Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.
While many (if not most) business functions have shifted to the web and cloud apps, including IT security itself, the primary tool used by research analysts and investment managers remains stuck in IT's past: the locally installed browser. A holdover from the 1990s, the local browser has inherent weaknesses that make it notoriously difficult to manage, monitor, and secure against web-borne exploits.
This has created a growing compliance blind spot for buy-side and sell-side firms. At the same time, pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example: in FY 2018, the SEC's Office of Compliance Inspections and Examinations (OCIE) examined 17% of registered advisers, exceeding the agency's own ambitious goal of 15% for that group.
Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. A single page view on a compromised website can let malware or spyware spread through the firm's network, leading to data breaches and financial and reputational damage. A single post on a social media platform or in a chat room may invite the scrutiny of regulators.
How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:
1) SEC Enforcement: More Pressure for Investment Firms
The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.
The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.
Policing “Cyber-Related” Misconduct
The report also documents the Division's increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cyber-related cases, including cases involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 also saw the SEC's first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.
An agency-wide hiring freeze in place since late 2016 has reduced staff by about 10%, but this does not appear to have eased the pressure on regulated securities investment firms. The Division's annual report documents significant continued enforcement activity.
From a compliance perspective, one item in the "Other Noteworthy [Enforcement] Actions" section of the report may deserve more attention than it has received so far: it points to "13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk."
When regulators request such information, disparate data sources and a lack of compliance-ready IT tools may prevent firms from "promptly producing" (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it offers no unified view into a firm's activities on the web, for example when team members post on social media or pull research data from third-party aggregators.
A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, which facilitates at-a-glance compliance reviews and post-incident remediation.
Read / download:
Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]
2) Vigilant Regulators, Weak Policy Implementation
In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.
The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.
“SEC’s Enforcement Program Remains Robust”
The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.
Of particular note from the compliance and IT perspective is the report's extensive review of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC alleged failures in the firm's cybersecurity policies and procedures.
The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”