Policing Cyber-Related Misconduct
Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber-related misconduct has steadily increased. In FY 2018, the Commission brought 20 stand-alone cases, including those involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues.
NEWS AND NOTES RELEVANT TO CYBER/DATA SECURITY AND COMPLIANCE
NEW YORK (Thomson Reuters Regulatory Intelligence) - The greatest cyber security risk to an investment advisory firm may be its staff, so a training and education program that addresses relevant cyber threats is vital.
In 2019, investment advisers must, among their most important cyber security steps, train staff to identify phishing emails, secure and protect company devices and take steps to verify the movement of client funds. The increased use of automation and reliance on electronic communications can lead a firm employee to unknowingly allow an unauthorized party to access company systems and ultimately reach clients’ non-public information or funds. A firm that makes staff education part of its overall plan against cyber-attacks will therefore be best prepared to keep its infrastructure intact.
Cyber security is one of the greatest risks currently facing the financial-services industry, and a perennial examination priority for the Securities and Exchange Commission.
The SEC has prioritized cyber security during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
Specifically, in the 2019 exam list, the SEC has added emphasis on the cybersecurity practices of investment advisers with multiple branch offices, including those that have recently merged with other advisers.
The forms of electronic communication have expanded; however, email continues to be the primary channel for most investment advisers. Phishing is a type of online scam in which criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. A firm’s email administrator or filtering system will not always identify these emails, so firm associates must be able to recognize them before any action is taken. In many cases, once the sensitive information is given to the scammer, they will have access to account numbers, passwords, usernames and more, and will use them to commit fraud.
A firm’s associates should be suspicious of emails that do not use the individual’s name. For example, if a bank or brokerage firm were notifying an individual of an issue, the firm would know and use the customer’s name.
Also, the sender’s display name should match the actual sender. Checking that the sender’s email address in the header matches the display name is therefore prudent.
In addition, a phishing email will often be unsolicited or unexpected and contain grammatical or spelling errors and unnecessary capitalization. A firm individual must be wary of attachments and links as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware.
When a link is present, the best policy is not to click it: open a new browser tab and navigate to the site manually.
Lastly, a firm individual must alert the compliance department or the proper authority once a phishing email is identified. Phishing attempts can also spill into social media, so diligence must extend beyond email.
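The indicators listed above (generic greeting, display name that the From address does not back up, unnecessary capitalization, links to look-alike domains, unexpected attachments) can be checked mechanically before a message reaches an associate. The following triage script is an added example, not code from the article or from any vendor it names; it uses only the Python standard library, and the sender directory (`KNOWN_SENDERS`), the risky-extension list, the thresholds and the two sample messages are assumptions constructed for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from email.utils import parseaddr

# Assumption for this example: the firm keeps a directory mapping the display
# names it expects (custodian, vendors) to the domain they legitimately mail from.
KNOWN_SENDERS = {"custodian support": "custodian.example"}
GENERIC_GREETING = re.compile(
    r"^\s*(dear|hello|hi)\s+(valued\s+)?(customer|client|user|member|account\s+holder)\b",
    re.IGNORECASE)
URL_HOST = re.compile(r"https?://([^/\s<>\"']+)", re.IGNORECASE)
RISKY_EXT = (".exe", ".js", ".vbs", ".scr", ".docm", ".xlsm", ".html", ".zip", ".iso")


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def sender_mismatch(from_header: str) -> bool:
    """Display name claims an identity the real From address does not back up."""
    name, addr = parseaddr(from_header)
    name = name.strip().lower()
    if "@" in name:          # e.g. '"ops@custodian.example" <x@mail.example>'
        return _domain(name) != _domain(addr)
    expected = KNOWN_SENDERS.get(name)   # a name we know, mailing from the wrong domain?
    return expected is not None and _domain(addr) != expected


def shouty_ratio(text: str) -> float:
    """Share of words of four or more letters written entirely in capitals."""
    words = re.findall(r"[A-Za-z]{4,}", text)
    return sum(w.isupper() for w in words) / len(words) if words else 0.0


def phishing_indicators(raw: bytes) -> list[str]:
    """Return the indicators found in one raw RFC 5322 message (empty = none found)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    sender_dom = _domain(addr)
    if sender_mismatch(msg.get("From", "")):
        found.append("display name does not match From address")
    reply_to = msg.get("Reply-To")
    if reply_to and _domain(parseaddr(reply_to)[1]) != sender_dom:
        found.append("Reply-To domain differs from From domain")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    first_line = next((line for line in body.splitlines() if line.strip()), "")
    if GENERIC_GREETING.match(first_line):
        found.append("generic greeting instead of the recipient's name")
    if shouty_ratio(f"{msg.get('Subject', '')} {body}") > 0.15:
        found.append("unnecessary capitalization")
    # Links are compared against the domain this sender is supposed to use, so a
    # look-alike domain is flagged; the advice stays: type the address, do not click.
    expected_dom = KNOWN_SENDERS.get(name.strip().lower(), sender_dom)
    for host in URL_HOST.findall(body):
        if host.lower() != expected_dom and not host.lower().endswith("." + expected_dom):
            found.append(f"link to {host} outside {expected_dom}; navigate manually")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        if fname.lower().endswith(RISKY_EXT):
            found.append(f"unexpected attachment {fname} of a risky type")
    return found


def build_sample(from_header, subject, body, reply_to=None, attachment=None) -> bytes:
    """Construct a sample message for the demonstration (test data only)."""
    m = EmailMessage()
    m["From"] = from_header
    m["To"] = "advisor@acmewealth.example"
    m["Subject"] = subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:
        fname, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=fname)
    return m.as_bytes()


# Constructed samples: a look-alike-domain phish and a legitimate custodian notice.
PHISH = build_sample(
    "Custodian Support <alerts@custodian-secure-login.example>",
    "URGENT: Account Verification REQUIRED",
    "Dear Customer,\n\nYour ACCOUNT will be SUSPENDED unless you CONFIRM your details at\n"
    "https://custodian-secure-login.example/verify TODAY.\n",
    reply_to="verify@mail-drop.example",
    attachment=("Statement.zip", b"PK\x03\x04 constructed, not a real archive"),
)
LEGIT = build_sample(
    "Custodian Support <alerts@custodian.example>",
    "Your March statement is available",
    "Hello Jordan,\n\nYour statement is ready in the portal at\nhttps://custodian.example/statements\n",
)

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, phishing_indicators(raw) or ["no indicators"])
```

A message that collects several indicators is a candidate for the compliance escalation described above; a single weak indicator on its own (one capitalized word, say) is not proof of anything.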
The following list identifies the core controls a firm should be able to evidence as part of its cybersecurity program. To establish an effective program, however, firms will need to consider these measures in the context of their business model and technology infrastructure.
Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls.
Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”).
Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives.
Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies.
Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware.
E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers.
Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an intrusion detection and prevention system.
Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if you notice something suspicious. Consider implementing an ongoing phishing awareness campaign.
Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts.
Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and the use of all removable data storage devices, including CDs and flash drives.
Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and of vulnerabilities or breaches that may affect the firm.
Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls.
Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.
For Investment Advisers: SEC Actions
OCIE Announces 2019 Examination Priorities: The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 exam priorities on December 20, 2018. OCIE’s priorities haven’t changed much from 2018, and include topics addressed in the 2018 Risk Alerts and the feedback received from OCIE’s outreach program. OCIE’s six “themes” for 2019 are:
Protection of retail investors, including seniors and those saving for retirement;
Compliance and risk management for firms responsible for critical market infrastructure, such as clearing firms, securities exchanges, transfer agents, and compliance with Regulation SCI which requires written policies and procedures surrounding technology and systems infrastructure;
Oversight of FINRA & MSRB and their operations, regulatory programs and examination quality;
Scrutiny of broker-dealers, investment advisers, and trading platforms dealing with digital assets, including cryptocurrencies, coins, and tokens;
Cybersecurity issues, focusing on advisory firms with multiple branch offices and firms that have merged with other RIAs. OCIE continues to stress the importance of risk assessments, access rights, vendor management, training, and data loss prevention.
Anti-Money Laundering Programs in broker-dealers, focusing on whether broker-dealers are filing Suspicious Activity Reports (SARs), independently testing their AML program and identifying suspicious and illegal activities.
As discussed in 2018 Risk Alerts, OCIE will continue to focus on disclosure of fees and expenses and conflicts of interest. Unsurprisingly, the receipt of 12b-1 fees and mutual fund share class selection continue to be hot topics, along with arrangements with affiliated service providers. A newer area of concern is securities-backed non-purpose loans and lines of credit. OCIE will be reviewing the incentives received by advisers and broker-dealers for recommending these loans. Financial exploitation of seniors is another area of concern, so firms should address this issue in their compliance programs. Contributed by Heather Augustine, Senior Compliance Consultant
Regulatory Review 2018: HCC put together a list of the top regulatory hot buttons from 2018 to help you focus your compliance efforts in 2019.
11 Key Takeaways for Updating your Compliance Program in 2019: HCC put together a review of the regulatory landscape in 2018, with a list of 11 recommendations for updating your compliance program.
Investment Advisers Compliance to Do List for 2019: For investment advisers, private and hedge fund managers: a handy list of regulatory deadlines for 2019 for updating your compliance calendar.
Form ADV Update deadline: Procrastinators beware! Investment advisers with a fiscal year end of December 31 have until Sunday, March 31, 2019, to file the Form ADV update. IARD will be open on March 31, from 10am-6pm Eastern Time. Consequently, the deadline for filing an annual updating amendment will NOT be extended to Monday, April 1, 2019.
For Broker-Dealers: FINRA Actions
FINRA Provides Additional Guidance to Enhance your Cybersecurity Program: FINRA’s Report on Selected Cybersecurity Practices – 2018 is a follow-up to its initial Report on Cybersecurity Practices, published in 2015. FINRA’s 2018 report highlights effective practices used by member firms to address emerging cybersecurity threats. It focuses on member firms’ primary challenges and the most frequent examination findings. These topics include branch office controls, social engineering by hackers, identification and mitigation of internal threats, penetration testing and managing mobile devices. The Report’s Appendix is a great resource that provides a list of core cybersecurity controls for small firms. As you review your cybersecurity program in 2019, consult FINRA’s Cybersecurity page for additional resources that will help you strengthen your program. Contributed by Rochelle Truzzi, Senior Compliance Consultant
Broker-Dealer Compliance to Do List for 2019: For broker-dealers, a list of regulatory deadlines for 2018.
Broker-Dealer 2018 Regulatory Year in Review: A summary of 2018 rule changes, enforcement actions and regulatory developments for broker-dealers for 2018.
Broker-Dealers! Be Sure to Whitelist email@example.com: FINRA announced, through Firm Gateway, that it will begin sending Information Request email notifications to firms using Amazon Simple Email Service (SES). To ensure you continue to receive FINRA’s notices regarding Information Requests, FINRA suggests that you work with your IT department/provider to whitelist the email address, firstname.lastname@example.org. Contributed by Rochelle Truzzi, Senior Compliance Consultant
2019 Annual Entitlement User Accounts Certification Process: This year, the certification window will open on April 22nd and end on June 21st. FINRA will send a notification to the firm’s Super Account Administrator (SAA) to complete the certification through WebCRD/IARD. Contributed by Rochelle Truzzi, Senior Compliance Consultant
FINRA 2019 Annual Risk Monitoring and Examination Priorities Letter: On January 22, 2019, FINRA published its annual Examination Priorities Letter. This year FINRA broadened the scope of its priorities letter to include specific areas of focus on risk monitoring. As in prior years, the letter addresses specific examination topics but does not include many of the mainstay topics that have been repeatedly covered. Stay tuned for our blog post on these priorities! Contributed by Doug MacKinnon, Senior Compliance Consultant
For Hedge Fund Managers – NFA Member Firms
NFA Members Need to Update Cybersecurity Programs: On January 7, 2019, the National Futures Association (“NFA”) amended its interpretative Notice 9070 on Information Systems Security Programs, (the “Cybersecurity Notice”). The amendment states that NFA members are required to train their employees upon hiring and at least annually and identify the topics covered by the training program. Members are also required to notify the NFA of cybersecurity incidents (1) resulting in a loss of capital, or a loss of customer or counterparty funds, and (2) if the NFA member is required to notify customers or counterparties under state or federal law. The amendment also changed the approval requirements for a member’s Information System Security Program (ISSP). The Cybersecurity Notice is effective on April 1, 2019. Contributed by Jaqueline Hummel, Partner and Managing Director
CPOs Required to Implement Internal Controls: The NFA issued Interpretive Notice “NFA Compliance Rule 2-9: CPO Internal Controls System” (the “Internal Controls Notice”), which requires Commodity Pool Operators (CPOs) to establish a system of internal controls designed to deter fraud, safeguard customer funds, and ensure the accuracy of financial reports. The control system should also assure that the CPO complies with its regulatory requirements. The Internal Controls Notice will be effective on April 1, 2019. Contributed by Jaqueline Hummel, Partner and Managing Director
As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.
The SEC Steps into Cybersecurity
2018 was the year in which the U.S. Securities and Exchange Commission squarely inserted itself into cybersecurity regulatory compliance.
In February 2018, the SEC released its first Commission-level Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. Two key compliance takeaways are: (1) investor risk related to known cyber incidents must be fully and timely disclosed; and (2) public companies must police insider trading based on information related to undisclosed cyber incidents. Whether a cyber incident is material and requires disclosure will depend on a host of factors, including the nature, extent, and potential magnitude of the incident. This includes consideration of the type of compromised information (personally identifiable information, intellectual property or other confidential business information); the incident’s impact on operations; the harm to a company’s reputation, financial performance, customer/vendor relationships; and potential liabilities in civil litigation or regulatory enforcement actions. To avoid even the appearance of improper trading, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading” during the investigation and assessment of significant cybersecurity incidents.
Just a month after issuing its Interpretive Guidance, the SEC penalized Yahoo $35 million for failing to timely disclose its data breaches. The cease and desist order was the SEC’s first against a public company for failing to disclose known cyber incidents in its public filings. From 2014-2016, the SEC alleged, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo’s cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company “faced the risk” of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.” Yahoo filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.
Finally, in October 2018, the SEC released a “Report of Investigation” into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of “business email compromises” (BECs) targeting their personnel. The Report was prompted by the SEC’s investigation. The nine companies were victimized by one of two variants of the BEC scheme—involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.
The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” The SEC emphasized that these fraud schemes were widely successful because they used “technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was in employee interpretation of these controls as capable of being satisfied solely through electronic communications—along with their failure to recognize obvious indications of fraud in the emails.
This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016.
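The control failure the Report describes is that employees treated authorization levels, management approval of wires and vendor-data verification as satisfiable through e-mail alone. The following is an added illustration, not code from the SEC or any issuer, of encoding those same controls so that an e-mailed instruction can never satisfy them by itself; the approval threshold, channel names and sample requests are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from enum import Enum

# Assumption for this example: wires above this amount need management sign-off.
WIRE_APPROVAL_THRESHOLD = 10_000.00


class Channel(Enum):
    EMAIL = "e-mail"
    PHONE_CALLBACK = "phone callback"
    IN_PERSON = "in person"


@dataclass
class Verification:
    channel: Channel
    verified_by: str
    contact_from_records: bool  # number/address taken from the vendor master, not from the e-mail


@dataclass
class PaymentRequest:
    request_id: str
    requester: str                 # employee who raised or relayed the instruction
    amount: float
    new_vendor_bank_details: bool  # the instruction also changes where funds go
    received_via: Channel
    verifications: list[Verification] = field(default_factory=list)
    manager_approvals: list[str] = field(default_factory=list)


def control_gaps(req: PaymentRequest) -> list[str]:
    """List the controls this request has NOT satisfied; an empty list means release."""
    gaps = []
    # Only a verification on a different channel, using contact details from the
    # firm's own records, counts: replying to the e-mail or calling a number quoted
    # in it would let the sender of a spoofed message 'confirm' their own instruction.
    out_of_band = [v for v in req.verifications
                   if v.channel is not Channel.EMAIL and v.contact_from_records]
    if req.received_via is Channel.EMAIL and not out_of_band:
        gaps.append("e-mailed instruction has no out-of-band verification")
    if req.new_vendor_bank_details and not any(
            v.channel is Channel.PHONE_CALLBACK for v in out_of_band):
        gaps.append("vendor bank-detail change not confirmed by callback")
    if req.amount > WIRE_APPROVAL_THRESHOLD and not any(
            a != req.requester for a in req.manager_approvals):
        gaps.append("wire above threshold lacks independent management approval")
    if any(v.verified_by == req.requester for v in req.verifications):
        gaps.append("requester verified their own request")
    return gaps


# Constructed samples: the first is the pattern the Report describes (everything
# 'confirmed' by reply e-mail), the second satisfies every control.
BEC_STYLE = PaymentRequest(
    "REQ-1", requester="ap.clerk", amount=250_000.00, new_vendor_bank_details=True,
    received_via=Channel.EMAIL,
    verifications=[Verification(Channel.EMAIL, "ap.clerk", contact_from_records=False)],
    manager_approvals=["controller"],
)
COMPLIANT = PaymentRequest(
    "REQ-2", requester="ap.clerk", amount=250_000.00, new_vendor_bank_details=True,
    received_via=Channel.EMAIL,
    verifications=[Verification(Channel.PHONE_CALLBACK, "ap.supervisor", contact_from_records=True)],
    manager_approvals=["controller"],
)

if __name__ == "__main__":
    for req in (BEC_STYLE, COMPLIANT):
        print(req.request_id, control_gaps(req) or ["all controls satisfied"])
```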
States Continue to Expand Data Security Laws
Last year saw the creation and significant expansion of data security laws in state houses across the country. The new laws fall into two primary categories: (1) statutory requirements that all organizations must create and implement reasonable cybersecurity programs to protect personal information; and (2) more expansive data breach notification laws.
Data Security Laws
At least twenty states have adopted broadly applicable “data security” statutes that require virtually all organizations that collect or possess personal information to maintain reasonable cybersecurity programs. Delaware’s new law is a good example. It requires “[a]ny person” conducting business and owning, licensing, or maintaining personal information to implement reasonable security measures “to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” Other states – such as Alabama – enacted “data security” laws that are much more prescriptive, listing factors to be considered in assessing ‘reasonableness.’
Data Breach Notification Laws
At least thirty-one states considered data breach legislation in 2018. With new legislation in South Dakota and Alabama, all fifty states now have data breach notification laws. The biggest changes in 2018 included broad expansions of the definition of protected “personal information;” specified timeframes for notification to consumers and state attorneys general; mandatory credit monitoring for certain types of breaches; and disclosure and investigative cooperation requirements imposed upon third party service providers.
A Landmark Mobile Privacy Decision
The Supreme Court’s 2018 decision in Carpenter v. United States establishes broad digital privacy rights that are sure to extend beyond law enforcement investigations and locational information. The decision significantly expands the Court’s dominant theme of this decade that “digital is different” when it comes to modern privacy law.
The decision itself holds that the Fourth Amendment requires the government to secure a search warrant to obtain a person’s historical cell site location information from a cellular service provider. That undersells its import though. Carpenter remakes the foundational legal principles governing privacy in data shared between device users and their service providers.
It’s how the Court got to that holding that is so groundbreaking. First, the Court declared that “[i]ndividuals have a reasonable expectation of privacy in the whole of their physical movements.” The Court characterized the cell site location information at issue as “detailed, encyclopedic, and effortlessly compiled” – allowing the government (and the service providers) to conduct “near perfect surveillance” on users. Second, this “reasonable expectation of privacy” is not defeated simply because each device constantly shares its location with cellular service providers. Data that must be shared for the proper functioning of technology services does not lose its privacy protection simply because it is possessed by and compiled in the business records of third parties. The spark of this reasoning is sure to spread quickly across the digital legal landscape in 2019 and beyond.
California Continues Pushing the U.S. Forward
California has repeatedly been at the epicenter of privacy and data security legislation in the United States, perhaps most notably by being the first state to enact a breach notification statute. This past year, California once again broke new legislative ground by enacting the California Consumer Privacy Act of 2018 (“CCPA”) and legislation directed at securing IoT devices.
If you are reading this blog post, there is very little chance that you are unfamiliar with the CCPA, such that there is no point in summarizing its provisions. In fact, if we could jump forward five years, the CCPA’s significance will likely not merely be what businesses will need to undertake in 2019 to drive compliance, but rather it will be as a harbinger for the enactment of other privacy-related legislation in this country. One can readily envision that the CCPA will lead either to the enactment of federal privacy legislation or to more state laws directed at privacy. It is not hyperbole to say that how this unfolds in 2019 will set the course for privacy legislation in this country for years to come.
Similarly, California’s enactment of first-in-the-nation legislation directed at IoT device security is significant not just for what the legislation says, but also for what it signals will happen in the coming years. If you have tracked the IoT marketplace, you have heard the projections about the rapid expansion in the number of IoT devices in the next five years. But, at the same time, manufacturers have little incentive to build information security and privacy into those devices. Most commentators seem to agree that this will have to change but it is anyone’s guess as to how. Will industry self-regulate? Will the European Union lead the charge? Will plaintiffs’ lawyers find success in bringing class actions against IoT device manufacturers? Will the federal government pass legislation?
The California legislation offers one potential answer, which is that states will begin to legislate in this field. Indeed, California’s legislation – which originated as a botnet prevention measure – focuses only on a small aspect of IoT device security, namely, passwords. There is fertile ground for states to take up other issues such as requiring manufacturers to provide devices that do not have existing security flaws and requiring manufacturers to provide security patches.
When clients ask what advisers are doing to protect their data, only the firms that can give a satisfying answer will build trust with investors
Advisor Armor Opinion
As the most tenured and largest provider of cyber security compliance in financial services, our empirical evidence indicates ZERO correlation between information technology spending and technical controls on the one hand and data security failures and successful compliance examinations on the other.
Governance procedures and technical controls must be reasonably tailored to conducted assessments. Commonality certainly exists but one size does not fit all and controls must change to model current risks.
Jan 12, 2019 @ 6:00 am By Ryan W. Neal
After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cyber security rules.
A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.
The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.
"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cyber security practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors."
No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.
Even though Voya had a cyber security policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cyber security policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.
This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cyber security is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.
"Firms have cyber security policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cyber security firm Entreda.
For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.
Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cyber security.
"People talk about having a good cyber security policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.
These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.
Advisor Armor risk assessments and profiles create suitable policies and procedures which describe how firms manage and care for valuable information. These policies are then tested and maintained by Penetration Testing, Endpoint Security Audits and Employee Awareness Training and Testing. Our Assurance Service certifies and attests to the implementation of the described policies and procedures.
2018 warnings to heed
When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cyber security, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cyber security preparedness and response team.
"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cyber security programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."
The agency last year named cyber security as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cyber security; and issued new guidance on public companies' obligations to disclose cyber security risks and incidents, updating its previous guidance issued in 2011.
The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cyber security when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.
It isn't just the SEC getting tougher with cyber security. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cyber security best practices for broker-dealers.
State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cyber security programs, the number of bills and proposals addressing cyber security at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.
Advisor Armor Coverage models current state consumer data security protection expectations for all states, including those recently instituted by New York, California, Oregon, Massachusetts, Florida, etc.
The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.
For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cyber security breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.
The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cyber security plan in place. Regulators want to see firms continually testing, reviewing and updating cyber security policies and procedures to ensure they remain effective as threats evolve.
Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is business email compromise, an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use email to trick other employees.
"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.
Preventing harm from phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.
Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the exposure that third parties create.
Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.
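As an added example (not from the article or from any vendor mentioned on this page), the Python script below applies the checks a mail gateway or mailbox rule would run to catch the impersonation patterns described above: a display name that matches an executive while the address is external, a sender domain built to look like the firm's own or an approved vendor's domain, and a Reply-To that diverts answers elsewhere. The firm domain, executive roster, vendor allow-list, subject keywords and the four sample messages are all constructed for illustration.

```python
"""Heuristic business-email-compromise (BEC) checks over parsed mail headers.

Added example: the firm domain, executive roster, vendor list and sample
messages below are constructed assumptions, not data from the article.
"""
import unicodedata
from email.utils import parseaddr

COMPANY_DOMAIN = "examplewealth.com"                      # assumed firm domain
EXECUTIVES = {                                            # assumed roster: display name -> real address
    "jane doe": "jane.doe@examplewealth.com",
    "rich roe": "rich.roe@examplewealth.com",
}
APPROVED_VENDOR_DOMAINS = {"custodian-example.com"}       # assumed vendor allow-list
FUNDS_KEYWORDS = ("wire", "urgent", "gift card")          # assumed subject triggers


def normalize_domain(domain: str) -> str:
    """Fold a domain to a skeleton so common look-alike tricks compare equal.

    Strips accents (NFKD), collapses 'rn'->'m' and 'vv'->'w', and maps the
    digits 0/1/3/5 to the letters o/l/e/s they imitate.
    """
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("0135", "oles"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit catches typo-squats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, target: str) -> bool:
    """True when `domain` is not `target` but is built to be mistaken for it."""
    domain, target = domain.lower(), target.lower()
    if domain == target:
        return False
    if normalize_domain(domain) == normalize_domain(target):
        return True                      # homoglyph / digit substitution
    if edit_distance(domain, target) <= 1:
        return True                      # single-character typo-squat
    # Brand name embedded in another domain, e.g. examplewealth-secure.com or
    # examplewealth.com.evil.net (whole host is used; no public-suffix handling).
    return target.split(".")[0] in domain


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def analyze(headers: dict) -> list:
    """Return human-readable findings; an empty list means no BEC indicator fired."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = domain_of(addr)
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr) if reply_addr else from_dom

    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append(f"display name '{name}' is an executive but the address is {addr}")
    if from_dom != COMPANY_DOMAIN and is_lookalike(from_dom, COMPANY_DOMAIN):
        findings.append(f"sender domain {from_dom} looks like {COMPANY_DOMAIN}")
    for vendor in sorted(APPROVED_VENDOR_DOMAINS):
        if from_dom != vendor and is_lookalike(from_dom, vendor):
            findings.append(f"sender domain {from_dom} looks like approved vendor {vendor}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in FUNDS_KEYWORDS):
        findings.append(f"subject presses for a funds movement or urgency: {headers.get('Subject')!r}")
    return findings


# Constructed sample headers: one legitimate message and three impersonation patterns.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@examplewealth.com>", "Subject": "Q3 portfolio review"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>", "Subject": "URGENT wire needed before close"},
    {"From": "Accounts Payable <ap@examp1ewealth.com>", "Subject": "Updated banking details"},
    {"From": "Rich Roe <rich.roe@examplewealth.com>",
     "Reply-To": "rich.roe@mail-relay.example.net", "Subject": "Re: account statement"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["From"], "->", analyze(sample) or "clean")
```

None of these checks replaces SPF, DKIM and DMARC enforcement on the firm's own domain; they catch the cases authentication cannot, namely a legitimately authenticated message from a domain the attacker registered, or a free-mail account wearing an executive's name.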
Advisor Armor provides Email Enticement (Phishing) Testing and Training. Thousands of customized phishing emails, consistent with and relevant to financial services, provide a realistic challenge that builds practical resistance to the single largest intrusion threat facing financial firms today.
Where advisers can improve
The good news is that the financial services industry has done a pretty good job of adapting to new cyber security requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney.
Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.
"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."
At smaller firms, there can be a sense of fatigue and helplessness when it comes to cyber security, because even the largest companies get hacked.
"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cyber security for advisers. "I do think that causes some frustration."
Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.
Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.
Advisor Armor has managed hundreds of client data security incidents over the past three years. Our history with Red Flags/Identity Theft compliance allows us to efficiently navigate the murky regulatory requirements for physical and electronic breaches, and our incident response coverage satisfies the regulatory requirement for tested procedures.
Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cyber security controls. When used alongside Finra's previously released small firm cyber security checklist, it should give smaller advisers an effective guide to remaining compliant.
The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cyber security is something more important than another compliance chore. The key to that may lie in thinking of cyber security as a competitive advantage, Mr. Yenamandra said.
Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.
"Cyber security needs to be viewed as not only an operational risk but also a strategic function," he said.
Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.
Percentage of companies that had cyber insurance. [1]
Percentage of companies that believed their exposure to cyber risk would increase in the next 24 months. [2]
Percentage of companies that did not plan to purchase cyber insurance in the next 24 months. [3]
Why is buying cyber insurance difficult?
There is little standardization among competing policies; as a result it is hard to comparison shop.
Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
Policies often cover security but not privacy risks.
Items to review when shopping for cyber insurance:
Do the sub-limits on coverage match the corresponding risks?
Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
Does an exclusion prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?
Is voluntary notification of affected consumers covered?
Will credit monitoring for affected consumers be covered?
Who does the insurer have on panel for legal representation, forensic investigations, and/or crisis management?
Next year’s examination priorities of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission were announced on December 20, 2018, and cover six broad, albeit non-exhaustive, topics. [1]
Matters of importance for retail investors, including seniors and those saving for retirement;
Compliance and risks in registrants responsible for critical market infrastructure;
Matters related to the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board;
Digital assets, including cryptocurrencies, coins and tokens (a newly-added priority);
Cybersecurity; and
Anti-money laundering (AML) programs.
Many of the six broad topics remain the same as those included in the 2018 OCIE Examination Priorities. It is important to note, however, that the OCIE leadership team specifically indicated that the 2019 priorities reflect meaningful changes from the prior year, particularly as new risks have emerged and existing risks were either heightened or mitigated.
Retail Investors, including Seniors and those Saving for Retirement
The first identified priority is the protection of retail investors. OCIE emphasizes the following areas of focus, most of which continue and/or expand upon existing examination priorities:
Fees and Expenses: Disclosure of the Costs of Investing;
Conflicts of Interest;
Senior Investors, and Retirement Accounts and Products;
Portfolio Management and Trading;
Never-Before- or Not-Recently-Examined Investment Advisers;
Mutual Funds and Exchange-Traded Funds; and
Broker-Dealers Entrusted with Customer Assets.
Compliance and Risk in Registrants Responsible for Critical Infrastructure
The second identified priority is compliance and risks in critical infrastructure. In this area, OCIE will continue to focus examinations on:
“Systemically Important” Clearing Agencies;
Entities Subject to Regulation Systems Compliance and Integrity (Regulation SCI), including the effectiveness of the implementation of such entities’ compliance policies and procedures;
Transfer Agents, including “transfers, recordkeeping” and asset safeguarding; and
National Securities Exchanges, including exchanges’ internal audit and surveillance programs as well as funding for regulatory programs.
Focus on FINRA and MSRB
OCIE will continue to examine: (1) FINRA’s operations and regulatory programs and the quality of its examinations of broker-dealers; and (2) the effectiveness of particular MSRB operational and internal policies, procedures and controls.
Digital Assets
New to OCIE’s priorities is a focus on the examination of participants in the digital asset market (including broker-dealers, trading platforms, and investment advisers) and the associated risks presented by that market to retail investors. As part of its entry into examining the digital assets space, OCIE intends to “identify market participants offering, selling, trading, and managing these products or considering or actively seeking to offer these products and then assess the extent of their activities.” For those firms that are identified as “actively seeking” to offer digital assets, OCIE examinations will then focus on, among other things, “portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”
Cybersecurity
Cybersecurity will continue to be a focus of each OCIE examination program, especially registrants’ “policies and procedures related to retail trading information security” and, with respect to investment advisers, the cybersecurity practices of advisers with multiple branch offices.
Anti-Money Laundering Programs
OCIE notes that examiners will continue to prioritize broker-dealer compliance with applicable AML requirements, including proper filing of suspicious activity reports and robust and independent testing of their AML programs.
While the priorities indicate where OCIE intends to focus resources in the coming year, registrants should not expect examinations to be limited to the issues highlighted above. It is important to note that the 2019 OCIE priorities not only reflect Chairman Jay Clayton’s prior emphasis on Main Street investors, technological changes and cybersecurity, but also continue to reflect a considerable degree of continuity with the priorities of the SEC under prior Chair Mary Jo White. With this in mind, firms may want to review their policies and procedures and conduct internal compliance reviews.
Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.
To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.
The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.
"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.
The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.
The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.
However, Mr. McDonough said the report could have been presented more simply to increase understanding, especially for firms that don't have a cybersecurity expert who can decipher technical language.
"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.
"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."
The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.
Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.
"Finra and [broker/dealers] have been late to this, and registered reps are in a tug of war over who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."
Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.
The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.
"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.
Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.
"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a matter of wanting to provide clearer guidance/best practices."
Headlines are full of cybersecurity breaches, and big businesses like Google and Facebook are some of the latest to fall victim to outside attacks. A vulnerability in Google+ is at least partially responsible for the company’s decision to shut down the platform for good, and a recent breach of Facebook’s network security may have compromised the personal information of almost 50 million users.
Of course, for such enormous companies, a breach is an embarrassing blip on the radar. Google is mostly terminating its social platform because no one uses it (the company reported that 90 percent of user sessions last less than five seconds), and even the notorious Cambridge Analytica scandal cost Facebook a mere $644,000 in fines imposed by British regulators -- peanuts for a company bringing in almost $100,000 in revenue every minute. But what would a $600,000 fine do to your small business?
Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.
While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.
This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.
Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.
How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:
1) SEC Enforcement: More Pressure for Investment Firms
The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.
The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.
Policing “Cyber-Related” Misconduct
The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cases, including cases involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.
An agency-wide hiring freeze in place since late 2016 has cut staff by about 10%, but this does not appear to have reduced the pressure on regulated securities investment firms. The Division’s annual report documents significant continued enforcement activity.
From a compliance perspective, one item in the “Other Noteworthy [Enforcement] Actions” section of the report may deserve more attention than it received so far: it points to “13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk.”
When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may leave firms unable to “promptly produce” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view into a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.
A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.
Read / download:
Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]
2) Vigilant Regulators, Weak Policy Implementation
In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.
The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.
“SEC’s Enforcement Program Remains Robust”
The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.
Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.
The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”
The SEC is on track to finalize its standards of conduct for investment advisors and brokers next year, Chairman Jay Clayton indicated on Wednesday, calling those rules "a very important and long overdue initiative."
Clayton is also warning advisors and other financial professionals to brace for market turbulence that could emerge from the U.K.’s exit from the European Union and the upcoming abandonment of the Libor benchmark that underlies many of the popular funds advisors rely on as a staple of their portfolio construction.
In a speech on the SEC's priorities for 2019, Clayton also signaled cybersecurity will remain at the top of the agenda, promising that examiners will press advisors and brokers on areas such as risk governance, access controls and data protection.
Clayton called the advisor and broker regulations "a key priority," touting the seven town-hall meetings commissioners and staffers held to gather input from the everyday investors the rules are intended to protect.
Taking a step back from the SEC's regulatory agenda, Clayton is also cautioning advisors to keep in mind three macro risks to the market that he expects to dominate the years ahead: cybersecurity, Brexit and Libor.
"It is clear, based on these discussions, that we have the right perspective, namely, that the core obligations of investment professionals — and mandatory plain language disclosures —should match reasonable investor expectations," Clayton said in prepared remarks.
Under Mary Jo White, his immediate predecessor, Clayton said that the commission's regulatory agenda had become too "aspirational." In 2016, 32 rules appeared on the agenda, but fewer than a third were ultimately adopted. Many of those initiatives stemmed from legislative directives included in the Dodd-Frank bill, Clayton acknowledged. But he is staking out an approach marked by fewer novel rulemakings. And those initiatives that do appear on the commission's docket, he aims to complete. In the coming year, Clayton says that he is hoping to conclude 80% of the items presently on the regulatory agenda.
Some of the sharpest criticism of the SEC's investment advice proposal has come from consumer advocates who see the provisions relating to brokers continuing to permit conduct that they say is harmful to investors. So instead of applying an advisor-like fiduciary duty to broker-dealers, the proposed Regulation Best Interest would do little to enhance the existing suitability standard that governs the brokerage sector. An advisory panel to the commission has recommended that it revise the regulation to encompass more of the spirit — if not the letter — of the fiduciary standard.
Cyberattacks are growing in volume and sophistication and the need for the wealth management business to safeguard clients, portfolios and industry has never been greater.
In 2017 alone, more than 143 million Americans were affected by cybercrimes, a jump of 30% from 2016. As threats increase and fraudsters become more sophisticated, financial advisors and their clients must be proactive in protecting themselves and sensitive data. The process begins with education. Today’s cybercriminals use common, effective methods to acquire personal information. Malware (malicious software) can be delivered to devices via suspect websites, public Wi-Fi networks, and communal charging stations, presenting common hazards that might be sidestepped with the right information.
Below are helpful tips advisors can use to start a conversation with their clients about cybersecurity and help avoid potential catastrophe.
Software and online security
Keep your software, operating system and browser up to date. Companies continuously add security updates with every software upgrade they release. Installing updates immediately can help clients prevent a malware infection.
Set up multi-factor authentication to login to any website or application clients use for financial transactions that contain personal data.
Run a reputable, American anti-virus product on a home PC or laptop. This will help prevent a device from becoming infected with malware and may clean up an existing infection.
As threats increase, the need to safeguard clients, portfolios and industry has never been greater, writes Rachel Wilson, head of cybersecurity for Morgan Wealth Management Technology.
Cybersecurity in public environments
Avoid using public Wi-Fi hotspots — such as the ones at coffee shops, airports, or hotels. If a client does use a public Wi-Fi hotspot, advise them to use a virtual private network (VPN) so that others cannot intercept their communications. As an alternative, clients can stick to the mobile network and create a personal Wi-Fi hotspot with their phone.
Don’t use public charging cords or USB ports to charge a device. Publicly available power outlets are generally fine, but avoid using publicly available cords and ports. These can be used to deliver malware or silently steal data.
If you’re a broker-dealer, you must be compliant with SEC Rule 17a-4. Make sure you know the regulations for Electronic Storage Media (ESM), and why it’s necessary to work with a Designated Third Party (D3P) to safeguard your electronic records.
Daily online activities
Don’t click on links or open attachments in unsolicited emails or text messages. Doing so may install malware on a device.
Don’t reuse the same or similar username and password across multiple websites and applications. If clients reuse the same username and password and a hacker gains access to just one account, the hacker may be able to access their other accounts as well.
Use a password manager. These apps create unique, complex passwords for clients and then store those passwords in a cryptographically sound way.
Create and save bookmarks for the important banking and brokerage websites that clients visit often to avoid inadvertently entering credentials on a fraudulent site.
Only download applications from Google Play or the App Store and never from a third-party app store. Third-party app stores, or apps that pop up and encourage a download, are much more likely to contain malware.
Only give applications the permissions they really need. Granting an application access to photos, location, camera or contacts makes that data available to the application owner.
Limit how much information is shared on social media, and lock down the privacy settings on social media accounts. The information clients share online could be exploited to gather information for fraud schemes.
Tools to combat cybercrime
Use a current and reliable email provider that has basic, built-in security features. Using an older email account that has not incorporated security protections will greatly increase the likelihood of your email account being taken over and used to impersonate you or to spam your contacts.
Shred financial documents before discarding them, as these contain valuable information that could be used by fraudsters. Leverage online statements and paperless options, like eSign, eDelivery, eAuthorizations and Digital Vault, as these include important security features. Additionally, clients should secure sensitive documents within their home.
These basic tips can help avoid some of the most common cybersecurity threats, but the need for vigilance and continued education is paramount. Advisors should maintain an ongoing dialogue with their clients to ensure their personal data, wealth information and financial transaction data are properly safeguarded.
The Enforcement Division of the United States Securities and Exchange Commission (“SEC”) recently released its annual enforcement report(“Report”) for fiscal year 2018. The Report reflects an increased focus on retail investors, cryptocurrency, cybercrime, and individual accountability. Further, it showcases that SEC enforcement continues to be robust under the Trump administration, despite industry and media expectations to the contrary.
Cybercrime is also a growing area of concern for the SEC, with more than 225 active investigations this past year. Notably, in many of these investigations, companies that were victims of cyberattacks are now under investigation for how they responded to the attacks. The Enforcement Division brought proceedings against companies based on failures in those companies’ cybersecurity policies and procedures related to cyber intrusions.
As more and more data breaches and ransomware attacks make headlines around the world, the need for digital asset protection has become top of mind for many financial advisors and business owners. In yesterday’s post, I outlined some cyber liability insurance basics, including what may and may not be covered if your RIA–broker/dealer has its own policy. Today, I’ll dig a bit deeper into the topic, including how you can assess your risks to determine what coverage you may need so you can choose the right cyber liability policy.
It’s 6:00 A.M. on a Monday morning. You hit snooze a few times before sitting up and grabbing your smartphone. A notification catches your eye. No, you’re not dreaming. Your business has been hit by a cyberattack.
How did this happen? You’ve put considerable effort into mitigating the risk of cyberthreats—staff education, encryption, and password polices, to name a few. Unfortunately, even with such protections in place, you can still become the victim of a cyberattack.
But hang on! You have cyber liability insurance. There’s no need to worry, right? That depends. Do you know the extent of the damage? Do you know what your policy covers? The answers to those questions will determine how concerned you should be.
What Went Wrong?
First, you’ll need to find out what information was involved in the cyberattack to determine if any confidential data was compromised. You’ll also want to look into how the breach happened. Was it because a scammer gained access to your firm’s data following a phishing attack? Was one of your employees the weak link?
If the incident occurred at your broker/dealer, which has its own cyber liability insurance policy, your B/D would likely cover data forensic expenses, extortion, notification costs, and credit monitoring for the affected individuals. If the breach happened on your end, however, you would be liable for the damages. If your firm is at fault, you will need to prove that your business did everything possible to prevent the breach and help minimize risk, such as taking proactive measures to ensure that proper security policies are in place and up to date.
Whether you are at fault or not, cyber liability insurance can’t mend a broken reputation. It can, however, help neutralize some of the costs associated with a cyberattack and help restore your business operations.
How to Choose the Right Coverage
Given everything we’ve discussed here and in yesterday’s post, you may be leaning toward purchasing a cyber liability policy. But how much coverage should you purchase? Following the three-step process described below can help you arrive at the best decision for your firm.
1) Assess your risk. If your office collects, transmits, stores, views, or interacts with personal information that hackers could use to identify a client, you are at risk for a cyberattack and need to ensure that your business is protected from what could go wrong.
Begin your assessment by getting a handle on your vulnerabilities. Do you, for example, have a hardware firewall and up-to-date antimalware and antivirus protection? Do you encrypt your hard drives and portable media? Do you regularly train your staff to be aware of information security issues? Have you enabled multifactor authentication, where possible, for all of your devices?
Answering no or I’m not sure to any of these questions means your—and your clients’—information may be at risk and you could benefit from cyber liability coverage. But even with the most robust information security programs, there’s always the chance that something might slip through the cracks. Taking a good look at scenarios that could leave your business vulnerable to attack can help you determine which coverage plans may be best for your firm.
For the second part of your assessment, you’ll want to evaluate whether you’ve done as much as possible regarding:
Governance and risk assessments: This includes creating an inventory of all the software and hardware in your office, as well as any device that’s connected to your network; developing policies for bringing devices to work and displaying information on screens or desks; and maintaining a data-retention policy.
Access rights and controls: This includes encryption, firewalls, password policies, and the like.
Data loss prevention: This includes verifying the identity of clients who request asset transfers and regularly updating your software.
Vendor management: This includes doing appropriate due diligence on potential vendors and signing contracts that govern data usage.
Training and awareness: This includes regular training on information security concerns for you and your staff, as well as training and best practices for your clients.
Incident response: This includes having an appropriate backup system in place, along with formal business continuity and incident response plans.
By understanding the controls you already have in place and the areas where you may be at risk, you can look to purchase a cyber liability policy that focuses on the coverage you need.
2) Research carriers and policy options. According to the 2017 Cost of Data Breach Global Study, the average cost of a data breach is $225 per client. So, although you may be reluctant to pay the premiums for yet another insurance policy, that cost is minimal compared with the out-of-pocket expenses your office could incur if it experiences a cyberattack.
Policy cost varies depending on the depth of coverage you select and the carrier you choose. When speaking to a potential insurance carrier, ask about the types of incidents covered and whether any “events” are specifically excluded from coverage. Because each financial services office is different and cyber liability insurance coverage varies from vendor to vendor, be sure to vet multiple policy options. You’ll also want to get the best value and price for what your business needs, so discuss pricing in detail with the carriers and inquire about deductibles.
3) Apply for your top choices. Once you have vetted a few insurance carriers, fill out an application with the companies whose quotes best fit your office’s needs. Ensure that the applications have been completed correctly, answering questions based upon the cybersecurity protocols your office employs. Once you are approved for a few policies, you can choose the right cyber liability policy for your needs based on the deductible, premiums, and coverage with which you are most comfortable.
A Plan for Prevention and Recovery
In today’s increasingly digital world, having a top-notch information security program in place is essential for protecting your business’s assets and your clients’ personal data. But as the threat of a cyberattack or breach grows, it’s best to be prepared not only to prevent an attack, but to make a full recovery from one as well. If you follow the steps outlined above and choose the right cyber liability policy for your business’s needs, you’ll be well equipped to handle any threat that comes your way.
Posted by Rachel Sonia
Cybersecurity incidents are occurring on a daily basis and at an increasing rate. Yet many small businesses still have not obtained adequate (or any) cyber insurance to address these risks and the costly impacts to the business that result. In a recent study completed by the Insurance Information Institute, only about a third of all small businesses polled responded that they have cyber insurance in place, with 70% of respondents replying that they have no plans to purchase a cyber insurance policy in the next 12 months. Most of the businesses indicated that they do not believe they have any need for cyber insurance, yet almost half of those same companies stated they are unprepared to handle cyber threats. A main reason for not purchasing cyber insurance was a lack of understanding about this type of insurance and the coverages available.
The Risks for Small Businesses
These statistics are alarming considering that the average cost of a cyber-related loss for a small business has increased 250% in the past two years, and now totals $188,400. In determining whether insurance coverage should be purchased, companies typically assess the perceived risks to the company, the likelihood of such risks occurring, and any costs or expenses that may result. For example, most companies regularly obtain a property policy to cover a fire or other casualty that may damage their business location even though such an event is unlikely or unexpected. Yet cyber incidents are just as likely, if not more likely, to occur, and the impacts to a company in the event of an incident are far worse. Many incidents result in a complete suspension of the daily operations of the company for several days or longer.
In addition to financial loss, companies may face the following as a result of a cyber incident:
Theft, breach or loss of information and data;
Damage to the company’s reputation, brand or image; and
Regulatory, governance and legal issues.
How Cyber Insurance Can Help
Cyber insurance policies can be obtained to address the losses related to a data breach and may include costs for investigating a breach, notifying people affected by a breach of personally identifiable information, managing the potential damage to reputation and other crisis-management expenses, recovering lost or corrupted data, and related legal expenses. More importantly, well-drafted policies can afford coverage for business interruption losses, i.e., the expenses and lost revenue resulting from a breached system and a company’s inability to continue its usual operations. Coverage may also be obtained for “cyber extortion,” which covers costs resulting from an extortion event such as ransomware or fraudulent wire transfers.
It is important to keep in mind that cyber insurance is only one component to consider when developing and implementing an overall risk management strategy to prevent cyber incidents. However, taking into account the exposure to a company if and when a cyber incident occurs, it is highly advisable to have this coverage in place.
Putting it Into Practice: Unlike other states that require companies to have a written security program in place (Alabama, Massachusetts, and Oregon), Ohio’s new law seeks to provide a strong incentive for companies to put a similar program in place without actually making a written program a requirement.
Effective November 2, 2018, companies that suffer a breach may have certain defenses in Ohio if they have a written cybersecurity program in place. Under this new law, companies can assert the existence of a cyber program as an affirmative defense in rebuttal to an argument that they failed to implement reasonable information security controls and that this failure resulted in a breach. The definition of breach (and of the personal information that, if impacted, gives rise to a duty to notify) is identical to Ohio’s existing breach notification law. The defense is available if the company has a written program in place and that program conforms to “industry-recognized frameworks” like the National Institute of Standards and Technology’s Framework, ISO 27000, FedRAMP, PCI Standards, the Security Rule of the Health Insurance Portability and Accountability Act, or the Safeguards Rule of the Gramm-Leach-Bliley Act. Anticipating that these frameworks may be amended from time to time, the law gives companies a year to modify their programs to get into compliance with the amended law. Programs must meet minimum criteria to qualify. These include (1) protecting the security and confidentiality of the information, (2) protecting against anticipated threats or hazards, and (3) protecting against unauthorized access to and acquisition of the information. The program would be right-sized to take into account the size of the business, the nature of its business, the type of information, the cost of protection tools, and the resources available to the company. The drafters emphasized that this provision does not give rise to a private right of action.
In its 2018 enforcement report, the North American Securities Administrators Association said that, for the first time, state regulators pursued more registered investment advisers in disciplinary cases than broker-dealers.
In 2017, there were 377 RIA firms and investment advisers named in enforcement actions, a 32% increase over 2016, and 270 brokerages and their registered representatives named, an 11% decline. The 2018 NASAA report reflects 2017 results.
The crackdown on RIAs makes sense, given that the total number of RIA firms has grown by 20% — from 25,073 in 2008 to 30,193 in 2017 — while the number of brokerage firms has declined by 24% — from 3,969 to 3,132 — over the same period, according to an analysis by the consulting firm RIA in a Box based on an industry snapshot by the Financial Industry Regulatory Authority Inc.
Growth of the RIA sector probably won't slow down, and neither will RIA enforcement.
"This is unlikely to be a one-year anomaly, but more likely a continuing trend," said GJ King, president of RIA in a Box.
The migration of RIAs from registration with the Securities and Exchange Commission to the states has also contributed to the increase in enforcement cases, according to Christopher Gerold, chief of the New Jersey Bureau of Securities and chairman of the NASAA enforcement committee.
The number of state-registered advisers grew from 13,799 in 2008 to 17,534 in 2017. The biggest jump came from 2011 to 2012, when about 3,000 RIAs switched from SEC to state registration due to a Dodd-Frank law requirement that advisers with less than $100 million in assets under management move to state oversight. Previously that threshold was $25 million.
"States are catching up with their examination programs and bringing more actions," Mr. Gerold said. "State regulators are taking their examinations very seriously."
In putting together its enforcement report, NASAA did not survey states on the types of actions filed against RIAs. But in his practice, one compliance lawyer said the primary compliance problem he sees with small RIAs is conflicts of interest.
"A good number of IAs tend to have the same conflicts they had as B-Ds, and they're not really mitigating those conflicts," said Brian Hamburger, president of MarketCounsel. "Just because you're smaller, it doesn't give you a pass on mitigating conflicts."
"You're going to see more enforcement actions on senior protection at the state and federal level," Mr. King said. "RIAs can be vulnerable given the amount of retirement business a lot of them do."
As more RIAs are subject to enforcement and more brokers become RIAs, the debate over whether RIAs or brokers are more heavily regulated is likely to heat up.
"Another contributing factor is that broker-dealers tend to have more robust internal compliance departments with policies and procedures in place that prevent securities violations and subsequent enforcement actions," Eleonora Zlotnikova, a securities attorney at Sam P. Israel, wrote in an email.
Mr. Gerold said the increase in state RIA enforcement reflects the fact that states are the only regulator with responsibility for small RIAs.
"I'm not saying that IAs are better or worse than B-Ds or vice versa," he said. "It's a product of who is the primary regulator of the segment of the financial market."
The SEC is more focused on preparedness, cyber chief Robert Cohen said at a NASAA Cybersecurity Roundtable.
In assessing firms’ cyber preparedness, the Securities and Exchange Commission is “looking for firms that have significant risks that they aren’t disclosing,” Robert Cohen, head of the agency’s cyber unit, said Monday.
Speaking on a panel at the North American Securities Administrators Association’s cyber roundtable in Washington, Cohen stated that it’s not the “SEC’s approach to dictate specific [cyber] controls” on regulated entities. “I don’t know that that’s the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they’re doing and see if they’re prepared.”
“For the commission to dictate you must do this, you must do that, sometimes we’ll publicize best-practice issues … but generally, if the commission dictated something, I’d be concerned that it gets out of date really quickly.”
The best source of expertise in the cyber realm, he added, “is within the industry and the consultants they employ.”
What does the SEC look for when assessing firms’ preparedness?
“Really you can learn a lot just by asking firms what they do to prepare” for cyber breaches, Cohen said.
Cohen cited the recent charge against Voya Financial Advisors Inc. for violating Regulation S-P, or the Safeguards Rule, and the Identity Theft Red Flags Rule as “a classic mistake that we see.”
Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information, “had policies and procedures and controls, but really didn’t enforce it across the board,” Cohen said.
The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Cohen, when the complaint was filed in late September. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
FBI Has Doubled Agents in Cyber Program
Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes “billions of dollars of losses every year,” and is the FBI’s third priority behind counterterrorism and counterintelligence.
“We’re continually banging our heads against a wall to try to figure out how we can better combat this,” he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.
“As we look into cybercrime, very rarely does it not cross international borders,” he added.
Business email compromise continues to be one of the top scams, with an average loss of $130,000.
Also “synthetic ID” is becoming a more prevalent scam against financial institutions, he said.
“An actor will take a real Social Security number and changing some of the variants of the personal identifying information and creating a ‘synthetic ID’ — a nonexistent person — they apply to some different credit lines, they had no credit to begin with … but then once you get denied credit, it actually creates a credit file. … Once they have that credit file established, they will attach it to someone else’s credit — someone with good credit — … and over the course of six months that score will go from 300 up to 750, they’ll detach it, and then they’ll start opening bank accounts, credit cards…”
Financial institutions are “really struggling with this,” Floyd said.
NASAA President-elect Frank Borger-Gilligan, who also serves as the assistant commissioner of the Tennessee Securities Division, within the state Department of Commerce & Insurance, noted at the roundtable that “last year, more than half of the adult online population in the U.S. were victims of cybercrimes,” according to a 2017 Norton Cybersecurity Insights report.
Globally, cybercriminals stole $172 billion from 978 million consumers in over 20 countries in 2017. Cybercriminals, it was estimated, cost the world economy more than $600 billion last year, Borger-Gilligan said.
More alarming, he continued, financial services firms were “three hundred times more likely to be targeted than traditional American companies.”
Last year, 61% of cyber victims were small businesses — which continue “to be the low-hanging fruit for cybercriminals,” Borger-Gilligan said. “Smaller companies often lack the IT resources, the robust network defenses, and they mistakenly assume that they’re too small to be targeted.”
Couple this with the fact that 78% of nearly 18,000 state-registered investment advisors are one- to two-person shops, he added. “So it is clear how important the issue of cybersecurity is for our regulators.”
More work is planned in the year ahead. This year, Borger-Gilligan said, NASAA is considering whether to adopt a model rule, which will provide “more direction to advisors and baseline protection for investors.”
He noted that NASAA’s Investment Adviser Section also recently published a model rule for public comment, which would require advisors to “adopt policies and procedures regarding information security,” and will require them to deliver the policy annually to clients.
The comment period closes on Nov. 26.
In the first enforcement of the Identity Theft Red Flags Rule, the U.S. Securities and Exchange Commission (SEC) fined Voya Financial Advisors, Inc. $1,000,000 for failing to provide training on and reasonably design its written policies and procedures to mitigate identity theft. On September 26, 2018, the SEC announced a settled enforcement action against Voya, a dually registered broker-dealer and investment advisor, arising from a cyber intrusion that compromised personal information of thousands of customers.
The SEC’s order describes a six-day period in 2016 during which cyber intruders impersonated Voya contractors by calling Voya’s support line and requesting that their passwords be reset. With the new temporary passwords, the intruders obtained access to the personal information of 5,600 Voya customers. From there, they were able to use that information to create new online customer profiles and gain access to account documents for three customers. There were no unauthorized transfers of funds or securities from Voya customer accounts.
The SEC alleged that Voya had violated the Safeguards Rule, which requires broker-dealers and investment advisers to adopt written policies and procedures that provide for the protection of customer records and information, and the Identity Theft Red Flags Rule, which requires them to develop and adopt a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft.
Voya had written policies and procedures, but the SEC alleged that in light of Voya’s business model and risk profile, they were not reasonably designed to: “(1) insure the security and confidentiality of customer records and information; (2) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (3) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Significantly, several of Voya’s cybersecurity policies and procedures were not reasonably designed to be applied to its contractor representatives or to their remote systems, and they were not updated to reflect changes in the risks to customers from identity theft. Moreover, Voya failed to provide training specific to preventing identity theft. Accordingly, the intruders were able to obtain access because of weaknesses in those procedures, some of which had been exposed by previous fraudulent activity. The SEC order includes a detailed description of how the intruders obtained access, and it should be required reading for everyone who establishes or oversees a cybersecurity program.