisdiction, and broader scrutiny of public companies and their security breach-related disclosures, seems probable.  “In the wake of a breach, we are going to ask questions and look at disclosures before and after an incident,” said Avakian.

The SEC is cognizant of the fact that enforcement in the form of fines on public companies can lead to negative consequences to seemingly innocent parties, such as shareholders. However, the SEC has brought several enforcement actions against registered firms, including a $1 million fine related to allegations of a failure to meet the “safeguards” rule under the Gramm-Leach-Bliley Act. As the SEC’s focus shifts more resources to cybersecurity enforcement, it would not be surprising to see the agency examine disclosures relating to data breaches, or the timing of disclosure of such incidents, more closely. Now more than ever, companies may be held accountable if they fail to invest in data security, or prepare and respond to cyber-attacks adequately. While the companies may view themselves as victims, the market, and those tasked with protecting investors and the market, seemingly do not.  MORE

Latest News Cybersecurity Compliance Gets Tougher

Another high-profile corporate hack puts cybersecurity back into the spotlight as thieves made off with 1.5 TB of data from HBO, including scripts of upcoming Game of Throne episodes.

The bad news for financial institutions is that this elevated focus on cybersecurity will make meeting their cyber-security regulatory mandates only more challenging as more jurisdictions ramp up their cyber-security requirements.

The laws are changing all the time as New York, Colorado, and Connecticut enhance their cybersecurity laws, said Chad Pinson, managing director at Stroz Friedberg during a panel discussion hosted by the US Securities and Exchange Commission and FINRA. “It is hard to keep up with what those different states require.”

There is little to no chance that financial firms will find relief from any Federal preemption law that would supersede state data protection and data breach notification laws added fellow panelist Richard Johnson, an attorney at the law practice Jones Day.

“That is something that has been talked about, but that is not even under consideration at the moment,” Johnson said.

As a result, firms that experience a breach that involves consumer information will have to comply with as many state laws as locations where they have customers, he added.

To complicate cyber-security compliance even further, each regulator brings its own focus to cybersecurity that makes it difficult to harmonize with other regulators.

State regulation tends to focus on protecting the consumer and help state attorneys general get re-elected, according to Pinson.

At the Federal level, the US Department of Justice is more interested in who orchestrates the data breaches, added Shamoil Shipchandler, Regional

Industry regulators, such as the SEC and FINRA, look to acknowledge a firm’s cybersecurity status, but they do not issue overly prescriptive check list that every regulated firm must meet.

“We are not going to come close to doing that,” said Shipchandler. “And the reason is that we do not speak like that because everyone is different in shape of their organizations, their structure, and their assets. The more prescriptive we get, the more likely we are going to force firms to incur costs that are going to be passed down to the very individuals that our mission says we have to protect.”

FINRA shares the same reasoning for not issuing a prescriptive list of cybersecurity mandates, according to David Kelley, surveillance director at FINRA.

“It would be hard to write a rule that that says you have to do these particular items,” said Kelley. “It just does not make any sense right now.”

However, Kelley noted that FINRA issues a report on cyber-security practices in February 2015, which should give firms the areas in which FINRA is interested.

The best response would be for firms to triangulate their cyber-security strategies with the various compliance requirements, according to Johnson.

“I think firms want to be in the position, just to minimize their possible legal and regulatory liabilities, to be checking a lot of the boxes that are in common across the board,” he said.  MORE

Director, Fort Worth Regional Office, at the SEC and who moderated the panel.

Protect against the fastest-growing crime: cyber attacks

  • Cyber attacks are increasing in size, sophistication and cost.
  • Experts give advice on how financial advisors and their clients can improve cybersecurity.

Cyber theft is the fastest-growing crime in the U.S., and cost the global economy more than $450 billion in 2016, with more than 2 billion person records stolen.

By 2021, cyber crime damage costs could hit $6 trillion annually, according to a report by Cybersecurity Ventures. 

And companies are experiencing larger breaches, reported IBM. The average size of data breaches increased 1.8 percent in 2017 to more than 24,000 records, according to its 2017 cost of data breach study.

Financial advisors are increasingly aware of this threat, with 81 percent saying cybersecurity is a high priority. Yet, just 29 percent say they are "fully prepared to manage and mitigate the risks associated with cybersecurity," according to a study released last September by the Financial Planning Association's Research and Practice Institute. 

However, just in the past year, advisors have been upping their security, said Dan Skiles, president of Shareholders Service Group and a past national board member of the FPA. Not only because of what they've seen in the news, but also because some large firms have taken hits and witnessed fraud attempts firsthand.

"The first thing I remind advisors is that … everybody is on the playing field," Skiles said. "There's no spectators in this game, so an advisor cannot be sitting there thinking 'well I'm glad my IT firm is on this' or 'I hope my technology expert is taking care of this,' because the reality is these cyber security attacks can happen to anybody within the firm."

How firms can increase cybersecurity

The difficult part about cybersecurity is that the process matters more than the technology, Skiles said.

"Advisors can spend thousands of dollars on great technology infrastructure … but if one of their associates doesn't follow the rules … and they inadvertently click on a defective link, or they inadvertently respond to a fraudulent email, there's no tech spin that's going to protect you from that."

Staff training and technology go hand in hand in fighting off hackers, he said. Yet about one-third of employees aren't receiving any training related to cybersecurity, the FPA study found. And for the employees that do get trained, the average team member receives less than two hours of training per year. MORE