Cybersecurity tips for advisors and clients

Cyberattacks are growing in volume and sophistication and the need for the wealth management business to safeguard clients, portfolios and industry has never been greater.

In 2017 alone, more than 143 million Americans were affected by cybercrimes, a jump of 30% from 2016. As threats increase and fraudsters become more sophisticated, financial advisors and their clients must be proactive in protecting themselves and sensitive data. The process begins with education. Today’s cybercriminals use common, effective methods to acquire personal information. Malware (malicious software) can be delivered to devices via suspect websites, public Wi-Fi networks, and communal charging stations, presenting common hazards that might be sidestepped with the right information.

Below are helpful tips advisors can use to start a conversation with their clients about cybersecurity and help avoid potential catastrophe.

Software and online security

Keep your software, operating system and browser up to date. Companies continuously add security updates with every software upgrade they release. Installing updates immediately can help clients prevent a malware infection. 
Set up multi-factor authentication to log in to any website or application clients use for financial transactions that contain personal data.
Run a reputable, American anti-virus product on a home PC or laptop. This will help prevent a device from becoming infected with malware and may clean up an existing infection.

As threats increase, the need to safeguard clients, portfolios and industry has never been greater, writes Rachel Wilson, head of cybersecurity for Morgan Wealth Management Technology.

Cybersecurity in public environments

Avoid using public Wi-Fi hotspots — such as the ones at coffee shops, airports, or hotels. If a client does use a public Wi-Fi hotspot, advise them to use a virtual private network (VPN) so that others cannot intercept their communications. As an alternative, clients can stick to the mobile network and create a personal Wi-Fi hotspot with their phone.
Don’t use public charging cords or USB ports to charge a device. Publicly available power outlets are generally fine, but avoid using publicly available cords and ports. These can be used to deliver malware or silently steal data.

If you’re a broker-dealer, you must be compliant with SEC Rule 17a-4. Make sure you know the regulations for Electronic Storage Media (ESM), and why it’s necessary to work with a Designated Third Party (D3P) to safeguard your electronic records.

Daily online activities

Don’t click on links or open attachments in unsolicited emails or text messages. Doing so may install malware on a device. 
Don’t reuse the same or similar username and password across multiple websites and applications. If clients reuse the same username and password and a hacker gains access to just one of the accounts, the hacker may be able to access their other client accounts as well.
Use a password manager. These apps create unique, complex passwords for clients and then store those passwords in a cryptographically sound way. 
Create and save bookmarks for the important banking and brokerage websites that clients visit often to avoid inadvertently entering credentials on a fraudulent site. 
Only download applications from Google Play or the App Store and never from a third-party app store. Third-party app stores, or apps that pop up and encourage a download, are much more likely to contain malware. 
Only give applications the permissions they really need. Granting an application access to photos, location, camera, or contacts makes that data and information available to the application owner.
Limit how much information is shared on social media, and lock down the privacy settings on social media accounts. The information clients share online could be exploited to gather information for fraud schemes.

Tools to combat cybercrime

Use a current and reliable email provider that has basic, built-in security features. Using an older email account that has not incorporated security protections will greatly increase the likelihood of your email account being taken over and used to impersonate you or to spam your contacts.

Shred financial documents before discarding them, as these contain valuable information that could be used by fraudsters. Leverage online statements and paperless options, like eSign, eDelivery, eAuthorizations and Digital Vault, as these include important security features. Additionally, clients should secure sensitive documents within their home.

These basic tips can help avoid some of the most common cybersecurity threats, but the need for vigilance and continued education is paramount. Advisors should maintain an ongoing dialogue with their clients to ensure their personal data, wealth information and financial transaction data are properly safeguarded.

SEC Enforcement’s Annual Report Prioritizes Retail Investors, Cryptocurrency, Cybercrime, and Individual Accountability

The Enforcement Division of the United States Securities and Exchange Commission (“SEC”) recently released its annual enforcement report (“Report”) for fiscal year 2018. The Report reflects an increased focus on retail investors, cryptocurrency, cybercrime, and individual accountability. Further, it showcases that SEC enforcement continues to be robust under the Trump administration, despite industry and media expectations to the contrary.

Cybercrime is also a growing area of concern for the SEC, with more than 225 active investigations this past year. Notably, in many of these investigations, companies that were victims of cyberattacks are now under investigation for how they responded to the attacks. The Enforcement Division brought proceedings against companies based on failures in those companies’ cybersecurity policies and procedures related to cyber intrusions.

How to Choose a Cyber Liability Insurance Policy

As more and more data breaches and ransomware attacks make headlines around the world, the need for digital asset protection has become top of mind for many financial advisors and business owners. In yesterday’s post, I outlined some cyber liability insurance basics, including what may and may not be covered if your RIA–broker/dealer has its own policy. Today, I’ll dig a bit deeper into the topic, including how you can assess your risks to determine what coverage you may need so you can choose the right cyber liability policy.

Scenario: Cyberattack!

It’s 6:00 A.M. on a Monday morning. You hit snooze a few times before sitting up and grabbing your smartphone. A notification catches your eye. No, you’re not dreaming. Your business has been hit by a cyberattack.

How did this happen? You’ve put considerable effort into mitigating the risk of cyberthreats—staff education, encryption, and password policies, to name a few. Unfortunately, even with such protections in place, you can still become the victim of a cyberattack.

But hang on! You have cyber liability insurance. There’s no need to worry, right? That depends. Do you know the extent of the damage? Do you know what your policy covers? The answers to those questions will determine how concerned you should be.

What Went Wrong?

First, you’ll need to find out what information was involved in the cyberattack to determine if any confidential data was compromised. You’ll also want to look into how the breach happened. Was it because a scammer gained access to your firm’s data following a phishing attack? Was one of your employees the weak link?

If the incident occurred at your broker/dealer, which has its own cyber liability insurance policy, your B/D would likely cover data forensic expenses, extortion, notification costs, and credit monitoring for the affected individuals. If the breach happened on your end, however, you would be liable for the damages. If your firm is at fault, you will need to prove that your business did everything possible to prevent the breach and help minimize risk, such as taking proactive measures to ensure that proper security policies are in place and up to date.

Whether you are at fault or not, cyber liability insurance can’t mend a broken reputation. It can, however, help neutralize some of the costs associated with a cyberattack and help restore your business operations.

How to Choose the Right Coverage

Given everything we’ve discussed here and in yesterday’s post, you may be leaning toward purchasing a cyber liability policy. But how much coverage should you purchase? Following the three-step process described below can help you arrive at the best decision for your firm.

1) Assess your risk. If your office collects, transmits, stores, views, or interacts with personal information that hackers could use to identify a client, you are at risk for a cyberattack and need to ensure that your business is protected from what could go wrong.

Begin your assessment by getting a handle on your vulnerabilities. Do you, for example, have a hardware firewall and up-to-date antimalware and antivirus protection? Do you encrypt your hard drives and portable media? Do you regularly train your staff to be aware of information security issues? Have you enabled multifactor authentication, where possible, for all of your devices?

Answering no or I’m not sure to any of these questions means your—and your clients’—information may be at risk and you could benefit from cyber liability coverage. But even with the most robust information security programs, there’s always the chance that something might slip through the cracks. Taking a good look at scenarios that could leave your business vulnerable to attack can help you determine which coverage plans may be best for your firm.

For the second part of your assessment, you’ll want to evaluate whether you’ve done as much as possible regarding:

  • Governance and risk assessments: This includes creating an inventory of all the software and hardware in your office, as well as any device that’s connected to your network; developing policies for bringing devices to work and displaying information on screens or desks; and maintaining a data-retention policy.

  • Access rights and controls: This includes encryption, firewalls, password policies, and the like.

  • Data loss prevention: This includes verifying the identity of clients who request asset transfers and regularly updating your software.

  • Vendor management: This includes doing appropriate due diligence on potential vendors and signing contracts that govern data usage.

  • Training and awareness: This includes regular training on information security concerns for you and your staff, as well as training and best practices for your clients.

  • Incident response: This includes having an appropriate backup system in place, along with formal business continuity and incident response plans.

By understanding the controls you already have in place and the areas where you may be at risk, you can look to purchase a cyber liability policy that focuses on the coverage you need.

2) Research carriers and policy options. According to the 2017 Cost of Data Breach Global Study, the average cost of a data breach is $225 per client. So, although you may be reluctant to pay the premiums for yet another insurance policy, that cost is minimal compared with the out-of-pocket expenses your office could incur if it experiences a cyberattack.

Policy cost varies depending on the depth of coverage you select and the carrier you choose. When speaking to a potential insurance carrier, ask about the types of incidents covered and whether any “events” are specifically excluded from coverage. Because each financial services office is different and cyber liability insurance coverage varies from vendor to vendor, be sure to vet multiple policy options. You’ll also want to get the best value and price for what your business needs, so discuss pricing in detail with the carriers and inquire about deductibles.

3) Apply for your top choices. Once you have vetted a few insurance carriers, fill out an application with the companies whose quotes best fit your office’s needs. Ensure that the applications have been completed correctly, answering questions based upon the cybersecurity protocols your office employs. Once you are approved for a few policies, you can choose the right cyber liability policy for your needs based on the deductible, premiums, and coverage with which you are most comfortable.

A Plan for Prevention and Recovery

In today’s increasingly digital world, having a top-notch information security program in place is essential for protecting your business’s assets and your clients’ personal data. But as the threat of a cyberattack or breach grows, it’s best to be prepared not only to prevent an attack, but to make a full recovery from one as well. If you follow the steps outlined above and choose the right cyber liability policy for your business’s needs, you’ll be well equipped to handle any threat that comes your way.

Posted by Rachel Sonia

SEC RIA Enforcement Actions Increased 31.7% in the 2017 Fiscal Year

On November 2, 2018, the Securities and Exchange Commission ("SEC") released its 2018 enforcement report which highlights the 821 enforcement actions pursued during its most recent fiscal year. This latest annual report shows continued focus from the SEC "on the Main Street Investor" and it seems likely that such focus is unlikely to change in the coming years. During the 2018 fiscal year, the SEC filed 490 stand alone enforcement actions, 210 follow-on administrative proceedings, and 121 enforcement actions related to delinquent filings. Stand alone enforcement actions pursued against investment advisers or investment companies totaled 108 which represents a 31.7% annual increase compared to the 82 stand alone enforcement actions filed in the 2017 fiscal year. The SEC Division of Enforcement also notes that it has been forced to operate efficiently as total headcount for the division is down roughly 10% compared to the 2016 fiscal year. As such, the division has "paid careful attention to case selection, attempting to open and pursue investigations that are likely to have the most meaningful impact for investors and the markets."

Increased Enforcement Actions Against RIA Firms

As seen in the recently released 2018 North American Securities Administrators Association ("NASAA") enforcement report which looks at enforcement activity at the state level, the number of registered investment adviser ("RIA") and investment company enforcement actions is increasing:

Source: 2017 and 2018 SEC Division of Enforcement Annual Reports

Given the increasing number of SEC-registered RIA firms and increasing SEC RIA examination frequency, it's possible this trend may continue in future years. Since 2012, the number of SEC-registered investment advisory firms has increased 13.7% from 11,658 firms to 13,250 firms as of October 31, 2018. In addition, the volume of federally-registered investment adviser examinations has increased 117.0% from 974 audits conducted in the 2012 fiscal year to 2,114 audits performed in the 2017 fiscal year. However, it is important to note that the percentage of examined firms referred to the Enforcement Division has actually declined from 13% in the 2013 fiscal year to 7% in the 2017 fiscal year.

Focus on the Share Class Selection Disclosure Initiative

On February 12, 2018, as part of its focus on protecting the "main street investor," the SEC Division of Enforcement announced the Share Class Selection Disclosure Initiative ("SCSD Initiative"). As part of the initiative, RIA firms had until June 12, 2018 to self-report potential violations related to mutual fund share class recommendations. The 2018 report states "scores of investment advisers participated in the SCSD Initiative, which will result in charges against them." 

This latest enforcement focus on mutual fund share recommendations follows a series of previous guidance issued by the SEC Office of Compliance and Inspections ("OCIE") including a July 13, 2016 risk alert noting "the staff will focus on the adviser’s practices related to share class recommendations and compliance oversight of the process." Furthermore, SEC OCIE staff has continually listed mutual fund share class selection and broader disclosure related to the costs of investing as a top examination priority in recent years including in 2017 and 2018.

Mutual fund share class selection is and will remain in the SEC spotlight. Any RIA firm in a position to choose between different share classes for its clients needs to fulfill its fiduciary obligation and continue to stay focused on ensuring proper regulatory compliance.

Cyber-Related Misconduct

For a number of years, the SEC OCIE Division has continued to discuss its concern and focus on RIA information security which has included a series of cybersecurity-focused examination sweeps. These efforts have led the OCIE division to issue a series of risk alerts on February 3, 2015, September 15, 2015, and August 7, 2017. In addition, the OCIE Division has continually listed cybersecurity as a top examination priority in recent years including in 2017 and 2018.

While the SEC Enforcement Division notes it presently has "more than 225 cyber-related investigations ongoing," to date there have not been a large number of investment adviser cybersecurity-related enforcement actions. However, this is likely to change moving forward given the continued examination focus and large volume of ongoing investigations. In addition, the enforcement report notes that during the 2018 fiscal year, the SEC Enforcement Division took its "first action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft." 

Be sure to check back soon as we continue to provide more detailed data and information on RIA regulatory compliance enforcement focus areas and trends. As always, the Chief Compliance Officer ("CCO") of every investment advisory firm needs to continue to ensure that compliance programs are being designed and implemented to help prevent activity which could lead to potential enforcement action. In particular, CCOs should continue to pay close attention to new and emerging regulator focus areas.

Can your small business afford to risk the imminent threat of a cyber incident?

Cybersecurity incidents are occurring on a daily basis and at a growing rate. Yet, many small businesses still have not obtained adequate (or any) cyber insurance to address these risks and the costly impacts to the business that will result. In a recent study completed by the Insurance Information Institute, only about a third of all small businesses polled responded that they have cyber insurance in place, with 70% of respondents replying that they have no plans to purchase a cyber insurance policy in the next 12 months. Most of the businesses indicated that they do not believe they have any need for cyber insurance, yet almost half of those same companies stated they are unprepared to handle cyber threats. A main reason for not purchasing cyber insurance was a lack of understanding about this type of insurance and coverages available.

The Risks for Small Businesses

These statistics are alarming considering that the average cost of a cyber-related loss for a small business has increased 250% in the past two years, and now totals $188,400. In determining whether insurance coverage should be purchased, companies typically assess the perceived risks to the company, the likelihood of such risks occurring, as well as any costs or expenses that may result. For example, most companies regularly obtain a property policy to cover a fire or other casualty that may damage its business location even though such an event is unlikely or unexpected. Yet, cyber incidents are just as likely, if not more likely to occur, and the impacts to a company in the event of an incident are far worse. Many incidents result in a complete suspension of the daily operations of the company for several days or longer.

In addition to financial loss, companies may face the following as a result of a cyber incident:

  • Theft, breach or loss of information and data;

  • Damage to the company’s reputation, brand or image; and

  • Regulatory, governance and legal issues.

How Cyber Insurance Can Help

Cyber insurance policies can be obtained to address the losses related to a data breach and may include costs for investigating a breach, notifying people affected by a breach of personally identifiable information, managing the potential damage to reputation and other crisis-management expenses, recovering lost or corrupted data, and related legal expenses. More importantly, well-drafted policies can afford coverage for business interruption losses; i.e. those expenses and lost revenue resulting from a breached system and a company’s inability to continue its usual operations. Coverage may also be obtained for “cyber extortion”, which covers costs resulting from an extortion event such as ransomware or fraudulent wire transfers.

It is important to keep in mind that cyber insurance is only one component to consider when developing and implementing an overall risk management strategy to prevent cyber incidents. However, taking into account the exposure to a company if and when a cyber incident occurs, it is highly advisable to have this coverage in place.

Ohio Gives Breach Safe Harbor for Companies with Written Data Security Program

Putting it Into Practice: Unlike other states which require companies to have written security programs in place (Alabama, Massachusetts, and Oregon), Ohio’s new law seeks to provide a strong incentive to companies to put into place a similar program without actually making having a written program a requirement.

Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can use as an affirmative defense the existence of a cyber program in rebuttal to an argument that they failed to implement reasonable information security controls, and that failure resulted in a breach. The definition of breach (and personal information that if impacted gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place, and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimal criteria to qualify. This includes (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, nature of its business, type of information, cost of protection tools, and resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action.

For first time, state regulators pursue more cases against RIAs than broker-dealers

In its 2018 enforcement report, the North American Securities Administrators Association said that, for the first time, state regulators pursued more registered investment advisers in disciplinary cases than broker-dealers.

In 2017, there were 377 RIA firms and investment advisers named in enforcement actions, a 32% increase over 2016, and 270 brokerages and their registered representatives named, an 11% decline. The 2018 NASAA report reflects 2017 results.

The crackdown on RIAs makes sense, given that the total number of RIA firms has grown by 20% — from 25,073 in 2008 to 30,193 in 2017 — while the number of brokerage firms has declined by 24% — from 3,969 to 3,132 — over the same period, according to an analysis by the consulting firm RIA in a Box based on an industry snapshot by the Financial Industry Regulatory Authority Inc.

Growth of the RIA sector probably won't slow down, and neither will RIA enforcement.

"This is unlikely to be a one-year anomaly, but more likely a continuing trend," said GJ King, president of RIA in a Box.

The migration of RIAs from registration with the Securities and Exchange Commission to the states has also contributed to the increase in enforcement cases, according to Christopher Gerold, chief of the New Jersey Bureau of Securities and chairman of the NASAA enforcement committee.

The number of state-registered advisers grew from 13,799 in 2008 to 17,534 in 2017. The biggest jump came from 2011 to 2012, when about 3,000 RIAs switched from SEC to state registration due to a Dodd-Frank law requirement that advisers with less than $100 million in assets under management move to state oversight. Previously that threshold was $25 million.

"States are catching up with their examination programs and bringing more actions," Mr. Gerold said. "State regulators are taking their examinations very seriously."

In putting together its enforcement report, NASAA did not survey states on the types of actions filed against RIAs. But in his practice, one compliance lawyer said the primary compliance problem he sees with small RIAs is conflicts of interest.

"A good number of IAs tend to have the same conflicts they had as B-Ds, and they're not really mitigating those conflicts," said Brian Hamburger, president of MarketCounsel. "Just because you're smaller, it doesn't give you a pass on mitigating conflicts."

An emerging problem area for state-registered RIAs is senior financial abuse. The NASAA model rule to combat senior exploitation has been adopted by 18 states. Texas opened 24 such cases in 2017.

"You're going to see more enforcement actions on senior protection at the state and federal level," Mr. King said. "RIAs can be vulnerable given the amount of retirement business a lot of them do."

As more RIAs are subject to enforcement and more brokers become RIAs, the debate over whether RIAs or brokers are more heavily regulated is likely to heat up.

"Another contributing factor is that broker-dealers tend to have more robust internal compliance departments with policies and procedures in place that prevent securities violations and subsequent enforcement actions," Eleonora Zlotnikova, a securities attorney at Sam P. Israel, wrote in an email.

Mr. Gerold said the increase in state RIA enforcement reflects the fact that states are the only regulator with responsibility for small RIAs.

"I'm not saying that IAs are better or worse than B-Ds or vice versa," he said. "It's a product of who is the primary regulator of the segment of the financial market."

SEC Does Not 'Dictate' Cyber Controls, Cyber Chief Says

The SEC is more focused on preparedness, cyber chief Robert Cohen said at a NASAA Cybersecurity Roundtable.

In assessing firms’ cyber preparedness, the Securities and Exchange Commission is “looking for firms that have significant risks that they aren’t disclosing,” Robert Cohen, head of the agency’s cyber unit, said Monday.

Speaking on a panel at the North American Securities Administrators Association’s cyber roundtable in Washington, Cohen stated that it’s not the “SEC’s approach to dictate specific [cyber] controls” on regulated entities. “I don’t know that that’s the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they’re doing and see if they’re prepared.”

“For the commission to dictate you must do this, you must do that, sometimes we’ll publicize best-practice issues … but generally, if the commission dictated something, I’d be concerned that it gets out of date really quickly.”

The best source of expertise in the cyber realm, he added, “is within the industry and the consultants they employ.”

What does the SEC look for when assessing firms’ preparedness?

“Really you can learn a lot just by asking firms what they do to prepare” for cyber breaches, Cohen said.

Cohen cited the recent charge against Voya Financial Advisors Inc. for violating Regulation S-P or the Safeguards Rule and the Identity Theft Red Flags Rule, as “a classic mistake that we see.”

Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information, “had policies and procedures and controls, but really didn’t enforce it across the board,” Cohen said.

The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Cohen, when the complaint was filed in late September. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

FBI Has Doubled Agents in Cyber Program

Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes “billions of dollars of losses every year,” and is the FBI’s third priority behind counterterrorism and counterintelligence.

“We’re continually banging our heads against a wall to try to figure out how we can better combat this,” he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.

“As we look into cybercrime, very rarely does it not cross international borders,” he added.

Business email compromise continues to be one of the top scams, with an average loss of $130,000.

Also “synthetic ID” is becoming a more prevalent scam against financial institutions, he said.

“An actor will take a real Social Security number and changing some of the variants of the personal identifying information and creating a ‘synthetic ID’ — a nonexistent person — they apply to some different credit lines, they had no credit to begin with … but then once you get denied credit, it actually creates a credit file. … Once they have that credit file established, they will attach it to someone else’s credit — someone with good credit — … and over the course of six months that score will go from 300 up to 750, they’ll detach it, and then they’ll start opening bank accounts, credit cards…”

Financial institutions are “really struggling with this,” Floyd said.

NASAA Initiatives

NASAA President-elect Frank Borger-Gilligan, who also serves as the assistant commissioner of the Tennessee Securities Division, within the state Department of Commerce & Insurance, noted at the roundtable that “last year, more than half of the adult online population in the U.S. were victims of cybercrimes,” according to a 2017 Norton Cybersecurity Insights report.

Globally, cybercriminals stole $172 billion from 978 million consumers in over 20 countries in 2017. Cybercriminals, it was estimated, cost the world economy more than $600 billion last year, Borger-Gilligan said.

More alarming, he continued, financial services firms were “three hundred times more likely to be targeted than traditional American companies.”

Last year, 61% of cyber victims were small businesses — which continue “to be the low-hanging fruit for cybercriminals,” Borger-Gilligan said. “Smaller companies often lack the IT resources, the robust network defenses, and they mistakenly assume that they’re too small to be targeted.”

Couple this with the fact that 78% of nearly 18,000 state-registered investment advisors are one- to two-person shops, he added. “So it is clear how important the issue of cybersecurity is for our regulators.”

More work is planned in the year ahead. This year, Borger-Gilligan said, NASAA is considering whether to adopt a model rule, which will provide “more direction to advisors and baseline protection for investors.”

He noted that NASAA’s Investment Adviser Section also recently published a model rule for public comment, which would require advisors to “adopt policies and procedures regarding information security,” and will require them to deliver the policy annually to clients.

The comment period closes on Nov. 26.

Practice What You Preach: Having Cybersecurity Policies and Procedures That Don’t Do What They Are Supposed To Do Can Result in Fines

In the first enforcement of the Identity Theft Red Flags Rule, the U.S. Securities and Exchange Commission (SEC) fined Voya Financial Advisors, Inc. $1,000,000 for failing to provide training on and reasonably design its written policies and procedures to mitigate identity theft. On September 26, 2018, the SEC announced a settled enforcement action against Voya, a dually registered broker-dealer and investment advisor, arising from a cyber intrusion that compromised personal information of thousands of customers.

The SEC’s order describes a six-day period in 2016 during which cyber intruders impersonated Voya contractors by calling Voya’s support line and requesting that their passwords be reset. With the new temporary passwords, the intruders obtained access to the personal information of 5,600 Voya customers. From there, they were able to use that information to create new online customer profiles and get access to account documents for three customers. There were no unauthorized transfers of funds or securities from Voya customer accounts.

The SEC alleged that Voya had violated the Safeguards Rule, which requires broker-dealers and investment advisers to adopt written policies and procedures that provide for the protection of customer records and information, and the Identity Theft Red Flags Rule, which requires them to develop and adopt a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.

Voya had written policies and procedures, but the SEC alleged that in light of Voya’s business model and risk profile, they were not reasonably designed to: “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Significantly, several of Voya’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives or to their remote systems, and they were not updated to reflect changes in risks to customers from identity theft. Moreover, Voya failed to provide training specific to preventing identity theft. Accordingly, the intruders were able to obtain access because of Voya’s weaknesses in those procedures, some of which had been exposed by previous fraudulent activity. The SEC order includes a detailed description of how the intruders obtained access, and should be required reading for everyone who establishes or oversees a cybersecurity program.

New NASAA president Michael Pieciak puts cybersecurity at top of agenda

It's often the smallest investment advisory firms that are the most vulnerable to online threats, and that's why it's natural for rule-making to start at the state level, according to a top state regulator.

The North American Securities Administrators Association last week released for public comment a proposed cybersecurity rule. It would require advisers to adopt policies and procedures to safeguard information physically and online and to inform clients about their privacy policies annually.

The potential model rule is a top priority of new NASAA president Michael Pieciak. The Vermont commissioner of financial regulation was inaugurated for a one-year term on Sept. 25 at the organization's annual conference in Anchorage, Alaska.

State regulators are responsible for overseeing approximately 18,000 investment advisers with less than $100 million in assets under management. Many of them are one- and two-person operations, which can be juicy targets for online predators. But they also lack the cyber defense resources of major financial firms, Mr. Pieciak said.

"I'd like to see a model rule in place that does a good job of right-sizing the need to secure firms' important data," he said. "I don't see this as an issue where it's regulators versus industry. I see it as an issue where it's regulators and industry versus the cybercriminal."

The comment period lasts until Nov. 26. After digesting the feedback, NASAA could propose a model cyber rule for state legislatures to consider. There are cyber regulations in New York, but a model rule could expand the number of states with cyber oversight.

If NASAA proceeds, it could launch a cyber rule before the Securities and Exchange Commission and the Financial Regulatory Authority do. The SEC and Finra examine for cyber deficiencies.

"Maybe it makes sense that we're first," Mr. Pieciak said. Small advisers regulated by states "are some of the most vulnerable shops. The SEC and Finra have a different contingency they're trying to protect."

NASAA will host a cybersecurity roundtable in Washington on Oct. 15.

First millennial to lead NASAA

Mr. Pieciak, 35, is the first millennial president of NASAA, giving him a perspective that will influence both his leadership style and his regulatory agenda.

He said that his generation is often mislabeled. He has found his cohorts to be independent, detail-oriented and collaborative. That last trait will be helpful as the head of NASAA, a group in which the president is just "first among equals."

"That collaborative decision-making style is something I think is a hallmark of the millennial generation and something I hope to bring to this position," Mr. Pieciak said.

Millennial investors also pose a regulatory challenge given that they are often saddled with big student loans, put off buying homes and saving for retirement, and are attracted to online investments that may pose threats, such as cryptocurrencies.

"We see a lack of financial literacy and basic financial skills among the younger generation, particularly when it comes to thinking about some of the big life decisions like buying a home, which is usually someone's most important asset," Mr. Pieciak said. "We're going to have a specific millennial focus on our investor education and outreach initiative to educate and also protect millennial investors."

Other items on Mr. Pieciak's agenda include working on programs related to financial technology and cryptocurrency, leading a NASAA strategic planning process and fighting to preserve state regulatory authority.

Voya cybersecurity blunder should serve as a wake-up call to the entire industry

The stakes are high: Procedures have to be reviewed and tested on a regular basis

By now anyone responsible for cybersecurity at a financial advisory firm is probably tired of hearing about the subject. But the recent $1 million fine levied against Voya Financial Services should serve as a wake-up call to everyone in the industry for several reasons.

Cybercrime details

For one, it describes in detail an actual cybercrime and how it occurred — and how the firm failed not only to prevent it, but to shut it down adequately once alerted that the breach was happening.

The Voya story also represents the first time the Securities and Exchange Commission has fined a company under its Identity Theft Red Flags rule, and puts all firms on notice that the regulator is ramping up cybersecurity enforcement. In other words, expect more fines in the future.

Procedures in place

Like most other firms, Voya had security procedures in place that should have guarded against the breach that occurred back in 2016. In this case, cybercriminals posing as advisers asked for and received usernames and new passwords from Voya support personnel, giving them access to the personal information of 5,600 customers.

Even after one of the real advisers who had been targeted in this identity theft scam reported that he had not requested a new password, the scheme was not thwarted. Over the next several days, two more advisers were impersonated. In fining Voya, the SEC said the breach occurred, in part, because its personnel did not have a full understanding of how its own portal worked.

Prevention and response

One hard lesson Voya learned is that having procedures and protocols in place is not enough. Procedures have to be reviewed and tested on a regular basis to make sure personnel are trained and are following protocols correctly — and that the procedures and protocols in place are still effective in both preventing and responding to cyberattacks.


Companies also need to be more proactive in anticipating cyberattacks. Thieves can be creative. If you stop them from breaching your systems one way, they will try to get their hands on your protected data using different methods. They won't stop, so companies can't let down their guard.

Need for review

It is not enough simply to draw up a cybersecurity plan and put it on the shelf to show regulators when they ask for it during an exam; it must constantly be updated using the latest information on what cyberthieves are up to.

That brings us to yet another lesson. Cybersecurity comes with a cost. But it is a cost that cannot be ignored. The SEC's regulations apply to all firms in the industry, no matter their size. And remember, the stakes are high.

Clients and investors will usually forgive a security breach one time. But if it reoccurs, they will flee to a competitor with a better record on security. And who can really blame them?

Financial Advisors Should Question Tax Preparers About Protecting Data

CPAs continue to be tempting targets for cybercrooks looking to steal data to file tax returns and steal identities. High-net-worth clients’ information is especially prized, and the IRS and other tax agencies have made recommendations and established electronic requirements for tax preparers to protect that data.

“In addition to the obvious financial information handled by tax oriented CPAs and other practitioners, practitioners often serve as advisors to client businesses and other financial affairs,” said Dr. Sean Stein Smith, a CPA and assistant professor at the department of economics and business at Lehman College in New York. “Data security and protecting information is a high profile issue, and clients -- especially HNW individuals -- certainly understand the value that comprehensive security policies provide.”

SEC charges Voya Financial Advisors with deficient cyber-security procedures

In the Securities and Exchange Commission's first enforcement action for violations of the Identity Theft Red Flags Rule, Voya Financial Advisors has agreed to pay $1 million to settle charges for having deficient cyber-security policies and procedures concerning a cyber intrusion that compromised the personal information of thousands of customers.

The SEC on Sept. 26 charged the broker-dealer and investment adviser with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft. According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.

The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers. The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cyber-security procedures, some of which had been exposed during prior similar fraudulent activity.

According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce. “This case is a reminder to brokers and investment advisers that cyber-security procedures must be reasonably designed to fit their specific business models,” said Robert Cohen, Chief of the SEC Enforcement Division’s Cyber Unit. “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.

Financial Industry Takes Most Heat for Data Breaches: Study

Of all the industries prone to data breaches — maybe better make that of all industries, period, since hacking and other incursions have become so prevalent — the financial industry stands out, and not for a good reason.

In fact, according to a report from eMoney Advisor, financial services firms are the most susceptible to the bad publicity that results from an exposure of what should have been private data. At 5.7%, the industry has the highest abnormal churn rate — a measure of lost customers — in the U.S. economy.

And even though cyberattacks make lots of headlines, that doesn’t mean that firms are prepared to ward them off. According to the report, they lack the resources, infrastructure or experience to keep attacks at bay.

The average financial firm breach costs nearly $7 million, while a recent report finds that in 2017, 25% of such firms were hit; in 2016, 20% of firms suffered a breach.

The purpose of data breaches can vary depending on the industry, with hackers of retail and government systems usually looking for data to sell online. Within the financial industry, hackers are typically looking to steal money or data directly from customers, eMoney says.

Some of the tricks hackers use are the business email compromise (BEC), which tricks someone in the company into sending funds to a bogus account; ransomware, shutting down a company’s systems until a ransom is paid; and phishing, which is the most common in financial sector companies. Phishing emails lure the recipient into clicking on a link, attachment or website that can then infect the computer with malware.

Attacks are getting more sophisticated and more common, with the risks including having to deal with irate clients and offering free or discounted services to them, time spent dealing with the situation, reputational damage and the cost of lost customers.

Some of the measures eMoney Advisor suggests to protect data include two-factor authentication, which makes it more difficult for bad guys to gain access to client accounts; encryption, which keeps hackers from being able to make sense of data if they’ve hacked in directly; and backups, which can protect against ransomware by allowing companies to restore their own data.

Vendors need to be monitored and a disaster recovery plan just for cyberattacks should be in place, and companies should also be prepared to review “lessons learned” in the wake of a problem.

Last but not least, “cybersecurity hygiene” that keeps systems and security measures current and active; better training of users to avoid their being taken in by tricks; and testing security to make sure that everything is working and protected as it should be have to be on a company’s list of protective measures.

New Ohio law incentivizes businesses that comply with cybersecurity programs

On Aug. 3, 2018, Gov. John Kasich signed Senate Bill 220, also known as the Ohio Data Protection Act. Under the Act, eligible organizations may rely on their conformance to certain cybersecurity frameworks as an affirmative defense against tort claims in data breach litigation. The Act is intended to provide organizations with a legal incentive to implement written cybersecurity programs. 

In order to qualify for this new defense, the organization must implement a written cybersecurity program designed to:

  • Protect the security and confidentiality of personal information.

  • Protect against anticipated threats or hazards to the security or integrity of personal information.

  • Protect against unauthorized access to and acquisition of personal information that is likely to result in a material risk of identity theft or fraud. 

The scale of the cybersecurity program should be appropriate to the organization based on its size and complexity, the nature and scope of its activities, the sensitivity of the personal information protected under the program, the cost and availability of tools to improve its information security, and the resources available to the organization.

Additionally, the organization’s cybersecurity program must “reasonably conform” to one of the following cybersecurity frameworks:

  • National Institute of Standards and Technology’s (NIST) Cybersecurity Framework.

  • NIST special publication 800-171, or 800-53 and 800-53a.

  • Federal Risk and Authorization Management Program’s Security Assessment Framework.

  • Center for Internet Security’s Critical Security Controls for Effective Cyber Defense.

  • International Organization for Standardization (ISO)/International Electrotechnical Commission’s (IEC) 27000 Family – Information Security Management Systems Standards.




For organizations that accept payment cards, their cybersecurity programs must also comply with the Payment Card Industry’s Data Security Standards (PCI-DSS) to qualify for the affirmative defense. Similarly, organizations subject to certain state or federally mandated security requirements may also qualify, such as the security requirements in the Health Insurance Portability and Accountability Act (HIPAA), Title V of the Gramm-Leach-Bliley Act (GLBA), the Federal Information Security Modernization Act (FISMA), or the Health Information Technology for Economic and Clinical Health Act (HITECH).

The legislation expressly states that it does not “create a minimum cybersecurity standard that must be achieved” or “impose liability upon businesses that do not obtain or maintain practices in compliance with the act.” Rather, it seeks “to be an incentive and to encourage businesses to achieve a higher level of cybersecurity through voluntary action.”

This law will be the first in the nation which incentivizes businesses to implement certain cybersecurity controls by providing them with an affirmative defense. States like New York require certain businesses to meet specific cybersecurity compliance standards, without providing a specific affirmative defense as an incentive to do so.

Qualification for this new safe harbor will not be automatic and may be challenging to establish. Many of the specified frameworks, like NIST, do not have a standard certification process, so proving that a security program conforms to the applicable framework may prove difficult. However, given the increasing risk that cybersecurity presents for many organizations, the Ohio Data Protection Act may grant some relief.

The SEC, Cybersecurity, and Registered Investment Advisers: All in the Same Boat Fighting Cybercrime

Why Ignoring OCIE On Cybersecurity Could Lead to Catastrophe

The Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (SEC) has recently started to examine the capabilities of domestic organizations to fend off attempted cyberattacks and respond quickly to successful ones to ensure the confidence of investors, limited partners, and public markets in general. Since these attacks can be devastating, OCIE has created guidelines for companies and firms intended to help prevent cyberattacks and minimize risk. Failure to follow these guidelines will likely result in OCIE issuing critical inspection reports or even making referrals to enforcement offices. To guard against disastrous cyberattacks, minimize both organizational and reputational risk, and prevent OCIE or enforcement penalties, companies and firms should understand and implement these guidelines at their earliest opportunity. This benefits both the organization (to avoid potential regulatory fines and penalties, and liability to other parties affected by a breach) and any investors and limited partners, who could potentially lose millions should there be a successful breach.


OCIE is the arm of the SEC that goes out to registered entities to evaluate many aspects of operations and regulatory compliance. The SEC has charged OCIE with the task of evaluating the readiness of regulated investment advisory firms in relation to cybersecurity. In addition to entities such as registered investment companies, registered advisers, broker-dealers, and transfer agents, these firms also include alternative investment and hedge funds, wealth management firms, and private equity funds. The SEC’s National Exam Program (NEP), run by OCIE, aims to protect investors, maintain market integrity, and promote responsible capital formation using risk-focused strategies. These strategies, if implemented properly, should improve compliance, prevent fraud, monitor risk, and inform policy. On July 21, 2010, the passing of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank) granted OCIE additional authority over more people and entities.

For many years, OCIE has issued an annual exam letter detailing priorities for examinations it will conduct during the year. Since 2010, OCIE has made computer security issues an important item on its list of topics. OCIE has been working with organizations to help them self-assess their ability to mitigate risk and defend against cyberattacks, and to improve their practices in these areas. In 2011, referrals from NEP in cooperation with the SEC’s Division of Enforcement resulted in a significant number of enforcement actions. These cases reportedly stopped Ponzi schemes, identified material disclosure omissions and misinterpretations, and illuminated hidden fees/undisclosed remuneration and expenses charged to investors. The SEC uses the data collected from NEP to recognize and monitor risk, brief rule-making initiatives, pursue misconduct, and improve industry practices guided by NEP’s general principles: to be data-driven, risk-based, and transparent; to have maximum efficiency with its resources; and to embrace new technology. More recently, OCIE referrals have led to enforcement actions related to poor cyber-security, and to actions derived from actual breaches that have harmed companies or investors.

National Exam Program Risk Alert, 2015:

In April 2014, OCIE published its first comprehensive Risk Alert addressing how SEC-led examinations would help to identify cybersecurity risks and determine the degree of cybersecurity preparedness in the securities industry. In February 2015, OCIE published its conclusions from these observations. This publication deliberated upon legal, regulatory, and compliance issues relating to cybersecurity. After examining 57 broker-dealers and 49 investment advisors, OCIE came to these general conclusions:

  1. 93 percent of broker-dealers and 83 percent of investment advisors examined adopted written security procedures and policies, and a large group of the firms operated regular audits to determine compliance with procedures and policies.

  2. Many firms used external standards and other outside resources to guide their information security processes and architecture.

  3. Most of the examined firms engaged in regular risk assessments to find cybersecurity threats, vulnerabilities, and business consequences.

  4. Most firms examined conducted inventorying, cataloguing, and/or mapping of their technological resources.

  5. Almost 75 percent of the examined broker-dealers, but less than 25 percent of the investment advisors, implemented mandatory actions regarding cyber risk into their contracts with partners and vendors.

  6. Almost all firms used encryption.

  7. Many firms provided clients with advice to protect information, but more broker-dealer firms did so than investment advisors.

  8. More than half of the broker-dealers had cybersecurity insurance, but very few investment advisory firms had it.

These results show that cybersecurity and risk management improved in these firms, but further improvement is needed to prepare for and defend against cyber incidents. Furthermore, it was shown that broker-dealers generally have cybersecurity practices that are much better suited to the modern world, which is riddled with cyber-risk, than those of investment advisor firms. In response to these 2014 findings, OCIE continued to emphasize cybersecurity compliance and controls in its 2015 Examination Priorities.

The Continuing Examination Process

OCIE devised its Cybersecurity Examination Initiative to further develop its examination practices in response to ongoing security breaches and threats, and to determine the level of cybersecurity preparedness within the securities industry. This includes firms’ ability to safeguard broker-dealer customer and investment advisor client information. Public reports have found cybersecurity breaches concerning vulnerabilities in rudimentary controls often went unattended or were simply ignored. As a result, OCIE suggested that examiners collect data on cybersecurity-related controls in addition to examining the implementation of specific firm controls. To encourage improved compliance practices and to improve the SEC’s comprehension of cybersecurity preparedness, the SEC release noted that its cybersecurity initiative will emphasize the following areas: governance and risk assessment, access rights and controls, data loss and prevention, vendor management, and incident response. Below is additional information about each of the areas under consideration by the SEC:

Governance and Risk Assessment

The SEC emphasized that examiners should consider whether registrants possess cybersecurity governance and risk assessment processes in relation to the topics discussed. This could reveal whether firms are regularly examining cybersecurity risks and whether controls and risk assessment processes fit the business needs of the firm. The SEC further suggested that the degree of communication to and participation of senior management (as well as the board of directors) should be thoroughly reviewed. Communication is crucial because the board of directors, management companies, and senior managing directors often hold immense power to effect change within the organization. If they are not informed and updated on the proper cybersecurity protocols, the lack of proper cybersecurity oversight could potentially inflict considerable damage on the organization if there is a breach. Also, adequate communication enables the proper personnel to address the incident as swiftly as possible. The difference between a minor setback and a major disaster in the cybersecurity world could be a matter of mere hours, so continuous communication is a necessity.

Access Rights and Controls

Firms leave themselves especially vulnerable to data breaches if they fail to establish basic controls designed to prevent unauthorized access to private systems and data. Some examples of these important controls are multifactor authentication and updating access rights based on personnel/system changes (meaning authorized current users are given just enough access to do their jobs, but no more). It is important for examiners to review how firms control access to various systems and data through management of user authentication, credentials, and authorization methods. This may include reviewing controls in relation to remote access, consumer logins, and firm protocol when addressing consumer login issues, passwords/passphrases, network segmentation, and tiered access.

Recognizing that many recent cyber invasions to capture data or extort system operators have exploited human weaknesses that allowed access to systems, recent OCIE examinations have shown increased attention to the training provided to organization personnel. As discussed below, training to prevent successful “phishing” attacks and insertion of “malware” into systems is receiving enhanced attention.

Data Loss Prevention

Data breaches can occur due to a lack of strong controls in patch management and system configuration. To minimize data loss, the SEC suggested that examiners assess the method in which firms supervise the volume of content transferred outside the firm by its employees or through third parties. This content includes email attachments and uploads, among other things. It is also important for examiners to assess the methods by which firms watch for unauthorized data transfers and to review how firms authenticate consumer requests to transfer funds.

Vendor Management

Among the largest data breaches (prior to OCIE’s NEP Risk Alert Volume IV, Issue 8) were those that resulted from the hacking of third-party vendor platforms, the greatest threat to firms in 2015 according to Booz Allen Hamilton. Despite this threat, PwC found through its 2015 U.S. “State of Cybercrime Survey” that 23 percent of firms did not examine third-party vendors, 19 percent of CIOs had no concern for supply-chain risks, more than half of respondents surveyed did not consider supplier risks at all, and most companies did not create a process for determining the security capabilities of third-party vendors before associating with them. Of course, allowing trusted third parties to have access to the firm’s network may create real efficiencies for all parties involved, but OCIE recognized that such access could create a “back door” entry into the firm’s network using compromised credentials. Recent examinations of registered entities are now asking registrants what they do to inspect or otherwise evaluate the controls in place at vendors who are granted access to the organization’s systems, and vendors hired to operate systems, provide software, or host data for the registrant. Some of these providers, in order to enhance their own security, are reluctant to share such information with registrant-customers, but OCIE is not always satisfied with that response from the registrant.


Firm employees and vendors can benefit greatly from appropriate training on how to mitigate data risk. Data breaches can result from unintentional employee actions, such as misplacing or losing a device (e.g., a laptop, phone, tablet, etc.), viewing confidential or classified information while connected to an unsecured internet source, or opening messages/downloading attachments/clicking on links from an unknown source. To protect against these potential data breaches, well-trained employees will have location services turned on for all their devices, possess the ability to wipe the data remotely, and confirm the connection is secure (e.g., through a VPN) before viewing confidential/classified information. Finally, through regular employee training and awareness, employees should be equipped to spot suspicious downloads, attachments, links, etc. from unknown sources, and verify that they are safe before opening them. Likewise, good employee training and awareness will help employees understand the potential dangers associated with social media browsing and “watering hole” attacks.

Incident Responses and Business Continuity

In general, firms recognize the growing risk of cybersecurity threats and breaches. Management should be aware that OCIE will want to determine if firms have established policies, assigned roles, evaluated and addressed system vulnerabilities, and created plans to combat and respond to future incidents, as well as to recover from them quickly. OCIE and the SEC are now using extremely complicated data analytics to select exam targets, to focus the scope of examinations and to achieve the most efficient use of SEC resources. Organizations can use similar analyses to help decide which firm data, assets, and services (i.e., “the crown jewels”) should be assigned the most security to stop attacks from inflicting severe damage. Business continuity plans allow the firm to prioritize critical systems and get them up and running as soon as possible.

2018 NEP Examination Priorities

OCIE has published five priorities regarding the focus of the NEP for 2018. These priorities follow (in no specific order):

  1. Matters of importance to retail investors, seniors, and people saving for retirement

  2. Compliance and risks in critical market infrastructure

  3. Financial Industry Regulatory Authority (FINRA) and Municipal Securities Rulemaking Board (MSRB)

  4. Cybersecurity

  5. Anti-money laundering programs

It is prudent for individuals, companies, and firms to emphasize strengthening compliance infrastructure, especially in areas of OCIE focus. Though compliance with OCIE’s cybersecurity initiatives cannot successfully ward off all breaches, adherence to the SEC’s cyber suggestions could make firms more resilient, and hopefully more secure. Efforts that match industry best practices will help minimize the risk that the SEC will pursue more severe sanctions in the event of an unpreventable breach.

OCIE’s Continuing Focus Relating to Cybersecurity

OCIE examinations relating to cybersecurity will continue to include risk assessments, governance, vendor management, data loss prevention, access rights and control, incident response, and training. Due to this prioritization of cybersecurity, the SEC has fined organizations for ignoring responsibilities in cybersecurity procedures and policies. A common fine levied by the SEC is for the violation of Rule 30(a) of Regulation S-P, otherwise known as “The Safeguard Rule.” This rule mandates that investment companies, investment advisors, and registered broker-dealers adopt written policies and procedures that facilitate the protection of customer data. OCIE also stated that an organization can still be charged with cybersecurity-related infringements even if the client does not experience financial loss. For example, the SEC fined R.T. Jones Capital Equities Management $75,000 for its lack of cybersecurity procedures and policies relating to a breach of a third party’s web server. These fines are arguably nominal compared to the disaster that results from data breaches. Apart from the damage done to consumers, firms often must pay costly legal fees and payouts resulting from consumer lawsuits, repair their damaged reputations, and upgrade their security while investigating the breach (the latter two also being very expensive).

While following OCIE’s guidelines effectively does require time and money, doing so can not only spare companies from incurring fees if the guidelines are neglected but also help mitigate cyber risk, prevent cyberattacks, and control the damage resulting from a successful attack. If a successful cyberattack goes unaddressed, the ensuing legal fees, payouts to victims, etc. may damage an organization severely, possibly to the point of no recovery. In other words, spending some resources on cybersecurity and risk management now may significantly lower the risk of losing everything later.

Wealthy Investors Have a Big Cybersecurity Problem

Cybertheft is important to all investors, but especially to high-net-worth individuals who might have greater exposure, less knowledge and more endpoints of access for thieves, according to Aon’s Cyber Solutions CEO Jason J. Hogg.

In fact, more than half of 664 high-net-worth respondents of a 2017 Aon online survey said they had either experienced a cybersecurity event or knew someone who had.

Most interesting to Hogg was the survey's finding that 77% of respondents were concerned about risks posed to their finances by cybersecurity, and 78% were concerned about related issues on identity theft, numbers far above traditional financial worries such as market volatility (60%) or changing interest rates (39%).

“People are more concerned about cybersecurity than they are with regard to their actual wealth,” Hogg told ThinkAdvisor. “That was incredibly telling and most resonating to me.”

Five RIA Cybersecurity Myths - Busted!

From Bentley Long

In the course of my work, I regularly speak with RIAs of all sizes and AUM on cybersecurity risk management and compliance. Every firm is concerned about cybersecurity - sometimes driven by confusion about regulatory guidance, other times driven by fear of damage to the firm's reputation from a data breach.

The Investment Advisers Association recently published their 2018 Compliance Testing Survey, and for the fifth year in a row cybersecurity was the No. 1 concern, cited by 81% of survey respondents.

And yet, convincing firms to make additional investments in information security remains a challenge. I attribute a lot of the pushback to "cyber fatigue". The cybersecurity industry has done itself a great disservice by selling on fear. The result is that many firms have become desensitized to a very real and imminent danger.

The antidote to cyber fatigue is education against a non-apocalyptic backdrop. Cyber attacks are a fact of life in the 21st century; there is no choice but to address the threat. In this article, I will deconstruct some of the most common excuses that I hear for not taking action to continuously improve cybersecurity practices.


#1 - I have a Firewall and Use Antivirus Software so I'm Protected

Antivirus software and a network firewall offer the most basic elements of cyber risk mitigation. However, they are only a small piece of a comprehensive solution.

Antivirus programs rely on databases of "signatures" that screen for malware or suspicious behaviors that are known to the good actors in the software development community. That's a problem: if a threat is unknown, it can't be detected. Increasingly often, we are finding that antivirus products can take months before adding the algorithms to recognize the more complex threats, leaving endpoints unprotected. Moreover, if you don't regularly update your antivirus, or accidentally disable it, you won't be getting full protection.

The greatest threat to investment advisers is a phishing attack, and antivirus programs offer almost no protection against fraudulent emails that trick users into releasing sensitive information to attackers. The best defense against phishing emails is to conduct regular Security Awareness Training, and run simulated phishing attacks to teach users to recognize malicious emails.

A firewall is the first line of defense for your network, but needs to be regularly checked for proper configuration. If a port is opened for a vendor, or software program, and not closed then that becomes a vulnerability. Periodic vulnerability and penetration tests will detect improper configurations so that they can be fixed. Best practices would also dictate the use of Network Intrusion Detection Software (NIDS) in conjunction with a firewall, as well as Host Based Intrusion Detection Software (HIDS) and/or Host Based Intrusion Prevention Software to protect servers.
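As an added illustration of the firewall point above (not code from the article or from any vendor), the following Python audit compares the inbound allow rules exported from a firewall with a register of approved openings and their expiry dates, so a port opened for a vendor and never closed shows up as a finding. The rule and register formats, the function name, and all sample values are constructed for this example.

```python
from datetime import date

# Constructed sample: inbound allow rules exported from a firewall (hypothetical format).
RULES = [
    {"port": 443, "proto": "tcp", "source": "any"},
    {"port": 3389, "proto": "tcp", "source": "203.0.113.10"},
    {"port": 8443, "proto": "tcp", "source": "198.51.100.0/24"},
    {"port": 21, "proto": "tcp", "source": "any"},
]

# Constructed sample: register of approved openings; expires=None means permanent.
REGISTER = [
    {"port": 443, "proto": "tcp", "owner": "client portal", "expires": None},
    {"port": 3389, "proto": "tcp", "owner": "vendor remote support",
     "expires": date(2018, 3, 31)},
    {"port": 8443, "proto": "tcp", "owner": "custodian data feed",
     "expires": date(2019, 6, 30)},
    {"port": 5900, "proto": "tcp", "owner": "old helpdesk tool",
     "expires": date(2017, 12, 31)},
]


def audit(rules, register, today):
    """Return (status, proto, port, detail) findings, sorted by port number."""
    approved = {(e["proto"], e["port"]): e for e in register}
    open_keys = {(r["proto"], r["port"]) for r in rules}
    findings = []
    for rule in rules:
        key = (rule["proto"], rule["port"])
        entry = approved.get(key)
        if entry is None:
            # Port is open but nobody recorded why: treat as a misconfiguration.
            findings.append(("unapproved", *key,
                             f"open to {rule['source']}, no register entry"))
        elif entry["expires"] is not None and entry["expires"] < today:
            # Temporary opening (e.g. for a vendor) that was never closed.
            findings.append(("expired", *key,
                             f"{entry['owner']} approval ended {entry['expires']}"))
    for key, entry in approved.items():
        if key not in open_keys:
            # Approval exists but the port is closed: the register entry can be retired.
            findings.append(("not-open", *key,
                             f"{entry['owner']} entry has no matching rule"))
    return sorted(findings, key=lambda f: f[2])


if __name__ == "__main__":
    for status, proto, port, detail in audit(RULES, REGISTER, date(2018, 9, 1)):
        print(f"{status:<11} {proto}/{port:<5} {detail}")
```

Run on a schedule between the periodic vulnerability and penetration tests, a check like this catches configuration drift early; it does not replace those tests.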

In summary, antivirus and a network firewall are important pieces of your overall strategy, but they are not "set it and forget it" tools. They require periodic updates and maintenance, and must be augmented with other elements of a robust cyber strategy.

#2 - My IT Services Provider Has Addressed the SEC's Guidance on Cybersecurity

I have observed an inherent gap between IT and compliance. Managed Service Providers (MSPs) tend to view the world in terms of network security and endpoint management, while compliance officers often lack the technical expertise to advise on cybersecurity issues. MSPs often bundle point solutions from multiple vendors into a one-size-fits-all cybersecurity suite that is part of their monthly fee. The suite is designed to be industry agnostic, which allows the MSP to enjoy volume discounts and avoid the difficulty of managing multiple tools that serve the same function. This makes perfect business sense.

For RIAs, this approach is lacking since the SEC has provided very specific guidance on cybersecurity via its Office of Compliance and Inspections (OCIE). Moreover, in an SEC examination on cyber, you will be asked to produce a Written Information Security Policy (WISP) based on their guidance. You will also be asked to provide evidence that all firm employees understand and are following these policies.

Adding it up, the SEC recommends 34 specific elements for your security program which can be broken down into six subgroups: Governance and Risk Assessment, Access Rights and Controls, Data Loss Prevention, Vendor Management, Training, and Incident Response.  

MSPs are an important part of your cyber compliance plan, but at most they address some of the Access Rights and Controls, and some of the Data Loss Prevention subgroups. What about the other pieces?

In addition, the periodic risk assessments recommended by the SEC cannot be performed by the same entity that sets up and maintains your network. The assessments need to be performed by an independent third party to ensure unbiased results.

#3 - Our Business is Way Too Small to Be a Target

First of all, you work in Financial Services, which means you work in one of the top 3 industries targeted by hackers. Initiating fraudulent wire transfers through phishing can be surprisingly easy and quite lucrative.

Secondly, because you are a small business, you are more likely to have not invested in cybersecurity. This makes you an easier target.

Lastly, hackers have begun using bots and artificial intelligence to sniff out vulnerabilities on public facing networks, and can even engage potential targets in social engineering attacks. This means that hackers can scale their efforts exponentially. No one is immune.

If you want to read the sobering statistics on SMBs and cybersecurity from Ponemon Institute, you can find them here. But the bottom line is that you are an attractive target to hackers.

#4 - We Only Access Secure Portals, So Our Endpoints (Devices) Don't Need Protection

Another variant of this is, "I don't need to worry about my devices since all my data and applications are in the cloud. There's nothing valuable on them."

Au contraire. Users, and by proxy their endpoints, are the weakest link in securing your firm's sensitive information. How do you know that the endpoint hasn't been compromised when you are accessing a secure site?

Devices can be infected via a USB drive, email attachment, website, or simply connecting to an unsecured WiFi network. Once infected, the device can then transmit keystrokes and login credentials that allow the hacker to access your data in a secured portal.

Even if your applications are cloud based, many of them keep a local copy of your data to give you access when you are offline. If your email client stores your messages in a local folder, that information can be a treasure trove for hackers. It can be used to impersonate you for fraudulent purposes, as well as to phish all of your contacts, among other things.

Think about all of the devices that you use to access work applications and data. Smartphones, tablets, laptops, and desktops all need to be encrypted, monitored, and protected with antivirus and MDM software.

#5 - We Don't Need Cyberinsurance

The term "Cybersecurity" is something of a misnomer. It implies that your information can be totally secured. In reality, you reach a point of diminishing returns with point solutions. It becomes increasingly expensive to achieve marginal gains, and you can never get to 100% secure. That's why you need cyberinsurance.

Purchasing a cyber insurance policy is not tantamount to throwing in the towel on securing sensitive information. It is, rather, an acknowledgement that cyber attacks are a growing threat to your business in the same way that fire, theft, and workers comp claims are.

Many firms assume that they already have coverage under their general liability policy. This can be a costly assumption. Most traditional commercial general liability policies do not cover cyber risks, such as property damage, personal and advertising injury claims arising from access or disclosure of confidential information.

In addition, many of the cyber policies written to date are not worth the paper they are printed on. They have a long list of exclusions and high retentions (deductibles) that make them unlikely to pay out in the event of a breach.

Take the time to talk to a cyber insurer that specializes in RIAs. The time to find out about gaps in coverage is not after you have had a breach.

Myth Busting

Don't perpetuate these myths. Realize that most myths are really "partial truths". That means that these misconceptions start with a reasonable assumption, but fail to take account of the bigger picture. A comprehensive cybersecurity risk management and compliance program has multiple elements. The biggest myth is that you can find one silver bullet that will make you secure.

And remember, the threat is constantly evolving, so an annual assessment of your policies, procedures, protections, and risks is the only way to keep current. Stay safe, my friends.

States taking control of data and cybersecurity requirements

Cybersecurity continues to be a concern for government and the private sector. It has enormous implications for government security, economic prosperity and public safety.

States are addressing cybersecurity through various initiatives, such as providing more funding for improved security measures, requiring government agencies or businesses to implement specific types of security practices, increasing penalties for computer crimes, addressing threats to critical infrastructure and more.

2018 Introductions: At least 36 states, D.C. and Puerto Rico introduced/considered more than 265 bills or resolutions related to cybersecurity. Some of the key areas of legislative activity include:

Some Examples:

NEW YORK - NYDFS Cybersecurity Deadline Approaching 

COLORADO - Ramping up for Data Privacy Compliance

CALIFORNIA - California Passes Landmark Law Creating Broad Data Privacy Rights for California Residents

OHIO - Cybersecurity Safe Harbor Against Data Breach Lawsuits Becomes Ohio Law

NAPFA ADVISOR: Keep regulators happy with your firm's cybersecurity

Simply keeping your clients safe from fraud, as suggested in "6 ways to keep your client accounts safe from fraud" (page 16), is not enough to make the regulators happy with your firm's handling of cybersecurity. That was the bottom line of "Cybersecurity and Compliance Issues for RIA's," a NAPFA Spring Conference session presented by Mark Brown and Dan Konzen of Advisor Armor, a cybersecurity and compliance firm.