INSIGHT: Parallels in the SEC’s Approach to Cybersecurity for Market Intermediaries and Issuers

From Securities & Capital Markets on Bloomberg Law

Stay up-to-date with the latest developments in securities law through access to both news and all statutes and regulations. Find relevant corporate filings through a searchable EDGAR database. And...

 

By Vince Martinez and McNair Nichols

Introduction

When it comes to cybersecurity, the Securities and Exchange Commission (SEC) has a limited regulatory hand. First, for virtually all of its registrants, the SEC has no regulation that articulates specific cybersecurity requirements (with the possible exception of Regulation SCI, which applies to a very limited number of SEC registrants). Second, SEC regulatory processes move more slowly than the pace of technological change. Accordingly, any regulation mandating specific technological measures runs the risk of being obsolete on arrival. Despite these issues, the SEC has a relatively clear and discernable approach to cybersecurity. This article discusses how the SEC has crafted staff and interpretive guidance in lieu of regulation mandating prescriptive technological requirements in order to fashion a uniform approach to cybersecurity that is thematically consistent across its registrants, from market intermediaries (such as broker-dealers, investment advisers, and investment companies) to issuers (public reporting companies).

SEC Regulations Applicable to Market Intermediaries

Rule 30 of Regulation S-P, known as the “Safeguards Rule,” requires firms to implement policies and procedures to: insure the security and confidentiality of customer records and information; protect against anticipated threats; and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to a customer. See 17 C.F.R. § 248.30 (2004). To date, the SEC has brought most of its cybersecurity-related enforcement actions as violations of Rule 30, including most recently R.T. Jones Capital Equities Management, Inc., Investment Advisers Act Rel. No. 4204 (Sept. 22, 2015); Craig Scott Capital, Securities Exchange Act Rel. No. 77595 (Apr. 12, 2016); andMorgan Stanley Smith Barney LLC, Securities Exchange Act Rel. No. 78021, Investment Advisers Act Rel. No. 4415 (June 8, 2016).

However, Rule 30 is limited in two important ways. First, its information protection requirements apply to the information of “customers” and “consumers,” the latter of which is defined as “an individual who obtains or has obtained a financial product or service from you that is to be used primarily for personal, family, or household purposes, or that individual’s legal representative.” 17 C.F.R. § 248.3(g)(1) (2009) (emphasis added). Second, the rule specifies no means for accomplishing its objectives. Instead, it requires registrants to create “reasonably designed” policies and procedures. In other words, Rule 30 merely articulates a principles-based standard. However, a registrant must act at least negligently to violate Rule 30. See NEXT Financial Group, Inc., Admin. Proc. File No. 3-12738, at 23 (June 18, 2008). To illustrate the SEC’s difficulty in creating specific technological measures in its regulations, the SEC has tried without success to amend Regulation S-P three times.

Other applicable regulations are less specific. Rule 206(4)-7 under the Investment Advisers Act of 1940 requires registered investment advisers to adopt and implement policies and procedures “reasonably designed” to prevent securities law violations, to conduct an annual review, and to designate a Chief Compliance Officer to administer compliance policies. Likewise, Rule 38a-1 under the Investment Company Act of 1940 imposes a similar policies and procedures requirement on registered investment companies. The only indication that these rules encompass cybersecurity is that cybersecurity-related concepts―such as “[s]afeguards for the privacy protection of client records and information” and “[b]usiness continuity plans”―are mentioned among the considerations that registrants are expected to address in the preamble to the final rule. Advisers Act Rel. No. 2204 (Dec. 17, 2003). Otherwise, the mandate of these rules is a simple direction to ensure that the registrant is adhering to its obligations under the federal securities laws.

Nonetheless, it is through these broad prescriptions that the SEC staff has pursued the agency’s basic approach to integrating cybersecurity into the business processes of market intermediaries. In April 2015, the SEC’s Division of Investment Management (IM) issued a “Cybersecurity Guidance Update,” which described measures that “funds and advisers may wish to consider” regarding their cybersecurity. SEC Division of Investment Management,Guidance Update: Cybersecurity Guidance, No. 2015-02 (Apr. 2015). Most instructive is the following passage:

In the staff’s view, funds and advisers should identify their respective compliance obligations under the federal securities laws and take into account these obligations when assessing their ability to prevent, detect and respond to cyber attacks. Funds and advisers could also mitigate exposure to any compliance risk associated with cyber threats through compliance policies and procedures that are reasonably designed to prevent violations of the federal securities laws.

Id. at 2. In effect, IM is stating that although cybersecurity is not a regulatory requirement itself, it is necessary in this day and age to ensure that a registrant is able to meets its obligations under the federal securities laws. More simply put, the SEC is bootstrapping cybersecurity onto other regulatory requirements.

SEC Cybersecurity Guidance for Issuers

This same bootstrapping concept informs the agency’s approach to issuers, for whom the regulatory ties to cybersecurity are more limited. Unlike market intermediaries, the SEC does not regulate the businesses of issuers. Instead, the regulation of public reporting companies is limited to imposing standards on the quality of disclosures, books and records, and internal controls. Accordingly, the agency’s ability to integrate cybersecurity into the conduct of issuers is much less substantial.

In February 2018, the SEC issued a “Statement and Guidance on Public Company Cybersecurity Disclosures.” Securities Exchange Act Rel. No. 82756 (Feb. 21, 2018). Although, like staff guidance, it does not have the force of law or regulation, it does represent the agency’s considered views on the place of cybersecurity in issuer disclosure practices. Further, like the April 2015 IM Guidance discussed above, it creates a linkage between cybersecurity and an issuer’s regulatory obligations―in this case disclosure controls. The February 2018 Interpretation largely reiterated guidance issued by the staff of the SEC’s Division of Corporation Finance (CorpFin) in October 2011, but added a new section on disclosure controls and procedures. Most instructive is the following passage:

Cybersecurity risk management policies and procedures are key elements of enterprise-wide risk management, including as it relates to compliance with the federal securities laws. We encourage companies to adopt comprehensive policies and procedures related to cybersecurity and to assess their compliance regularly, including the sufficiency of their disclosure controls and procedures as they relate to cybersecurity disclosure. Companies should assess whether they have sufficient disclosure controls and procedures in place to ensure that relevant information about cybersecurity risks and incidents is processed and reported to the appropriate personnel, including up the corporate ladder, to enable senior management to make disclosure decisions and certifications …. When designing and evaluating disclosure controls and procedures, companies should consider whether such controls and procedures will appropriately record, process, summarize, and report the information related to cybersecurity risks and incidents that is required to be disclosed in filings. Controls and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. Pursuant to Exchange Act Rules 13a-15 and 15d-15, companies must maintain disclosure controls and procedures, and management must evaluate their effectiveness. These rules define “disclosure controls and procedures” as those controls and other procedures designed to ensure that information required to be disclosed by the company in the reports that it files or submits under the Exchange Act is (1) “recorded, processed, summarized and reported, within the time periods specified in the Commission’s rules and forms,” and (2) “accumulated and communicated to the company’s management … as appropriate to allow timely decisions regarding required disclosure.”

Id. at 18-20. Again, the agency’s approach is not to impose cybersecurity requirements directly. Nor does it seek to define specific technological measures. Instead, the February 2018 Interpretation makes the case that cybersecurity is a necessary part of a public reporting company’s ability to ensure that it is detecting disclosure-worthy cyber events, and making timely and appropriate disclosures.

Coincidentally enough, the SEC drove these points home shortly after issuing the interpretation by bringing an enforcement action for a failure to disclose a data breach. On April 24, 2018, the SEC announced a settlement under which Altaba (formerly Yahoo! Inc.) agreed to pay a $35 million penalty in response to charges that it failed to disclose a significant data breach of personal information from user accounts. SeeAltaba Inc., f/d/b/a Yahoo! Inc., Securities Act Rel. No. 10485 (Apr. 24, 2018). According to the SEC’s order, members of the company’s senior management and legal department were informed of the breach, but the company nevertheless failed to “properly assess the scope, business impact, or legal implications of the breach.” Id. at 6. In short, this is an instance of an asserted failure to properly implement controls reasonably designed to ensure that material information is timely and effectively disclosed. That fact was made clear by Jina Choi, Director of the SEC’s San Francisco Regional Office, who stated in the accompanying press release that “Yahoo’s failure to have controls and procedures in place to assess its cyber-disclosure obligations ended up leaving its investors totally in the dark about a massive data breach. Public companies should have controls and procedures in place to properly evaluate cyber incidents and disclose material information to investors.” SEC Press Release, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (Apr. 24, 2018).

How Will the SEC’s Approach to Cybersecurity Unfold over Time?

It is difficult to predict how a regulatory approach grounded in staff and interpretive guidance coupled with the indirect application of principles-based regulations will manifest itself. Still, recent SEC staff practices offer some important clues.

With respect to market intermediaries, the SEC has been signaling its expectations for a little over four years. Beginning on April 15, 2014, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a “Risk Alert” announcing its first “Cybersecurity Initiative,” the results of which it announced publicly on February 3, 2015 in a subsequent Risk Alert. OCIE issued another Risk Alert to announce a second “Cybersecurity Examination Initiative” on September 15, 2015, which also led to published results on August 7, 2017. All of these Risk Alerts can be found on the SEC’s website. Attached to the Risk Alerts announcing each initiative was an Appendix which listed specific questions and topics that firms could expect to encounter in an OCIE examination that included a cybersecurity component. These Appendices were based in part on the February 12, 2014 “Framework for Improving Critical Infrastructure Cybersecurity,” issued by the National Institute of Standards and Technology. Both Appendices were offered by OCIE with the stated purposes to “empower” and “assist” firms in evaluating their own cybersecurity preparedness. Significantly, the guidance articulated in the Appendices became more precise and prescriptive over time, venturing from general questions about policies and procedures to specific questions about controls and documentation.

While OCIE’s guidance is a laudable effort to help firms increase their cybersecurity preparedness, it carries potential risks; namely, it can create de facto standards with respect to policies, procedures and technological measures that firms must become familiar with, and upon which they may be judged. In other words, these staff-created measures may well become the standards by which “reasonably designed” policies and procedures are evaluated.

Certainly, recent enforcement actions for violations of the Rule 30 of Regulation S-P reflect an intention to define “reasonable design” in light of failures to apply specific technological measures including encryption, access restrictions and monitoring controls. See R.T. Jones at 3; Morgan Stanley at 5-6. It is fair to predict both that cybersecurity examination components will become more frequent and detailed, that enforcement actions will not be limited to firms that have been attacked (e.g., Craig Scott), and that OCIE and the Division of Enforcement will find deficiencies and violations based on concepts articulated in staff guidance.  MORE

 

Cybersecurity Is Still Advisors' Top Compliance Worry: IAA Poll

Other notable concerns are the SEC’s Advertising Rule and new Form ADV disclosures.

Cybersecurity continues to be registered investment advisors’ top compliance challenge, with 81% of advisors polled in a just-released Investment Adviser Association survey placing it at the top of their list, the fifth year cyber has held the spot, and nearly two-thirds indicating that their firms increased compliance testing in this area over the past year.

IAA’s 13th annual poll, the 2018 Investment Management Compliance Testing Survey, conducted jointly with ACA Compliance Group, found that other compliance hot topics include complying with the Securities and Exchange Commission’s Advertising Rule as well as the new disclosures relating to separately managed accounts on Form ADV.

The poll found that advisors are concerned about findings raised in the SEC’s September 2017 Risk Alert, which detailed deficiencies examiners found in Advertising Rule compliance. Advisors are also bracing for the SEC’s potential amendments to the Advertising Rule.

As Sanjay Lamba, IAA’s assistant general counsel noted in a recent legal brief, the agency’s Advertising Rule “has been on the books substantially unchanged for nearly six decades!” The good news, he says, is that the SEC’s regulatory priorities for 2018 include amending the rule to “enhance marketing communications and practices by investment advisors.”

Other areas of concern related to custody, identified by 28% of survey respondents, as well as issues relating to privacy.

Compliance professionals at 454 investment advisory firms participated in the survey.

The survey found that the majority of CCOs (66%) continue to wear more than one hat, with 20% also serving in some legal capacity.

“Among the many key takeaways of this year’s survey is that the job of a CCO is becoming more complex and varied, as demonstrated by the wide range of legal and compliance areas CCOs are responsible for, with new ones being added every year,” said Karen Barr, IAA’s president and CEO, in releasing the survey findings.

Enrique Alvarez, senior principal consultant at ACA, added that “as with previous years, we found that the role of the CCO and compliance in general has continued to grow in complexity. This is mostly due to regulatory changes and the expanding scope of responsibilities that compliance teams have taken on.”

To address this, he continued, “we found that participants are not adding more resources and instead are implementing and using technology and service providers to fill the gaps where needed.”

Other notable findings were:

Cryptocurrency: Despite the SEC’s recent focus on issues relating to cryptocurrency, virtually all survey respondents reported that their firms do not trade in cryptocurrency. A majority of survey respondents reported that their codes of ethics relating to employee trading do not contemplate cryptocurrencies; only 10% require pre-clearance for initial coin offerings.

Cybersecurity: Eighty-three percent of firms reported conducting cybersecurity assessments, including software patches (76%), network penetration tests (73%), and vulnerability assessments (72%). Nearly two-thirds of respondents increased the type, scope and/or frequency of compliance testing in the area of cybersecurity. A common response to how firms have enhanced their cybersecurity program is that they now conduct phishing tests of employees.

Form ADV amendments: When asked about the most onerous part of preparing the new Form ADV, disclosures relating to separately managed accounts (SMAs) came in first — specifically, increased SMA reporting of derivatives and borrowing (37%), determining the classification of investment types held in SMAs (21%), determining what is an SMA for purposes of Form ADV (13%), and disclosures relating to SMA custodians (7%).

ESG: Forty-six percent of respondents do consider environmental, social and governance (ESG) factors in managing client portfolios; 27% of “ESG advisors” signed to the United Nations-supported Principles for Responsible Investment (PRI) Initiative and 10% are considering doing so.  MORE

SEC Prioritizes Data Security and Expects More Mature Cybersecurity Programs

Investment advisers and broker-dealers can expect more scrutiny of their data security from the Securities and Exchange Commission. Our Cybersecurity Preparedness & Response and Investment Management, Trading & Markets teams explore how multiple SEC divisions will be assessing capital market participants’ cybersecurity risk management.

  • Be sure to inform your investors of cyber risks
  • Practical considerations
  • The GDPR and global reach of regulators

In the first half of 2018, the Securities and Exchange Commission (SEC) has reaffirmed its focus on data security and the importance of cybersecurity preparedness through its draft Strategic Plan for fiscal years 2018 through 2022 and interpretative guidance for public company disclosures. Taken together with preexisting guidance, it is clear that the SEC expects more mature cybersecurity programs from its registrants and that it will continue to prioritize data security as fundamental to the U.S. capital markets and market participants.

Multiple divisions and offices of the SEC have now provided guidance and a series of risk alerts regarding its cybersecurity regulations, including the Office of Compliance Inspections and Examinations (OCIE), Division of Investment Management, and, most recently, Division of Corporation Finance. In addition to numerous speeches by commissioners and division directors and an enhanced website, the SEC’s approach to cybersecurity risk management and compliance continues to leverage existing regulations and statutes to police market participants’ preparedness and responses to new and emerging cyber threats.

Because of the importance of “data collection, storage, analysis, availability, and protection,” market participants can expect the SEC to continue to use all tools at its disposal to ensure that market participants “are actively and effectively engaged in managing cybersecurity risks” for the foreseeable future. In addition, the SEC will seek to ensure that market participants as well as public companies “are appropriately informing investors and other market participants of these risks and incidents.” For instance, public companies are expected to disclose material risks and material cybersecurity events, a process that usually depends on internal procedures and controls for assessing materiality and disclosure thresholds. For public companies not otherwise subject to OCIE examination, the SEC has limited its activities to the oversight of disclosures via enforcement action in cases where it has deemed the disclosure of a material cybersecurity event to have been inadequate.

Investment Advisers and Broker-Dealers Under Scrutiny

Written guidance, OCIE examinations of investment advisers and broker-dealers, and the increasingly active Division of Enforcement’s Cyber Unit are the key ways the SEC is addressing cybersecurity preparedness for its registrants. In recent remarks, SEC Chairman Jay Clayton reiterated the work of the Division of Enforcement’s Cyber Unit, and in particular noted that intrusions into online retail brokerage accounts are an area of focus for the specialized unit. Coupled with the FBI’s recent release of its 2017 Internet Crime Report, it is clear that both regulators and law enforcement are focused on cybersecurity threats that rely on investment services platforms and resources to target or harm the investing public. For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cybersecurity programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors and other market participants, as discussed below.

Over the last three years, the SEC has sanctioned firms for a range of specific alleged cybersecurity-related violations. These have included the reliance on ineffective limitations on access rights that failed to prevent a firm employee from inappropriately accessing confidential customer data and for failing to audit or test those limitations to access rights. Other allegations have included the failure to conduct periodic risk assessments, employ firewalls to protect servers that contain sensitive personally identifiable information (PII), encrypt PII at rest, and establish procedures for responding to a cybersecurity incident. The SEC has also brought an action alleging that an adviser’s policies and procedures failed to designate a responsible supervisor and address how customer records and information are to be handled when transmitted, were incomplete, and were not tailored to the actual practices of a firm.

The SEC continues to be focused on technology-based market disruptions as well. In June 2016, the Division of Investment Management released guidance following an August 2015 market disruption caused by a systems malfunction at a financial institution that affected hundreds of mutual funds and exchange-traded funds. The SEC guidance noted that “some funds could have been better prepared for the possibility that one of their critical service providers would suffer an extended outage.” The guidance suggested that advisers of fund complexes, CCOs, and fund boards should reexamine their oversight of critical service providers as they strengthen their business continuity and disaster recovery plans, with a particular focus on communications protocols across the fund complex, with the board, and externally with the affected service provider and other stakeholders. The guidance highlighted the importance of understanding how the business continuity plans of the critical service providers relate to the fund and how that impacts the fund’s backup procedures. Finally, the guidance suggested that funds consider how a variety of critical service provider disruptions could impact fund operations and investors and to be prepared to manage the response, whether the disruption occurs at a critical service provider or at the fund itself.

MORE

Five Ways to Improve Compliance—And Not Feel Overwhelmed

Abiding by expanded regulations will take more time, input, effort and oversight—said differently, maintaining the status quo will require more investment.

Compliance is a constant struggle in the financial services sector. As soon as one audit is done another arises, locking brokers into an endless effort with hefty consequences for failure. And that effort evolves and expands with new communication tools.

Every year, FINRA evaluates about 10 issues to consider for updated regulation. This year, that list includes both anti-money-laundering initiatives and the issue of suitability. Depending on how new regulations shake out, brokers and financial advisors could face burdensome requirements for data management.

Detecting money laundering requires massive amounts of data, which advisors will have to capture and store. Detection also requires access to any and all relevant business communications, which creates another archiving obligation. In order to prove to regulators that nothing untoward is occurring, financial professionals already provide a lot of verification.

Proving that investments are suitable to a client based on fiduciary principles creates a similar burden. Brokers use all manner of electronic communication to provide clients with recommendations. Saving all these communications demonstrates to regulators that every recommendation is, in fact, suitable. As baby boomers become the “Silver Tsunami,” the issue of suitable, late-life investments for seniors will likely be a priority for regulators and investors alike.

 Regulators Aren’t the Only Risk

There is a whole raft of regulators who mandate and monitor that financial service providers are archiving their information properly—SEC, FINRA, DOL and state governments. Each has its own mechanisms to apply pressure, but the most common is to levy fines.

Some companies consider regulatory fines to be the cost of doing business. That attitude may change as the cost rises. In 2016, FINRA issued $173.8 million in fines to broker/dealers, which was an 85 percent increase over the previous year. Any cost rising that fast will create financial strain.

There is also the remote but still real risk of having a trading license revoked. That would happen for only an especially egregious offense, but it would effectively put a trader out of business. And even though regulators tend to threaten this action rather than actually revoke licenses, it still underscores the danger of not getting regulatory requirements right.

Finally, there is the client cost to consider. Clients are understandably sensitive when their own data is involved. Learning that their trusted broker/dealer failed to archive important communications and comply with security standards raises troubling questions about security overall, not to mention ethics. It’s not a surprise that clients tend to flee from brokerages that are on the wrong side of regulators. 

Consistent Compliance with Less Time and Effort

Brokers find themselves in a tricky position. Compliance is a requirement, but it’s also a workload. Abiding by expanded regulations will take more time, input, effort and oversight, said differently, maintaining the status quo will require more investment. The key is to look for evolving approaches to compliance that will satisfy regulators without overwhelming brokers and their staff. Here are some suggestions: 

  • Revise Written Supervisory Procedures Regularly. Because WSPs essentially dictate every aspect of the broker-client relationship, they must incorporate any new rules related to electronic communications. Reviewing these documents and updating them as needed is recommended semiannually, but a quarterly review is ideal. Relying on a supervision interface ensures that updates are applied across client groups and to all relevant WSPs. Without this asset, it may be prohibitive or impossible to make revisions as often as required. 
  • Work with a Group of Peers. Every broker can struggle with compliance, and perfection is unattainable. This is especially true when new and unfamiliar regulations hit the books. Partnering with a regional FINRA group or another association of peers allows participants to discuss revisions and share issues, ideas and approaches. That way, an individual broker’s approach evolves in parallel with the best practices of the industry.
  • Bring in a Consultant. Financial experts are not experts in financial regulations. Bringing in a consultant ensures that brokers don’t suffer because of a lack of in-house resources or planning that takes place in a vacuum. Consultants specialize in regulatory minutiae, work with multiple brokerages and offer realistic solutions. Partnering with counsel is often essential and always an asset. 
  • Implement New Tools. Tech vendors have designed a number of tools specifically to meet the information-collection mandates placed on the financial services sector. If the old approach to compliance was already inconsistent or ineffective, it won’t accommodate new requirements. Finding a vendor who understands these pain points and can engineer solutions to accommodate them is essential.
  • Respond to the Regulators. Take advantage of the fact that regulators are eager to improve stability and security, not to act punitively. If regulators offer a warning before a fine, it can empower brokers to improve their approaches to compliance.

It’s uncertain when new regulations will hit the books or what forms they will take. What is certain, however, is that new rules are coming. European regulators recently updated requirements to include the archiving of voice. Similarly, the U.S. will make updates to adjust to the way brokers are communicating.

Regardless of the regulations that will follow, information preservation is clearly a global financial priority. It’s up to brokers and advisors on how they will approach compliance and whether they will take advantage of new tools and best practices to better serve their clients and their business. MORE

Cyber assailants targeted in important new security sweep

The skill and sophistication of attackers are often outpacing firms' ability to protect themselves

According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cybersecurity sweep, with a focus on registrants' data loss prevention, oversight of third-party service providers and incident response planning. 

 

And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.

In the wake of minor malware attacks just five years ago, a newer breed of cyberthreats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted "spear-fishing" attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. An example of the latter includes organized crime rings that search social media sites to identify financial industry executives such as hedge fund managers, to compromise their accounts. 

Equally as clever, criminals often create fake email accounts that are very similar to those of their targets, changing just one letter in the email address, an activity referred to as "typo-squatting." 

Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant, with wire transfers ranging anywhere from hundreds of thousands to millions of dollars irretrievably lost. 

For cryptocurrency funds, the cyber stakes may be even higher. Not only are individual criminals involved, but organizations and countries like Korea are being traced to crypto-cyber malfeasance. 

 

The skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. "Some simple security practices and operational precautions related to the collection and storage of personally identifiable information — a top regulatory priority — will go a long way to mitigating regulatory and even litigatory issues should a breach occur," Mr. Brice said.

Another regulatory focus area involves third-party service providers. When companies engage information technology service providers, they should review their cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data. 

"Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well," Mr. Brice explained. 

Thus, even firms that are making their best effort to minimize cyberrisk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are dealing with. For instance, cyber insurance policies rarely cover wire transfers, Mr. Brice added. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place. 

As outlined in their respective 2018 examination priorities notifications, the Securities and Exchange Commission and the Financial Industry Regulatory Authority Inc. are focusing their resources on examining the quality of registrants' written cybersecurity policies and procedures. 

 

In February, the SEC issued guidanceto encourage companies to assess the sufficiency of cybersecurity policies and procedures in part to satisfy federal securities law disclosure obligations. One goal of the guidance is to prevent directors and other insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that information. 

An important part of a firm's cybersecurity plan, vulnerability assessments and supporting penetration testing, or pen tests, aim to reveal security weaknesses before attackers do. The SEC allows leeway as to how firms conduct cyber pen testing but expect registrants to engage third-party experts to assist in this process. Doing so ensures both the quality and independence of testing results. 

The cybersecurity plan must be customized to each firm and encompass a holistic approach to periodically assess, remediate and test the organization. Many firms engage cyber experts and compliance professionals to develop a cybersecurity plan as part of the compliance program. 

Experienced professionals can ensure that a registrant's compliance program and cybersecurity plan address regulators' top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant's risk profile. 

The costs of retaining experts entails cost upfront, but those costs could be far outweighed by the reputational and financial impact of a breach. Moreover, it will help firms maintain an audit-ready posture.  MORE

SEC outlines cybersecurity changes after probe of EDGAR hack

As the SEC brings to a close its review of the 2016 breach of its EDGAR filing system, the commission is proposing reforms to its cybersecurity practices and also says it is investigating whether anyone gained from illicit trading activity based on the hacked information.

In testimony submitted to the House Financial Services Committee, SEC Chairman Jay Clayton outlined changes the commission is putting in place in response to the incident. He acknowledged that the SEC is still working to get its house in order on the cyber front as it prods the firms that it oversees to take steps to shore up their own systems.

"I want to continue to work with companies and the investing public on how we should be approaching this issue," Clayton told members of the committee.  MORE

YOU’VE BEEN BREACHED: EIGHT STEPS TO TAKE WITHIN THE NEXT 48 HOURS

INTRODUCTION

“A data breach itself is the second worst possible event that can occur in an organization; the mismanagement of the communication about the response is the worst.” This observation comes from Exabeam chief security strategist Steve Moore, who has tracked criminal and nation-state adversaries and led the largest healthcare breach response in history. Moore added that the time spent on a breach, including audit, regulatory, and litigation support, can last not months but years.
I previously covered 5 ways you can prepare for a breach, which can help reduce risks. If a breach still occurs despite those precautions, however, here are eight things you should do within 48 hours to manage and contain the situation as best as you can.  Regardless of the type of breach, these steps should apply—whether it involves a single device, a series of
systems, or a company-wide intrusion.  MORE
 

 

SEC Chief Clayton Wants More Funds for Advisor Exams

The Securities and Exchange Commission would use some of its $1.6 billion budget request for fiscal 2019 to restore seven positions to its Division of Investment Management to help advance “investor-focused rule-writing priorities,” such as its standards of conduct proposal for investment professionals, the agency’s chairman,  Jay Clayton, told lawmakers on Tuesday.

Clayton told members of the Senate Appropriations Subcommittee on Financial Services and General Government that the agency is going to “take at least the 90 days” for comments on the three-pronged advice standards package, “but I’m not going to take forever. This issue has been out there a long time, and I think it’s time to bring a focal point for the many regulators in this space.”

The FY 2019 funding would also be used to help the securities regulator to “continue to increase investment advisor examination coverage levels, while at the same time being careful to avoid decreasing examination quality,” Clayton said.

The funding, he continued, would restore 24 positions within the SEC’s National Exam Program, including six additional staffers for its Technology Controls Program, “which monitors critical securities market infrastructure for significant cyber events and outages. I believe this area will continue to warrant close attention, and I have shared these views with other regulators, particularly in areas where we have overlapping responsibilities and oversight.”

Cybersecurity, Clayton told the lawmakers, also continues to be “a priority area,” and the funding request would provide additional staff positions to enable the agency “to expand its cybersecurity protections, particularly with regard to incident management and response, advanced threat intelligence monitoring and enhanced database and system security, and to focus on the security of specific systems.”

The budget request, he continued, would allow the SEC to hire additional staff positions under the chief risk officer — a new position — “to strengthen and advance the agency’s risk management capabilities.”

Julie Erhardt was named on May 31 as acting chief risk officer, to serve while the agency completes its search to fill the new position.

The chief risk officer post, Clayton told the lawmakers, is a “step to strengthen our cybersecurity and risk management efforts.”

Erhardt will coordinate the SEC’s efforts to identify, monitor and mitigate key risks across the commission’s divisions and offices.  MORE

This is the No. 1 cybersecurity threat to financial advisers, experts say

Phishing, or sending emails from supposedly reputable companies in order to get individuals to reveal personal information, leads the list of scams

Phishing, the fraudulent practice of sending emails from supposedly reputable companies in order to get individuals to reveal personal information, is still the biggest cybersecurity threat financial advisers and their clients face in 2018, according to a panel at the Financial Services Institute annual meeting in Dallas on Tuesday.

"Let's be honest, phishing by far is the biggest threat in our adviser world," said Annie Groleau, compliance officer for cybersecurity at Securian Financial Services Inc.

Last July, the Financial Industry Regulatory Authority Inc. issued an investor warning for people looking for jobs that individuals claiming to be involved in the hiring process for legitimate organizations — including Finra — have turned to Skype and other online video call platforms as a way to phish for personal information and money.

According to Finra, scammers also may use fraudulent emails or copycat websites to get unsuspecting consumers to provide valuable personal information, and then use it to steal their money or identity.

"Phishing tends to be number one out there and I still think it's going to be number one," said David Kelley, surveillance director in the Kansas City office of Finra. "You may think that's a minor thing, but it's so easy for the bad guys to find something to initiate a phishing attack."  MORE

New Cybersecurity Laws Provide Direction, and Hurdles, for Advisors

States are developing their own cybersecurity regulations. Here's what advisory firms should know.

 

As a report from Accenture laid out earlier this year, not only are financial services firms targeted by cybercrime more than any other sector, but breaches have actually tripled over the past five years. Technology has revolutionized this sector, but in doing so, it has opened financial advisors and other industry professionals to threats and liabilities in ways never before imagined. Potential consequences range from the unnerving to the catastrophic.

The Cybersecurity Regulation Benchmark

Fortunately, advances in codifying a defense system to protect the industry from these incursions are also developing at a rapid pace. As with much of this nation’s critical legislative framework, the impetus for development in this area comes from the state rather than the federal level.

In fact, New York state began the charge in this area with their cybersecurity regulations, first announced and published in September 2016. The steps specified by these first-in-the-nation cybersecurity rules establish quite an exhaustive checklist for protection:

  • Requiring the development of cybersecurity programs and policies
  • The undertaking of periodic risk assessments
  • The appointment of a chief information security officer
  • Imposing technical security requirements
  • Adding record keeping, compliance, oversight and incident reporting requirements.

Those covered by the New York regulations will be required to be in compliance with all its sections by March 1, 2019, while meeting milestones in the interim as well.

More states are beginning to firm up their requirements around safe operations in this area. In fact, in the summer of 2017, Colorado and Vermont published regulations patterned on New York’s, and legal thinking is that the popularity and adoption of these regulations will continue to snowball as time goes on.

While New York’s regulations, and those structured in their likeness, do require a marked commitment to fulfill, they also go a long way toward clarifying the situation regarding cybersecurity in this industry in the aggregate.

A Focus on Cybersecurity

Both the Financial Industry Regulatory Authority (FINRA) and the Securities Exchange Commission (SEC) have stressed the importance of advisors placing a focus on cybersecurity. However, they have not codified their intentions on the matter to a large extent.

FINRA has laid down certain rules in the area of post-incursion activity but has been light on defensive measures; the SEC, meanwhile, is focused on enforcement actions to target and hold accountable cyber-related misconduct. The state-driven mandates fill the gap by clearly illuminating the finish line — at least, where it stands today.

So, given that compliance is the coming trend, there is no time like the present to begin moving toward an accord with these standards. The level of actual difficulty that you can expect to have meeting the bar set by the New York state regulations varies, depending on the size and culture of your practice.

Advisors and Cybersecurity

Large advisories, for example, may find that the first step in embracing an environment that is forward-thinking with respect to cybersecurity is in hiring a chief information security officer who can spearhead the charge toward compliance in all areas. Smaller advisories, meanwhile, may want to consider hiring a third-party service provider to guide your activities.

If you are a small practice, don’t make the mistake of thinking that these rules either do not apply to you or that surely cybersecurity dangers will not threaten your activities. In fact, while some sections of New York state’s regulations exempt smaller covered entities from compliance, the majority of the standard set by the New York State Department of Financial Services requires compliance from every firm, regardless of size.

Across the board, the vulnerability of small businesses to cybersecurity threats is anything but small — and that includes financial services firms. In fact, a recent report from Ponemon Institute noted that small- and medium-size businesses are particularly vulnerable to cyber attacks: 61 percent experienced an attack in 2017, and 54 percent experienced a data breach. When you consider these statistics together with the fact that the same report states that the financial services industry is the highest-targeted sector, it is clear that regardless of your business’ size, it’s important to take measures quickly.

Regardless of which course you choose to pursue with your cybersecurity planning, it is also a good idea to review your errors and omissions insurance while you are at it. Check to ensure that your current policy includes a cybersecurity rider, and if it does not, make the upgrade. Among other things, this rider could prove critically important in the unfortunate event of a breach at a third-party service provider, limiting your liability if your clients’ personal information is disclosed through no fault of your own.

With every advance comes additional responsibilities. Internet-based technology enables progress in many respects for financial advisory clients. Now, it is time to commit to their safety in light of this progress and, while doing so, invest in your own safety as well.  MORE

NASAA Releases 2018 Investment Adviser Annual Report

 

Recently, the North American Securities Administrators Association ("NASAA")released its 2018 Investment Adviser Annual Report which is its first ever "annual report identifying the contours of the state-registered investment adviser population and the related regulatory activities of state securities regulators." While the report highlights the previously released top registered investment adviser ("RIA") regulatory compliance deficiencies by category, it also provides a wealth of valuable data about the total number and characteristics of both state and federally-registered RIA firms. In addition, the report summarizes the work of the various NASAA project groups including cybersecurity and technology, operations, regulatory policy and review, resources and publications, and training.

Of particular note is that 25% of examined firms were deficient in cybersecurity compliance practices.  This is likely understated as well considering this being the first time examined and the relative immaturity of examiners in this area.

Download Our Free RIA Cybersecurity Compliance Checklist

General Data Protection Regulation Affects Investment Advisors with EU Clientele

The European Union (“EU”) recently enacted the General Data Protection Regulation (“GDPR”) which will take effect in May 2018. The GDPR is a sweeping regulatory regime designed to protect the personal data of EU residents (i.e. natural persons residing in the EU) and to give them control over their personal information. Although the regulations were enacted in the EU, any entity around the world that processes the personal data of EU residents is subject to the GDPR. In other words, any investment advisor with clients in the EU must comply with the GDPR.

Penalties for violating the GDPR can be quite punitive, with fines up to €20 million or four percent (4%) of an entity’s annual worldwide revenues. Given the wide reach and potential consequences of non-compliance, it is important that investment advisors with EU clients be aware of the GDPR’s requirements and have proper programs in place to adequately safeguard the data that falls within its ambit.

U.S. federal and state law requires businesses to safeguard the personal data of their clients. Under the Gramm-Leach Bliley Act, financial institutions must adopt security measures to safeguard client information (as with the GDPR, this requirement applies to clients who are natural persons). Pursuant to the Gramm-Leach Bliley Act, the SEC released Regulation S-P, which sets forth the privacy policies that an SEC registered investment advisor must adopt to adequately protect the non-public information of its clients (investment advisors not registered with the SEC must comply with the Safeguards Rule promulgated by the FTC). Such policies include: the adoption of written policies and procedures, the identification of potential risks that could compromise confidential information and the periodic assessment of compliance procedures to ensure that adequate protections are in place. While the requirements of Regulation S-P will likely overlap with some of the provisions of GDPR, the GDPR will also impose additional requirements on investment advisors with respect to their EU clients.

Rather than providing a checklist of action items deemed to be adequate safeguards of personal data, the GDPR identifies a set of principles including data security, accountability, lawfulness, purpose limitation and data minimization. Given the general nature of the principles, the method of compliance with the GDPR is open to interpretation. EU Member States are currently adopting laws and regulations that implement the GDPR principles.

Although the GDPR does not provide much specific guidance for compliance, particularly for investment advisors outside of the EU, investment advisors can take concrete steps right now to better prepare themselves. These steps include the following:

  • One of the key components of the GDPR is that EU individuals must provide their affirmative consent for their personal data to be used. Obtaining such individuals’ general permission to use their personal data will not be sufficient; rather, these clients must consent to the specific intended uses. Subscription agreements may need to be updated to ensure that client consent is given in the appropriate manner with representations that adequately specify the potential use of client data (e.g., to satisfy KYC obligations).
  • All personal data of clients must be accurate and up-to-date. Investment advisors should take an inventory of their client data and update it as necessary to ensure that all information is current and correct. While it remains unclear how frequently such an inventory will be required under the GDPR, a good starting point is for investment advisors to review such information in the course of their next regularly scheduled compliance review.
  • Investment advisors should ensure that their service providers are aware of the GDPR and that they are taking the appropriate steps to implement the Regulation. The GDPR requires that personal data may be processed only within the parameters of clear instructions with respect to such data. Contracts with third party service providers may need to be amended to reflect the new requirements.  MORE

NASAA Releases Snapshot of State Advisor Landscape, Including Top Exam Infractions

At public policy event, NASAA President Joe Borg shares his views on cyber, crypto currencies, fintech, and other hot topics

The North American Securities Administrators Association released its  first annual report Monday, providing a snapshot of state-registered investment advisors, their top exam deficiencies — including cybersecurity-related infractions — and the priorities of state securities regulators.

As it stands now, there are 17,688 state registered advisors, the report says — 44 more than last year — with 78% of state-registered advisors being part of shops with one to two people.

The top five states with the most state-registered advisors are California, 2,998; Texas, 1,279; Florida, 1,099; New York, 876; and Illinois, 778.

The top five exam-deficiency categories for advisors last year, according to the report, were books and records, 64.6%; registration, 54.3%; contracts, 45.4%; fees, 27.2%; and custody, 27.2%.

The report states that cyber-infractions “made its debut as a deficiency category and came in a close sixth place,” with state securities examiners reporting almost 700 cybersecurity-related deficiencies during 1,200 examinations of state-registered investment advisors in 2017.

The top five infractions were: no or inadequate cybersecurity insurance, no testing for potential cybersecurity vulnerabilities, inadequate procedures with securing or limiting access to devices, failure to retain an IT or technology consultant, and inadequate procedures related to hardware/software upgrades.

Joe Borg, NASAA president and Alabama Securities Commissioner, explained at NASAA’s public policy event in Washington Monday that cyber is “always going to be a big issue for regulators.”

Robert Cohen, head of the Securities and Exchange Commission’s Cyber Unit (created last fall with 30 employees in five offices), said at the event that the unit is focused on three key areas: digital assets, trading-related cyber issues and cybersecurity.

The regulatory group sees “more and more trading misconduct having cyber issues in it, and often that conduct is coming from overseas,” Cohen explained. As for cybersecurity reviews, these involve “controls at financial institutions that the SEC regulates and also cybersecurity issues at public companies,” he said.

NASAA’s Cybersecurity and Technology Project group created a cybersecurity checklist for advisors last year. The self-assessment lets small firms identify, respond and recover from cybersecurity weaknesses; it mirrors the National Institute of Standards and Technology (NIST) framework.

According to its report, NASAA’s Cybersecurity and Technology Project Group will “continue to monitor the industry in the area of cybersecurity, develop and reassess practices and procedures.”

Crypto Currencies

The “idea of digital currency is probably here to stay,” Borg said, adding that “regulation always follows technology.” Blockchain “certainly is here to stay,” he continued.

“I think the crypto currencies, possibly down the road, backed by U.S. government control [and] proper IDs, might have some space,” he explained; Initial Coin Offerings could serve as a way to raise funds, “assuming you comply with the securities laws, the commodities law and the money transmitter laws.

At some point, Borg surmised, “there’s going to be some regulation that says ‘here’s the path forward.’”

Borg added: “I do think that digital currencies are here to stay, I just can’t say it’s the ones that are here now.”

Fintech as a disruptor is really “an evolution,” he said, stating that state securities regulators will be performing “basically the same jobs we’ve done with new tools” in a decade.

NASAA’s Project Group, in collaboration with the Operations Project Group, is now working to develop new tools for examiners that provide information for better assessment of unethical business practices, fiduciary duty and advertising, the report notes.

The Project Group also conducted extensive research into investment advisor policies and procedures, including the need for more guidance regarding supervision, compliance, ethics and cybersecurity.

Another priority for state securities regulators this year, according to Borg, is voicing their opinions on the Securities and Exchange Commission’s new conduct standards — namely Regulation Best Interest, which “is a good first start,” but “has a long way to go.”

Borg and state securities regulators will also be watching H.R.5037, the Securities Fraud Act of 2018, which he told The New York Times ”is going to put investors at not only a disadvantage, but deep in harm’s way.”  MORE

 

Is the cybersecurity threat real?

Most of us have heard the news and seen the headlines about yet another cybersecurity or data hacking incident. 

Some of us may even have been affected directly, either working in a company that has been a target, or having had our own data hacked and made public.

Companies including Equifax and Uber have been the high-profile victims of data breaches, while even public sector organisations, such as the NHS have fallen victim to hacking.

But is the cybersecurity threat real?

Surely, these companies simply were not prepared enough for such incidents and had not invested in the right systems. 

But perhaps what this shows is that if it can happen to large companies and corporates, then the chances are it can affect a business of any size, including small financial planning firms.

Data loss

“The threat is real, and an attack should be considered to be inevitable at some point; only the extent, the seriousness of the disruption, and the reputational risk are variables,” warns Mark Ehlinger, head of regulatory and professionalism services at Focus Solutions.

Figures from the Financial Conduct Authority (FCA) show reported data hacking attacks against financial services companies quadrupled in the past year, according to RSM.

RSM obtained the figures from a Freedom of Information request and reported them in February 2018.

It reveals incidents of loss of data resulting from hacking rose from four in 2016 to 17 in 2017 and there were also two separate incidents of ‘data leakage’ reported to the regulator.

The retail banking sector suffered the highest number of reported attacks at 17 last year, followed by retail lenders at 16 and investment management firms, also at 16 and there were a further 11 incidents reported to the FCA by insurance firms.

 

 

Source: FCA/RSM

Steve Snaith, technology risk assurance partner at RSM says: “We have previously raised concerns that there is likely to be significant under-reporting of cyber attacks by regulated financial services firms. Nevertheless, these new numbers do reveal some important trends.

“The jump in incidents of data loss resulting from hacking attacks should be particularly concerning to the financial services sector, given we are just months away from the new GDPR regime coming into force.”

Where any data is held, a cybersecurity threat is real, Steve Casey, marketing director at Square Health notes, and that includes financial adviser firms.

“A financial planning firm could hold all types of data, including possibly medical data in the form of a copy of an application form, so an obvious example would be to steal this data and then publish this on the web,” he explains.

If adviser and financial planner firms are not concerned about the threat, then they should be and GDPR is the perfect opportunity to demonstrate they are doing something about it.

Jon Szehofner, observes that risk managers are worried about cybersecurity and for good reason.  MORE

Complacency Is Weakest Cybersecurity Link: Dalbar/ThinkAdvisor Study

The State of Authentication in Financial Services report highlights what advisors need to ask partner institutions in order to best protect client data and assets from potential cyber vulnerabilities.

Despite the increasing fear Americans have of personal and financial information being stolen, most financial-services firms have been complacent on updating or implementing state of the art — or even basic — cybersecurity technology, according to a recent study by Dalbar/ThinkAdvisor, “The State of Authentication in Financial Services.”

The most significant finding of the research is “generally how passive people are about the subject,” says Lou Harvey, president and CEO of Dalbar, a Boston-based independent financial-services market research firm.

“The more we’ve examined, the bigger the shock it is as [cybercrime] keeps growing. Look at the number of incidents,” he explained in an interview. “Think about the last day you didn’tsee a news item about cybertheft. I imagined everyone would be up in arms with [cybersecurity], but they were not, and that certainly caught my attention.”

The survey of broker-dealers, sponsored by ThinkAdvisor, Dalbar and 15 financial-service firms, aimed to identify the greatest deficiencies in cybersecurity authentication and to “create a roadmap to improving protection,” Harvey says.

The research revealed that 74% of firms have the same practices they’ve had for the past five years, and only a “paltry” 4% are planning to adopt new practices, Harvey says, adding that he did not anticipate these results.

“No one wants to make a big ado about the threat,” he explained. “When something goes wrong or issues arise [it’s] outside of the financial-services [industry], so it doesn’t grab the attention it should.”

“Unless it happens to a firm or an advisor, it happens in the outside world. There’s a huge difference with someone who has come face-to-face with cybertheft, as opposed to a vast majority who have not,” Harvey explained. “Those who have had accounts opened or money withdrawn are passionate about the issue, but that has not translated to a general concern.”

Most firms have run across the phishing of their accounts, but nothing in a big way, like 10,000 accounts being affected. “Until someone like Julian Assange gets out of playing with the government and starts playing with money,”  firms likely will not move to make changes, Harvey says.

More Key Findings

The most widely used authentication practices within the industry are procedures for failed logins (66.1%), while the termination of sessions after a period of inactivity is used by 60.4%, according to the study.

In addition, 57.3% of firms have the ability to cancel, replace and communicate about a password if an account has been compromised.

The best-fortified businesses are retirement service providers, which take advantage of 30.1% of authentication practices, followed by investment providers (29.7%) and life & annuity providers (28.7%).

Key points of access by bad actors include websites (at 34.3%), followed by mobile devices (28.7%), interactive voice response (22.9%), phone centers (21.6%) and electric statements (24.7%).

Phone centers that employs humans thwarts thieves, since an account or other change must go through a real representative and not just a computer, which Harvey refers to as a “picket fence” defense. The “stone wall” defense is an aggregation of all defenses stacked together, he says, not just one or two.

Financial advisors should be very concerned about the cyber defense of their broker-dealers and other institutions that hold client assets, such as investment firms, insurance companies and record-keepers, Harvey points out.

“Advisors have a role in all of this. The advisor is going to be called to account if something in fact goes wrong. If a client turns assets over to an advisor, the advisor puts them somewhere, and they get [stolen], the client will blame the institution, but doesn’t the advisor have complicity for having it [at that broker-dealer or other firm] in the first place?” he asked.

His answer is “yes.” Advisors generally believe that client assets are safe thanks to the diversification of their investments, “but are you [diversifying the] institutions you use [for cyber defense]?” the Dalbar executive inquired.

Other Research

According to a recent study by the American Institute of CPAs, eight in 10 Americans are concerned about the ability of businesses to safeguard their financial and personal information, and three in five say they or an immediate family member have been the victim of some scheme to defraud them, ranging from a letter or phone call from someone impersonating an IRS agent to someone opening a line of credit in their name.

In late March, New York Attorney General Eric T. Schneiderman released a report stating that there were 1,583 data breaches reported in New York State in 2017, exposing the personal data of 9.2 million New Yorkers — four times the number impacted in 2016.

To prevent the loss of investor assets, advisors need to question their BDs about to their cybersecurity practices. “It should be a part of every RFP,” the Dalbar chief explained.

Though many firms have been hacked for clients’ personal information, it will take a major financial loss to move the bar. “It seems to me that once we have an ugly scandal with money lost as opposed to personal information [being taken], this will get people’s attention,” said Harvey.

***

The key findings of the Dalbar/ThinkAdvisor survey on how firms use certain authentication practices are listed below; a mark (X) in the Usual Practices column means more than a-third of respondents use the practice and therefore it is considered usual.

IDAuthentication PracticeNumber Responding% in UseUsual Practice

1Username/Password for identification  294 54.1%X

2Confirmation process for changing username/password/email  29447.6%X

3PIN for authentication  29419.7%

4SSN for identification or authentication  23830.7%

5Two Factor Authentication – a process that involves both: Factor 1 – information that the user knows (like account number) and – Factor 2 – something that they have (such as a token) or a separate channel (such as email or text message)  28225.5%

6Multi-tiered authorization (i.e. Tier 1- Account info; Tier 2- Personal data/transactions)  22833.8%X

7Personal security questions  28241.8%X

8Separate on-file medium for authentication (phone/email/etc.)  28236.2%X

9Voice ID  2829.6%

10Fingerprint  17615.9%

11Facial Recognition  1763.4%

12Other biometric (please specify)  2260.0%

13Patterns in login history to alert for possible risk   7828.2%

14Detection of change to flag possible risk (Device/IP address/etc.)  17634.7%X

15Challenge-response test such as Captcha  2269.7%

16Changes in volume mix of activity  22423.2%

17Same IP address in activities in other accounts  12020.0%

18Terminate session after timed period of inactivity22459.4%X

193rd party user management/authentication solutions28022.5%

203rd party fraud prevention solutions  28030.7%

21Procedure for undelivered email  28038.6%X

22Procedure for undelivered standard mail  28051.8%X

23Procedure when there are no logins for an extended time  22419.6%

24Procedure for multiple failed logins  22463.8%X

25Temporary password for immediate access  22441.1%X

26Ability to cancel, replace and communicate password if account is compromised  28056.4%X

27Password expiration after a period of time or set number of uses  22423.2%

28Multiple source verification for transactions (i.e. advisor and client)  22627.0%

29Restrictions on transactions that could be used for fraudulent purposes (address/registration change, etc.)  22653.1%X

30Limit access for high profile accounts   28022.5%  MORE

Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity

Last October, the North American Securities Administrators Association ("NASAA") released its 2017 Investment Adviser Coordinated Examinations Report. The biannual report is a must read for registered investment adviser ("RIA") firms. As RIA compliance consultants, we recommend that the Chief Compliance Officer ("CCO") of all investment advisory firms review the regulatory exam summary report to determine if any compliance changes need to be implemented at their firm.

In this week's installment of our break-down of the new 2017 report, we focus on one of NASAA's most common RIA regulatory compliance deficiency categories: cybersecurity. Of the 1,227 investment advisory firms examined in 2017, 23.4% of all firms examined with regulatory assets under management ("AUM") had at least one cybersecurity-related regulatory deficiency. In total, there were 590 cybersecurity-related items noted across all firms which were audited.

In addition to NASAA releasing its 2017 Investment Adviser Coordinated Exam Report, the organization also released a detailed information security checklist for RIA firms. The checklist is designed to "help state-registered investment advisers identify, protect, and detect cybersecurity vulnerabilities; and to respond to and recover from cyber events" and can be accessed here. Given that 2017 was the first official year cybersecurity-related deficiencies were noted, we do not have year over year data for a comparison. 

In 2017, the top 5 cybersecurity-related deficiencies were:

  1. No or inadequate cybersecurity insurance (15.8%)
  2. No testing of cybersecurity vulnerability (11%)
  3. Procedures: Securing / limiting access to devices (7.3%)
  4. No IT or technology specialist / consultant (7.1%)
  5. Procedures: Hardware / software updates, upgrades. etc (6.3%)

Given this is the first year cybersecurity-related deficiencies have made NASAA's lnvestment Adviser Coordinated Exam Report,  it's evident that investment advisory firms need to take a step back and ensure they are meeting the requirements to stay in compliance with the relevant state or federal regulatory requirements. NASAA recommends RIA firms implement information security policies, procedures and measures. With increased cyber threats, we encourage all CCO's to remain vigilant. As RIA compliance consultants, we recommend that the Chief Compliance Officer ("CCO") of all investment advisory firms review this checklist to determine if new practices should be implemented or existing practices changed as it relates to the firm's information security program.

It’s 2018: Do you know where your client data is?

No financial technology innovation has saved advisors more time than when custodians began transmitting data files to firms.

Prior to this change, client data was updated by taking statements and keying them into the portfolio accounting system. At the end of each quarter, statements were stacked thick and the data entry sprint began so that client reporting and billing could be completed.

Today, these data files circulate through systems that are in many cases developed and hosted by third party fintech companies. Fintechs have been able to take this data and provide additional value and ease of use for firms that seemed hardly imaginable just a couple of decades ago. But that convenience has given rise to new concerns about data security and control.

Last fall I had the opportunity to moderate the Tiburon CEO Consumer Panel. The No. 1 concern brought up by the consumers on the panel was data security. Beyond the concerns of a hacker getting access to passwords, they worried about outright theft due to a security breach. As a result, the consumers complicated their lives by doing business with multiple security firms to help mitigate the risk.

Despite this concern, one detail that clients and advisors alike may overlook is the contractual relationship that exists between custodians, fintechs, advisors, and the client regarding data.

When the advisor asks the custodian to share their data with a third party vendor, is the advisor holding the custodian harmless against breaches that may arise? And, what happens when an advisor authorizes a third party to share the data with, well, another third party? Each of these relationships can be viewed very differently, and as a result the ultimate responsibility for data security may be defined in the small print and not well known.

Knowing where your data ends up is a big deal, not just to your clients but also to your firm, since you may be the one left being asked to make the client whole.

What can be done about it? Let’s start by looking at what data is being shared. In most cases, that means files that include a client’s name, address, account number, social security number or tax ID, their date of birth and the account value. Essentially, any and all personally identifiable information utilized to safeguard accounts. The keys to the kingdom, so to speak.

Without the sharing of this information, we would go back to the dark ages of manually keying in data. One could argue that in most cases, third party software providers may not need many of these data elements, but in many cases they do. What can be done about it, and what things can we look for to help ensure that client data is protected? Certainly asking your vendors some questions about security information will help begin to put you at ease:

  1. Do you encrypt the data at rest in your database?
  2. Do you have encrypt the data during transit?
  3. How do you safeguard my data from employee theft?
  4. Do you offer multifactor authentication for logins?
  5. Do you have a code scan done to look for vulnerabilities?
  6. Are you sharing my client data with any third parties (developers, consultants, etc.)
  7. What do you do to safeguard my client data on your development and test platforms?
  8. Do you have an SSAE 16 / SOC Type 1 and 2 report that I can review, and how often is this done?
  9. Do you have an ISO 27001 Certification?
  10. What other third parties do you bring in to audit the security measures you are taking with my client data?
  11. Will any of my data be exposed outside of the United States? 

If you are thinking that some of the above may not be critically important, imagine telling your client after their funds were stolen that your firm exposed their personally identifiable information to someone outside the country where little if any recourse is available.

If tracking down white collar crime here in our own country is difficult, it’s worse elsewhere. Yes, firms can easily add an extra 20% to their bottom line by offshoring data-related tasks, but how will your client feel about someone in another country having access to their account number, social security, date of birth, and other identifiers without the appropriate security protocols in place?

The current evolution of advisor technology is exciting, but I have significant concerns about where client data is ending up, as well as the general lack of awareness about responsibilities.

If nothing else, please spend some time to understand your contractual agreements as they relate to client data, what the third party vendors that you work with are doing to safeguard it, where your data resides and who specifically has access to it.  MORE

Eric Clarke is CEO and founder of Orion Advisor Services.

You’ve Been Hacked! What Do You Say?

Over the past few months Advisor Armor has seen a dramatic increase in email hacks including those associated with key-logging.  We want to remind all that those are hacks and an investigation is required to assess impact and required responses.

Getting hacked is not only expensive in remediation costs and reputational damage. Now public corporations could also face regulatory penalties if they don’t explain the breach the right way and quickly.

US compliance managers, legal counsel and IT managers of public firms need to devise a strategy for who tells whom, what and when about the breach, says the Securities and Exchange Commission. The US regulatory agency has just updated its 2011 guidance on how public firms notify investors about actual and attempted cybersecurity breaches, as well as how to slam the door on potential insider trading before the breach is made public.

The SEC’s guidance comes in the wake of a series of highly publicized delays in data breach disclosures and suspiciously timed trading. Yahoo, for one, waited until 2016 to disclose data breaches in 2013 and 2014. C-level executives at Equifax made undisclosed stock divestitures totaling over US$1.8 million last year before news of its data breach was made public.

Public firms have been singled out by the SEC for disclosure guidance and trading prohibitions. Although the regulatory agency requires registered investment advisers (RIAs) to create cybersecurity programs to prevent data breaches, it has not come up with detailed disclosure guidelines. Neither has the Financial Industry Regulatory Authority for broker-dealers. However, RIAs and broker-dealers are expected to inform clients affected by cybersecurity breaches of the incidents to fulfill their legal obligations to disclose conflicts of interest. Those which are also public must also follow the new SEC guideline.

“The guidance shouldn’t severely impact how firms already behave since they should already be disclosing breaches to the public as soon as they are known and not allowing insiders to trade on non-public information,” says Jeremy Wittkop, chief technology officer for InteliSecure, a Denver-based security data protection firm. “The guidance simply clarifies how companies are expected to behave.”

Still public firms shouldn’t take the SEC’s guidance lightly. Although guidance doesn’t have the force of law, the regulatory agency could now fine a public firm for misleading investors about its cybersecurity practices or a data breach.

Telling investors a breach has occurred is the easy part. Explaining the impact of such a breach will be far harder to do, because the SEC considers cybersecurity breaches to be part of investment risk. Investors have a right to promptly know how severe the financial damage really was and the likelihood a firm might be hacked in the future. Public firms must also take steps to prevent investors from being harmed by C-level executives using insider information to trade in the firm’s shares.

“Compliance managers, legal counsel and crisis management experts will need to work quickly on what they want to tell investors because they can’t wait until they have investigated the cybersecurity breach, written platform code to patch up the hole and quantified the potential losses,” says Spencer Feldman, a partner with in the corporate and securities practice of law firm Olshan Frome Wolosky in New York. “The SEC said notification must be timely after a breach was uncovered.”

Public firms will also have to think twice about keeping information about “minor” breeches confidential. Although the SEC’s guidance allows public firms to limit their disclosures to “material” breaches, the SEC’s definition of that word isn’t always based on generally accepted accounting principles.

“The SEC isn’t defining materiality based on the amount of the financial loss involved in a particular incident, but on whether a reasonable investor would view omitted information about an incident as important in making an investment decision or whether the omitted information would have significantly altered the total mix of information to investors,” says Matthew Rossi, a partner specializing in securities litigation and data privacy with the law firm of Mayer Brown in Washington, D.C. “Security incidents are now considered material, because they can impact the value of a company’s stock.”

Once a data breach is uncovered, says Feldman, a public firm must warn all of its C-level executives and employees from trading in any of the company’s shares without the express consent of its chief compliance officer until investors are notified.

The Right Story

Multiple professionals are likely to be involved in communmications after a breach. Compliance managers should have already drafted the procedures on who is notified and when. while the legal counsel handles the disclosure language. Public relations professionals specializing in crisis management might be recruited to craft the press releases and train C-level executives for breach-related media interviews.

The first disclosure will likely be the filing of a Form 8-K with the SEC, which is used to promptly report current events that may be of interest to investors. Drafting this document and a press release can easily take up to take several days after the breach is discovered even if the full extent of the damage isn’t known. Further information must be disclosed as the investigation of the incident is underway.

The dissemination of information to the public also requires managing the message within the company. Public firms should have documented policy, in advance, of a step-by-step process for IT and cybersecurity managers  to notify chief compliance officers, legal counsel, chief executive officers, chief operating officers and boards of directors. C-level executives can’t be kept in the dark for too long.

How much should the public firm disclose to investors? “For the Form 8-K document, disclosing at least the bare minimum of material information is likely the best approach because the extent of the financial loss won’t be known,” says Saleemah Ahamed, a managing principal at Adherence LLC, a New York regulatory compliance firm. What’s the bare minimum? “A data breach has occurred and the firm is doing its best to mitigate the financial loss to its investors and customers,” says Ahamed.”Consumer-based companies could even say they are offering customers credit checks for free.”

What then? The quarterly Form 10-Q and annual Form 10-K reports are next in line to include a more detailed discussion of just what occurred, including specifics on the the financial impact. The dollars-and-cents figure must include expenses for investigations, remediation of the breach, litigation and revenues losses. Of course, the public firm can’t quantify reputational harm, but must include mention of that fact. “Public firms must also explain the possibility that a breach could take place in the future and which assets — data– are at risk of being stolen,” says Rossi.

When it comes to explaining how critical data will be protected from a cybersecurity attack, the SEC is allowing some discretion. “Firms won’t be required to spill the beans about every precautionary step they are taking because that would give hackers too much information,” says Rossi.

What if a public firm has never experienced a cybersecurity breach, or at least is not aware of it? The good news is that the firm won’t be in the hotseat from investors, customers and regulators on how much information to disclose. The bad news is it will still have to devise language to explain the future possibility of a cybersecurity breach and whether they have purchased cybersecurity insurance. The firm must also admit that such insurance may not cover all financial losses to investors.

Although the SEC’s guidance focuses on what to do after a cybersecurity breach has taken place, Wittkop recommends that firms review their entire cybersecurity program before they’re faced with a breach. “They must ensure that they have sufficient incidence report procedures to investigate potential breeches quickly, to confirm or deny them, as well as reporting breaches within the timeframes established by the guidance,” he says.

 

Data Breaches: A Major Risk for Financial Professionals

Dealing with cyber threats and staying compliant with government and industry requirements are now inherent risks of doing business for financial professionals. While some insurance and financial services professionals have awakened to this reality, most have significant work to do to protect themselves and their clients.

In today’s digital age, maintaining a formalized information-security plan and staying compliant with federal, state and industry data breach regulations have not only become essential management practices, but possibly a matter of survival, as well.  Here’s why.

Financial industry targeted

The financial industry is highly targeted by cyber criminals because of the valuable personal, financial and health-related information handled on a daily basis, and because brokers and agents are often the most vulnerable and least prepared to prevent or respond to cyber-attacks.

The industry has been rocked over the last two years by an onslaught of data breaches, resulting in well over 100 million Americans’ personal, financial and healthcare data being exposed.  Making things worse, criminals are looking to access larger businesses and their data by targeting insurance, brokerage, financial, legal, and accounting firms.

This is putting increased pressure on the industry to not only meet new client expectations for data privacy, but to also comply with government and industry standards for protecting confidential information.

Regardless of the types of products you provide, your clients expect you to keep their personal and confidential information private and secure.  Business clients in particular are becoming increasingly concerned about security risks with their third-party service providers, and are starting to require agents and brokers to answer lengthy security questionnaires about their cybersecurity and risk-management practices before doing business.

If you haven’t already begun receiving information-security assessments from key clients, including the requirement to sign an information-security agreement, be assured that this is the future of building and maintaining client relationships.

It’s ironic that after years of worrying about “differentiation” and what makes one broker or advisor better than the other, gaining and keeping clients may boil down to a measurable distinction between the firms that might get hacked and the firms that might not.

Brokers and agents who are serious about their business are now taking this expectation seriously, including obtaining security and compliance certifications based on regulatory and industry standards.  Some brokers are now starting to promote this type of security certification in marketing materials and client pitches as a competitive differentiator.

Regulatory requirements

In addition to client expectations for better security, personally identifiable information (PII), such as Social Security Number, date of birth, financial and insurance information, medical information, and other confidential data must be properly protected under various federal and state laws.

Well-known examples of federal laws include HIPAA-HITECH and GLBA that require insurance and financial-services firms to implement safeguards to protect confidential information they handle in the normal course of business in the health-benefits or financial-services markets.  These include insurance and financial-services brokers, as well as agents and producers.

In addition, 47 states have enacted laws that require all businesses to protect the PII of consumers and businesses within the state.  Brokers, advisors and agents in these states, or those who have customers in these states, must comply with the respective state laws or face civil and/or criminal penalties.

Some states have enacted rigorous laws, such as Colorado, California, and New York, where the Department of Financial Services recently implemented new cybersecurity regulation requiring banks, insurance companies, licensed financial professionals and others to establish and maintain a cybersecurity program to protect consumers.  This law applies even to those who do business within the state.

Financial industry standards

Since 2005, SEC and FINRA have required broker-dealers, investment advisers and other financial firms to protect confidential customer information from unauthorized release to unaffiliated third parties (S-P Safeguard Rule 30 (a)).  This includes the adoption of a formalized information-security plan with written policies and procedures for protecting client information.

In light of the increasing number of data breaches in the financial- services industry, it’s not surprising that SEC and FINRA have recently stepped up efforts to enforce fines and penalties on firms whose security controls are lacking.

Additionally, NAIC has consistently advocated for better information security standards for the industry.  In the coming months, NAIC is set to finalize a comprehensive Model Law that establishes the exclusive industry standards for data security and breach response.  This will apply to all insurance licensees, including not just insurers, but agents, brokers and other parties.

NAIC’s model law requires all licensed persons and organizations to create a comprehensive, written, information-security program that details the administrative, physical and technical safeguards for protecting personal information, including a breach response plan.  It would also require owners and boards of directors to approve and oversee implementation of the program and compliance with the law.  The model cybersecurity standards are aimed at encouraging state insurance regulators to incorporate these elements into their regulatory framework.

Cybersecurity and Compliance Best Practices

The development, implementation and ongoing management of your information security plan should follow the standards and best practices outlined in federal, state and industry requirements.

Here’s a checklist to use as a starting point:

  1. Management commitment, creating a culture of security
  2. Conducting regular security risk and compliance assessments
  3. Creating and maintaining information security policies and procedures
  4. Implementing necessary cybersecurity technology and defenses
  5. Conducting regular security vulnerability assessments
  6. Providing security awareness training for all personnel
  7. Managing third-party service provider/vendor risks
  8. Having a breach incident response plan
  9. Obtaining appropriate cyber-liability insurance
  10. Getting third-party compliance certifications

Failure to implement and maintain these essential practices can cost you business and can significantly reduce your legal defensibility in the event of a data breach incident.

Remember that cybersecurity and compliance are not something you “set and forget.” They constitute an ongoing process that must be tested, maintained and updated.

On the road to compliance

Data breaches have created a new business-management responsibility to properly protect confidential information. The first step is to assess where you stand today.  Where are your current vulnerabilities?  What regulatory, legal and industry requirements are you not adequately following or failing to address?

You may have to admit that you are not an expert in cybersecurity or data-breach compliance and may not be qualified to handle this alone.  Your IT staff or a tech-savvy friend may be able to help some, but this is not just an IT issue.  If you do not have the inside expertise in cybersecurity and compliance management, get outside help.  You may want to consider outside experts anyway, as they likely have more experience and a broader array of tools and resources.

Cyber Incident & Breach Trends Report

Review and analysis of 2017 cyber incidents, trends and key issues to address

This year marks the Online Trust Alliance’s tenth annual publication related to cyber incidents and breach readiness. Now an initiative of the Internet Society, OTA reviews cyber incident and breach events to extract key learnings and provide guidance to help organizations of all sizes around the world raise the bar on trust through enhanced data protection and increased defense against evolving threats. This Cyber Incident & Breach Trends Report builds on last year’s expanded recognition of threats beyond just data breaches to include ransomware, business email compromise (BEC), distributed denial-of-service (DDoS) attacks and connected device vulnerability. MORE