Why states should push forward with cyber laws

The list of Democratic presidential candidates continues to grow, and three of those hopefuls offer backgrounds and legislative records that could help advance the issue of cybersecurity standards at the federal level.

Sen. Kamala Harris (D-Calif.) last year co-sponsored a bipartisan bill to improve cybersecurity at U.S. ports as well as the Secure Elections Act. Sen. Kirsten Gillibrand (D-N.Y.) teamed with Republican Sen. Lindsey Graham (R-S.C.) on legislation to push for a more rigorous investigation into Russian election interference. In addition, Sen. Elizabeth Warren (D-Mass.) introduced legislation in response to the Equifax data breach. Additionally, President Trump recently signed the SECURE Technology Act, which requires the Department of Homeland Security to establish a security vulnerability disclosure policy and a bug bounty pilot program, and to set supply chain risk management standards.

In fact, according to The Washington Post, “all six U.S. senators that threw their hats in the ring for the Democratic nomination have co-sponsored bills aimed at protecting election systems against Russian hackers.”

At no other time has cybersecurity been at the forefront of so many federal legislative efforts and conversations. While it’s encouraging to see cybersecurity getting much-deserved attention from politicians seeking the highest office, it could be argued that these efforts are doomed to fail.

Don’t Let Your Cybersecurity Policy Slip

The SEC has been clear on what it expects from advisors on data protection. Are you up to speed?

By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cyber-security legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.

The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:

• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.

• Access Rights and Controls, that is, whether advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and an evaluation of the way in which they manage user credentials, authentication, and authorization methods.

• Data Loss Prevention, which would include analyses of how advisors monitor: 1) the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and 2) unauthorized data transfers.

• Vendor Management, including an assessment of an advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.

• Training, which could focus upon the ways in which advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or downloading attachments from an unknown source.

• Incident Response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible data breaches.

Cary also mentioned that a critical footnote in the September 2015 OCIE Risk Alert references Regulation S-P, Rule 30(a), which requires advisors to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Those policies and procedures must be reasonably designed to:

1. Insure the security and confidentiality of customer records and information;
2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Within this Risk Alert, the footnote signals that RIAs that do not adopt written policies and procedures to address the risk of data breaches/unauthorized access through hacking or electronic means are potentially violating Rule 30(a).

When OCIE announced its 2019 examination priorities, it specifically indicated it will emphasize cybersecurity practices at investment advisors with multiple branch offices, including those that have recently merged with other investment advisors. Now advisors need to pay close attention to what their written cybersecurity policies require.

Generally, we recommend that advisors conduct a review of their cybersecurity policy at least annually. In the process, they should evaluate whether to update the cybersecurity policy, procedures, or infrastructure based upon the risks the firm faces. The annual review also should ensure that the firm has been compliant with all policy requirements (such as maintaining inventories, sign-in sheets for education/review sessions, tracking access rights, etc.) and that the written cybersecurity policy reflects current information and practices.

In summary, the SEC has made its position clear. Have you kept pace?

Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark. He can be reached at tgiachetti@stark-stark.com.

A Regulatory Tsunami Is Coming: Are You Prepared?

Compliance will be an increasingly challenging business issue in 2019. Consider the 'Office of Compliance' that Xerox has already established to deal with the complexity.

Regardless of how any business leader personally feels about data-privacy regulations, they seem destined to grow stronger.

In December, a coalition of more than 200 banks, retailers and tech companies called on Congress to draft stricter privacy legislation. Coalition members said they believed that all companies should be subject to the same rules, regardless of their size or industry, and that there should be a national standard for data-breach notifications.

The fact that private industry was itself calling for legislation is significant. Companies are now acutely aware of the financial and public relations fallout from data breaches, so much so that they are actually asking lawmakers to hold them to higher standards. The public is equally anxious about data privacy.

And it's that combination that makes it extremely likely that tougher data regulations are headed down the pipeline.

All this comes on the heels of the General Data Protection Regulation's (GDPR) implementation in the European Union last spring, plus the passage of the California Consumer Privacy Act last summer. Congressional Democrats and Republicans are currently butting heads on the issue, with the GOP interested only in a federal law that would supersede any state regulations.

What does small business think of all this? Considering that California's law goes into effect in January 2020 and that nearly every other state has proposed various data privacy legislation, small businesses are obviously eager to avoid a potential patchwork of state laws. The regulatory waters are already choppy enough.

Some industries, like finance, are accustomed to data regulations. Considering the scope of potential new regulations, that finance sector experience won’t count for much, however. For the simple fact is that every company in America needs to prepare for new compliance challenges throughout 2019.

Have you thought about what compliance means to you?

The costs 

Most companies expect pending regulations to be modeled on the GDPR that now applies to every business serving customers in the European Union. GDPR levies fines for every single record that is exposed in a breach, meaning fines can run into the millions (or even billions) of euros (do the math for $U.S.).

If the size of those numbers is troubling, consider the likelihood of a fine. Forthcoming regulations will obligate companies to take a whole new approach to data and customer engagement. Adjusting to complex, wide-ranging new regulations won’t be easy. Companies may be eager to comply but find themselves in trouble because they’re unable.

The ever-increasing threat of cybercrime is another worry. Today’s hackers are both tenacious and sophisticated, making cybersecurity incredibly difficult to ensure. Following whatever regulations are released won’t make companies immune to attack or exempt from fines -- though it will make them better protected than they are today.

Making compliance simple and certain

We don’t yet know what form any new regulations might take or how they would affect individual companies. Luckily, the details are not necessary for businesses to begin building a better approach to compliance. The goal is to make managing compliance simultaneously easier and more consistent. Start with these steps:

1. Collect data from across channels. 

Don’t think of data as "regulated" versus "unregulated." All data is potentially sensitive, so instead of protecting some data, companies should begin protecting all data equally. That starts with businesses being able to collect data from as many sources as possible for storage on one platform that’s been standardized for compliance.

Xerox recognized the value of standardization when, in 2017, it established an Office of Compliance, which strives to create a positive corporate compliance culture by helping employees do diligent work, and ensuring that senior leaders and all members of management send consistent messages. This office also constantly reviews and updates corporate policies to align with evolving regulatory and legal requirements.

Such top-down coordination will be essential once fast-moving data in multiple formats becomes subject to privacy laws. Think of it as a dedicated compliance team that's entrusted to stay abreast of each new development and respond accordingly.

Companies of all sizes should copy Xerox and make an effort to codify their compliance protocols -- the sooner, the better. Just make sure to stay open to the possibility of procedural changes, as forthcoming regulations will surely require flexibility as they are introduced and enacted.

2. Facilitate internal and external audits.

Audits are crucial for compliance. Complying with auditors often means turning over massive amounts of information. Alternatively, conducting internal audits allows companies to find and correct issues before the regulators even arrive. In either case, companies need to have on-demand access to all their data; otherwise, any kind of audit is a burden.

Having all data on a platform accessible with unified search makes retrieval basically effortless. Nikon understands that a fast response is important -- so much so that it has developed independent systems. These systems enable the company's internal audit department to review compliance with laws and regulations, as well as with internal rules, without interference from operational divisions.

An overview of each department’s annual activities -- to determine primarily whether divisions' operations are being conducted in accordance with laws and regulations, as well as to create proposals for improvement -- is provided to the company’s executive committee and board of directors.

Picture how much easier external investigations will be to manage after your company performs numerous dry runs. Practice makes perfect. As regulations evolve over the course of 2019 and beyond, reacting and adapting fast will be key. Get a head start by instituting a system of internal audits as soon as you can.

3. Practice good governance.

Regulations dictate how a company must act both before and after a breach. Because of that increased scrutiny, companies must become hyperaware of data security. If, for instance, a breach went undetected, and therefore unreported, the resulting fine could be multiplied. Considering how unpredictable cybersecurity can be, companies need to have plans and policies detailing exactly how to act after a breach.

SEC Cyber Enforcement Examination Initiative

SEC Examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls. In order to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness, this Initiative will focus on the following areas:

• Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

• Access Rights and Controls: Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.

• Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.

• Vendor Management: Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

• Training: Without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

• Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

While these are the primary focus areas for the Cybersecurity Examination Initiative, examiners may select additional areas based on risks identified during the course of the examinations. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks, OCIE is including, as the Appendix to this Risk Alert, a sample request for information and documents to be used in this Initiative.

III. Conclusion

In sharing the key focus areas for the Cybersecurity Examination Initiative and the attached document request, the NEP hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?

Firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

The SEC has, in the past, largely taken a softer approach to encouraging compliance in the cyber-security arena, but the agency now appears ready to bring significant enforcement actions for cyber-related missteps. Public companies and entities registered with the SEC would do well to heed the SEC’s admonitions and take a close and careful look at their cybersecurity-related policies and procedures to ensure full compliance.

After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and bringing several first-of-their-kind cybersecurity enforcement actions—foretells that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

The SEC’s Focus on Cybersecurity

Since his confirmation as SEC Chair in 2017, Clayton has made cybersecurity one of the SEC’s main priorities. In 2017, Clayton formed the cybersecurity working group, an initiative to coordinate information sharing, risk monitoring, and incident response throughout the SEC. In discussing the working group, Clayton defined the SEC’s cyber focus as “identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.” See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

In September 2017, the SEC also announced the creation of a Cyber Unit. The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate a wide-range of cyber-related threats, including (1) market manipulation schemes involving false information communicated electronically; (2) hacking to obtain material nonpublic information; (3) fraud involving blockchain technology and “initial coin offerings”; (4) hacking into retail brokerage accounts; and (5) cyber threats to trading platforms and market infrastructure. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.” SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017).

Since its creation, the Cyber Unit has wasted little time in bringing cases. According to the Enforcement Division’s 2018 Annual Report, during 2018, the SEC brought 20 stand-alone cases related to cybersecurity and has 225 cyber-related investigations that it deems “ongoing.” See SEC Annual Report, Division of Enforcement (Nov. 2, 2018). In several cases, the enforcement actions were first-of-their-kind, as discussed below.

The SEC’s focus on cybersecurity also appears to be driven by its own experience with cybersecurity issues. The same month that the SEC announced the creation of its Cyber Unit, the SEC announced that it, too, had experienced data breaches. In an extended Statement on Cybersecurity that likely is also intended to serve as a model for public companies in discussing their own material cybersecurity risks and incidents, Clayton announced a number of cybersecurity risks and data incidents affecting the SEC, the most significant of which involved hackers gaining access to the SEC’s EDGAR filing database in 2016 to steal unreleased corporate filings that potentially contained material nonpublic information. See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

Public Company Cybersecurity Disclosures

Cyber Disclosure Guidance. One of the centerpieces of the SEC’s enhanced cybersecurity strategy is in encouraging public companies and issuers to be transparent with the investing public about their material cyber risks and incidents. In September 2017, Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.” C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017). Perhaps exemplifying the SEC’s concerns, that same month, credit reporting agency Equifax disclosed that an unknown attacker had stolen personally identifiable information of approximately 145 million consumers. K. Coen, Populist Pitchforks Come Out: Insider Trading and Equifax, Law360 (Nov. 6, 2017). Equifax faced immediate public criticism over the timeliness and adequacy of its disclosure, which came approximately six weeks after it discovered the breach. Further, questions were raised about potential insider trading by four Equifax executives, including the Chief Financial Officer, all of whom collectively sold $1.8 million of Equifax shares between the time the breach was discovered and when it was disclosed to the public. Id. An internal review ultimately cleared those executives of any wrongdoing.

In February 2018, and consistent with the SEC’s focus on disclosure—and perhaps in response to the Equifax breach—the SEC published revised guidance regarding public company disclosures about material cyber risks and incidents (2018 Guidance). See SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018). The 2018 Guidance consolidated and built upon the SEC’s prior guidance on disclosure obligations relating to cybersecurity, particularly the Division of Corporation Finance’s guidance from 2011. Among other things, the 2018 Guidance addresses topics such as: (1) the criteria for determining whether a cyber risk or incident is “material”; (2) how promptly companies must disclose material cyber incidents; (3) the level of specificity required when disclosing material cyber risks; and (4) the need to adopt policies and procedures to prevent insider trading on as-yet undisclosed cyber incidents.

Disclosure-Related Enforcement Actions. At the time the 2018 Guidance was released, it was still unclear whether the SEC would bring an enforcement action against an issuer that failed to disclose material cyber risks or incidents to the investing public. Previously, Stephanie Avakian said that she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures. J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (April 20, 2017).

That uncertainty was resolved in April 2018, when the SEC announced its first-ever enforcement action against a public company for failing to disclose a breach. The enforcement action involved Yahoo, which the SEC alleged had misled shareholders by not disclosing in its public filings for nearly two years a data breach that affected hundreds of millions of its internet email subscribers. See SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018). The Yahoo breach only came to light as a result of merger discussions with Verizon, which sought to purchase the company. According to the SEC, Yahoo’s senior management and legal staff allegedly “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.”

The SEC further noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, the breach should have been disclosed in the company’s regular periodic reports. The company ultimately agreed to pay a $35 million fine.

In the case of Yahoo, the failure to disclose the breach had a clear effect on the company’s shareholders, who saw Verizon reduce its purchase price for Yahoo by $350 million after the breach was disclosed. In announcing the Yahoo enforcement action, Steven Peikin, co-director of Enforcement, observed that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Id.

It remains to be seen whether the SEC will take any actions with respect to Equifax for its six-week delay in disclosure of its 2017 breach. However, in March and June of 2018, the SEC charged two former Equifax employees with trading on material nonpublic information related to the Equifax breach. See SEC Press Release 2018-40, Former Equifax Executive Charged With Insider Trading (March 14, 2018) and SEC Press Release 2018-115, Former Equifax Manager Charged With Insider Trading (June 28, 2018). The U.S. Department of Justice also brought parallel criminal insider trading charges against these individuals. Notably, the two individuals charged were not included among the four Equifax executives who were initially suspected of engaging in potential insider trading.

The charges against these individuals highlight the challenge public companies face in managing information related to a breach among their employees prior to public disclosure. In Equifax’s case, neither defendant was told about the breach directly. Instead, Equifax provided them with a false cover story to explain the breach mitigation work they were asked to perform. Because the defendants were not told about the breach, they were also not expressly instructed that a blackout had been imposed on Equifax share sales. The defendants eventually pieced together the clues about the breach and sold their shares prior to the company’s public disclosure of the breach.

Data Security Safeguards

In addition to cybersecurity disclosures, the SEC has also reaffirmed its commitment to seeing registered entities such as broker-dealers and investment advisers implement appropriate data security programs to protect their systems and customer data.

For example, the 2019 examination priorities of the SEC’s Office of Compliance Inspections and Examinations (OCIE) again feature cybersecurity as a top priority. See SEC 2019 Examination Priorities, Office of Compliance Inspections and Examinations (Dec. 20, 2018). Among other things, OCIE continues to stress the importance of cyber risk assessments, access rights, vendor management, training, and data loss prevention for firms. The scope of focus, however, has sharpened over the last year to include the configuration of network storage devices, policies and procedures related to retail trading information security, and practices at investment advisers with multiple branch offices or that have recently merged with other investment advisers. Further, for entities that maintain critical market infrastructure, OCIE will examine compliance with SEC Regulation SCI, which requires such entities to maintain policies to protect their systems’ capacity, integrity, resiliency, availability, and security.

Given the SEC’s sharp focus on cybersecurity compliance issues for broker-dealers and investment advisers, one would expect to see a corresponding focus by the Enforcement Division on these issues as well. And, in fact, in September 2018, the SEC brought another first-of-its-kind enforcement action that, notably, was based on a referral from an OCIE examination. See SEC Press Release 2018-213, SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018). In that action, a mid-sized broker-dealer and investment adviser was fined $1 million for alleged cybersecurity lapses that allowed hackers to access client Social Security Numbers, account balances and details of client investment accounts. In addition to finding a violation of Regulation S-P—the SEC’s Safeguards Rule—the SEC dusted off its “Identity Theft Red Flags Rule” to censure the firm. The Identity Theft Red Flags Rule—also called “Regulation S-ID”—requires designated financial firms to develop and implement a written identity theft prevention program “designed to detect, prevent, and mitigate identity theft” for investment accounts. The rule also requires board oversight of the identity theft program. Although the SEC had adopted the red flags rule five years ago, it had not been used in an enforcement action until now.

2018 SEC Annual Report

Policing Cyber-Related Misconduct

Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber-related misconduct has steadily increased. In FY 2018, the Commission brought 20 stand-alone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues.

Reducing the greatest cyber security risk -- the one from within

NEW YORK (Thomson Reuters Regulatory Intelligence) - The greatest cyber security risk to an investment advisory firm may be its staff; therefore, a training and education program that addresses relevant cyber threats is vital.

In 2019, investment advisers must, among their most important cyber security steps, train staff to identify phishing emails, secure and protect company devices and take steps to verify the movement of client funds. The increased use of automation and reliance on electronic communications can cause a firm employee to unknowingly allow an unauthorized party to access company systems and ultimately access clients’ non-public information or funds. Therefore, a firm that includes the education of firm staff in its overall plan against cyber-attacks will be best prepared to keep its infrastructure intact.


Cyber security is one of the greatest risks currently facing the financial-services industry, and a perennial examination priority for the Securities and Exchange Commission.

The SEC has prioritized cyber security during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

Specifically, in the 2019 exam list, the SEC has added emphasis on the cybersecurity practices of investment advisers with multiple branch offices, including those that have recently merged with other advisers.


The forms of electronic communication have expanded; however, email continues to be the primary channel for most investment advisers. Phishing is a type of online scam in which criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. A firm’s email administrator or system may not always identify these types of emails; therefore, firm associates must be able to recognize them before any action is taken. In many cases, once the sensitive information is given to the scammer, they will have access to account numbers, passwords, usernames, and more, and be able to use them to commit fraud.

A firm’s associates should be aware of suspicious emails that do not use the individual’s name. For example, if a bank or brokerage firm were notifying an individual of an issue, the firm would know and use the customer’s name.

Also, the sending email name should match the sender. Therefore, ensuring that the sender’s email address in the header matches the display name is prudent.

In addition, a phishing email will often be unsolicited or unexpected and contain grammatical or spelling errors and unnecessary capitalization. A firm individual must be wary of attachments or links as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware.

When a link is present, the best policy is to open a new browser tab and reach the site by manually searching for it or typing its address, rather than clicking the link in the email.

Lastly, a firm individual must alert the compliance department or proper authority once a phishing email is identified. Phishing attempts can also spill into social media, so diligence must extend beyond email.
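The checklist above (display name versus actual sender address, a generic greeting instead of the customer’s name, urgency and credential language, unnecessary capitalization, links whose visible text disagrees with their real target, and unexpected attachments) can be turned into a simple heuristic scorer that a compliance or IT team runs over inbound mail before it reaches an adviser’s inbox. The following Python block is an added example and is not code from the Thomson Reuters piece or from any vendor; the two sample messages, the domains, IP address, names and the phrase lists are all constructed for the demonstration.

```python
"""Heuristic phishing-indicator scoring for raw RFC 5322 messages.

Added example (not from the original article). Each check mirrors one item
of the article's checklist; every hit adds one point to the score. The
sample messages and all names/domains below are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed phrase lists; a real deployment would tune these to the firm.
GENERIC_GREETINGS = ("dear customer", "dear client", "dear user", "dear valued", "dear account holder")
URGENCY_PHRASES = ("verify your account", "account will be suspended", "confirm your password", "immediately", "urgent")
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".docm", ".xlsm", ".hta", ".iso", ".lnk")


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased host of a URL or bare domain, with a leading 'www.' dropped."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _bodies(msg):
    """Yield (content type, decoded text) for every text/* part of the message."""
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            yield part.get_content_type(), payload.decode(part.get_content_charset() or "utf-8", "replace")


def analyze(raw, recipient_name):
    """Score one raw message; returns {"score": int, "indicators": [str, ...]}."""
    msg = message_from_string(raw)
    indicators = []

    # 1. Display name vs. the address actually in the From header (and Reply-To).
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    name_tokens = [t.lower() for t in re.findall(r"[A-Za-z]{4,}", display)]
    if "@" in display and display.lower() != addr.lower():
        indicators.append(f"display name is an address ({display}) that differs from sender {addr}")
    elif name_tokens and not any(t in from_domain for t in name_tokens):
        # Heuristic: organisational display names ("Acme Bank") should share a token with the domain.
        indicators.append(f"display name '{display}' does not match sender domain {from_domain}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != from_domain:
        indicators.append(f"Reply-To domain differs from From domain ({reply})")

    # 2. Generic greeting, recipient's name never used.
    text = msg.get("Subject", "") + " " + " ".join(body for _, body in _bodies(msg))
    lowered = text.lower()
    if recipient_name and recipient_name.lower() not in lowered and any(g in lowered for g in GENERIC_GREETINGS):
        indicators.append("generic greeting; recipient's name never used")

    # 3. Urgency / credential-harvesting language.
    hits = [p for p in URGENCY_PHRASES if p in lowered]
    if hits:
        indicators.append("urgency or credential language: " + ", ".join(hits))

    # 4. Unnecessary capitalization: three or more shouted words of four-plus letters.
    shouted = re.findall(r"\b[A-Z]{4,}\b", text)
    if len(shouted) >= 3:
        indicators.append(f"excessive capitalization ({len(shouted)} all-caps words)")

    # 5. Links whose visible text names a different host than the real target.
    for ctype, body in _bodies(msg):
        if ctype == "text/html":
            collector = _LinkCollector()
            collector.feed(body)
            for href, shown in collector.links:
                if href and re.search(r"[a-z0-9-]+\.[a-z]{2,}", shown.lower()) and _host(shown) != _host(href):
                    indicators.append(f"link text '{shown}' hides real target {_host(href)}")

    # 6. Unexpected attachments of risky types.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            indicators.append(f"risky attachment type: {filename}")

    return {"score": len(indicators), "indicators": indicators}


# Constructed sample: a credential-phishing message that trips every check.
PHISH = """\
From: "Acme Bank Support" <alerts@secure-login-verify.example>
Reply-To: recover@mailbox-recovery.example
To: jane.doe@adviserfirm.example
Subject: URGENT: Verify Your Account NOW
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Dear Customer,</p>
<p>ACTION REQUIRED: Your account will be suspended IMMEDIATELY unless you visit
<a href="http://198.51.100.23/login">www.acmebank.example/secure</a>
and confirm your password.</p>
--b1
Content-Type: application/zip; name="statement.zip"
Content-Disposition: attachment; filename="statement.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: a routine notice that uses the customer's name and matching sender.
LEGIT = """\
From: "Acme Bank" <service@acmebank.example>
To: jane.doe@adviserfirm.example
Subject: Your March statement is available
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"

Dear Jane Doe,

Your March statement is now available. Sign in at acmebank.example as usual
to view it. No action is required.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, analyze(raw, "Jane Doe"))
```

The score, not any single indicator, should drive review: the display-name check will also flag a personal sender such as "Jane Smith" whose surname does not appear in her employer’s domain, so a firm would treat a score of one as noise and route higher scores to the compliance department the article names.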

ADVISOR ARMOR FINRA/SEC/NYDFS Core Cyber Security Compliance Controls for Small and Multi-Branch Firms

The following list identifies core controls that a firm needs to evidence in order to demonstrate its cybersecurity program. To establish an effective program, however, firms will need to consider these measures in the context of their business model and technology infrastructure.

Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls.

Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”).

Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives.

Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies.

Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware.

E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers.

Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an intrusion detection and prevention system.

Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if you notice something suspicious. Consider implementing an ongoing phishing awareness campaign.

Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts.

Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and use of all removable data storage devices, including CDs and flash drives.

Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and of vulnerabilities or breaches that may affect the firm.

Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls.

Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.


OCIE and FINRA Set Exam Priorities and FINRA Issues Cybersecurity Tips: Regulatory Update for February 2019

For Investment Advisers: SEC Actions

OCIE Announces 2019 Examination Priorities: The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 exam priorities on December 20, 2018.  OCIE’s priorities haven’t changed much from 2018, and include topics addressed in the 2018 Risk Alerts and the feedback received from OCIE’s outreach program.  OCIE’s six “themes” for 2019 are:

  1. Protection of retail investors, including seniors and those saving for retirement;

  2. Compliance and risk management for firms responsible for critical market infrastructure, such as clearing firms, securities exchanges, transfer agents, and compliance with Regulation SCI which requires written policies and procedures surrounding technology and systems infrastructure;

  3. Oversight of FINRA & MSRB and their operations, regulatory programs and examination quality;

  4. Scrutiny of broker-dealers, investment advisers, and trading platforms dealing with digital assets, including cryptocurrencies, coins, and tokens;

  5. Cybersecurity issues, focusing on advisory firms with multiple branch offices and firms that have merged with other RIAs.  OCIE continues to stress the importance of risk assessments, access rights, vendor management, training, and data loss prevention.

  6. Anti-Money Laundering Programs in broker-dealers, focusing on whether broker-dealers are filing Suspicious Activity Reports (SARs), independently testing their AML program and identifying suspicious and illegal activities.

As discussed in 2018 Risk Alerts, OCIE will continue to focus on disclosure of fees and expenses and conflicts of interest.  Unsurprisingly, the receipt of 12b-1 fees and mutual fund share class selection continue to be hot topics, along with arrangements with affiliated service providers.  A newer area of concern is securities-backed non-purpose loans and lines of credit.  OCIE will be reviewing the incentives received by advisers and broker-dealers for recommending these loans.  Financial exploitation of seniors is another area of concern, so firms should address this issue in their compliance programs.  Contributed by Heather Augustine, Senior Compliance Consultant

Regulatory Review 2018: HCC put together a list of the top regulatory hot buttons from 2018 to help you focus your compliance efforts in 2019.

11 Key Takeaways for Updating your Compliance Program in 2019: HCC put together a review of the regulatory landscape in 2018, with a list of 11 recommendations for updating your compliance program.

Investment Advisers Compliance to Do List for 2019: For investment advisers, private and hedge fund managers:  a handy list of regulatory deadlines for 2019 for updating your compliance calendar.

Form ADV Update deadline: Procrastinators beware!  Investment advisers with a fiscal year end of December 31 have until Sunday, March 31, 2019, to file the Form ADV update.  IARD will be open on March 31, from 10am-6pm Eastern Time.  Consequently, the deadline for filing an annual updating amendment will NOT be extended to Monday, April 1, 2019.

For Broker-Dealers:  FINRA Actions 

FINRA Provides Additional Guidance to Enhance your Cybersecurity Program:  FINRA’s Report on Selected Cybersecurity Practices – 2018 is a follow-up to its initial Report on Cybersecurity Practices, published in 2015.  FINRA’s 2018 report highlights effective practices used by member firms to address emerging cybersecurity threats.  It focuses on member firms’ primary challenges and the most frequent examination findings.  These topics include branch office controls, social engineering by hackers, identification and mitigation of internal threats, penetration testing and managing mobile devices.  The Report’s Appendix is a great resource that provides a list of core cybersecurity controls for small firms.  As you review your cybersecurity program in 2019, consult FINRA’s Cybersecurity page for additional resources that will help you strengthen your program.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

Broker-Dealer Compliance to Do List for 2019: For broker-dealers, a list of regulatory deadlines for 2018.

Broker-Dealer 2018 Regulatory Year in Review: A summary of 2018 rule changes, enforcement actions and regulatory developments for broker-dealers for 2018.

Broker-Dealers! Be Sure to Whitelist noreply@finra.org:  FINRA announced, through Firm Gateway, that it will begin sending Information Request email notifications to firms using Amazon Simple Email Service (SES).  To ensure you continue to receive FINRA’s notices regarding Information Requests, FINRA suggests that you work with your IT department/provider to whitelist the email address, noreply@finra.org.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

2019 Annual Entitlement User Accounts Certification Process:  This year, the certification window will open on April 22nd and end on June 21st.  FINRA will send a notification to the firm’s Super Account Administrator (SAA) to complete the certification through WebCRD/IARD.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

FINRA 2019 Annual Risk Monitoring and Examination Priorities Letter:  On January 22, 2019, FINRA published its annual Examination Priorities Letter.  This year FINRA broadened the scope of its priorities letter to include specific areas of focus on risk monitoring.  As in prior years, the letter addresses specific examination topics but does not include many of the mainstay topics that have been repeatedly covered.  Stay tuned for our blog post on these priorities!  Contributed by Doug MacKinnon, Senior Compliance Consultant

For Hedge Fund Managers – NFA Member Firms  

NFA Members Need to Update Cybersecurity Programs: On January 7, 2019, the National Futures Association (“NFA”) amended its interpretative Notice 9070 on Information Systems Security Programs (the “Cybersecurity Notice”).  The amendment states that NFA members are required to train their employees upon hiring and at least annually and to identify the topics covered by the training program.  Members are also required to notify the NFA of cybersecurity incidents (1) resulting in a loss of capital, or a loss of customer or counterparty funds, and (2) if the NFA member is required to notify customers or counterparties under state or federal law.  The amendment also changed the approval requirements for a member’s Information System Security Program (ISSP).  The Cybersecurity Notice is effective on April 1, 2019. Contributed by Jaqueline Hummel, Partner and Managing Director

CPOs Required to Implement Internal Controls:  The NFA issued Interpretive Notice “NFA Compliance Rule 2-9: CPO Internal Controls System” (the “Internal Controls Notice”) that requires Commodity Pool Operators (CPOs) to establish a system of internal controls designed to deter fraud, safeguard customer funds, and ensure the accuracy of financial reports.  The control system should also assure that the CPO complies with its regulatory requirements.  The Internal Controls Notice will be effective on April 1, 2019.  Contributed by Jaqueline Hummel, Partner and Managing Director

National Law Review: Some Thoughts on the Year in Privacy and Data Security Law

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

The SEC Steps into Cybersecurity

2018 was the year in which the U.S. Securities and Exchange Commission squarely inserted itself into cybersecurity regulatory compliance.

In February 2018, the SEC released its first Commission-level Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. Two key compliance takeaways are: (1) investor risk related to known cyber incidents must be fully and timely disclosed; and (2) public companies must police insider trading based on information related to undisclosed cyber incidents. Whether a cyber incident is material and requires disclosure will depend on a host of factors, including the nature, extent, and potential magnitude of the incident. This includes consideration of the type of compromised information (personally identifiable information, intellectual property or other confidential business information); the incident’s impact on operations; the harm to a company’s reputation, financial performance, customer/vendor relationships; and potential liabilities in civil litigation or regulatory enforcement actions. To avoid even the appearance of improper trading, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading” during the investigation and assessment of significant cybersecurity incidents.

Just a month after issuing its Interpretive Guidance, the SEC penalized Yahoo $35 million for failing to timely disclose its data breaches. The cease and desist order was the SEC’s first against a public company for failing to disclose known cyber incidents in its public filings. From 2014-2016, the SEC alleged, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo’s cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company “faced the risk” of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.” Yahoo filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.

Finally, in October 2018, the SEC released a “Report of Investigation” into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of “business email compromises” (BECs) targeting their personnel. The Report was prompted by the SEC’s investigation. The nine companies were victimized by one of two variants of the BEC scheme—involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.

The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” The SEC emphasized that these fraud schemes were widely successful because they used “technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was in employee interpretation of these controls as capable of being satisfied solely through electronic communications—along with their failure to recognize obvious indications of fraud in the emails.

This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016.

States Continue to Expand Data Security Laws

Last year saw the creation and significant expansion of data security laws in state houses across the country. The new laws fall into two primary categories: (1) statutory requirements that all organizations must create and implement reasonable cybersecurity programs to protect personal information; and (2) more expansive data breach notification laws.

Data Security Laws

At least twenty states have adopted broadly applicable “data security” statutes that require virtually all organizations that collect or possess personal information to maintain reasonable cybersecurity programs. Delaware’s new law is a good example. It requires “[a]ny person” conducting business and owning, licensing, or maintaining personal information to implement reasonable security measures “to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” Other states – such as Alabama – enacted “data security” laws that are much more prescriptive, listing factors to be considered in assessing ‘reasonableness.’

Data Breach Notification Laws

At least thirty-one states considered data breach legislation in 2018. With new legislation in South Dakota and Alabama, all fifty states now have data breach notification laws. The biggest changes in 2018 included broad expansions of the definition of protected “personal information;” specified timeframes for notification to consumers and state attorneys general; mandatory credit monitoring for certain types of breaches; and disclosure and investigative cooperation requirements imposed upon third party service providers.

A Landmark Mobile Privacy Decision

The Supreme Court’s 2018 decision in Carpenter v. United States establishes broad digital privacy rights that are sure to extend beyond law enforcement investigations and locational information. The decision significantly expands the Court’s dominant theme of this decade that “digital is different” when it comes to modern privacy law.

The decision itself holds that the Fourth Amendment requires the government to secure a search warrant to obtain a person’s historical cell site location information from a cellular service provider. That undersells its import though. Carpenter remakes the foundational legal principles governing privacy in data shared between device users and their service providers.

It’s how the Court got to that holding that is so groundbreaking. First, the Court declared that “[i]ndividuals have a reasonable expectation of privacy in the whole of their physical movements.” The Court characterized the cell site location information at issue as “detailed, encyclopedic, and effortlessly compiled” – allowing the government (and the service providers) to conduct “near perfect surveillance” on users. Second, this “reasonable expectation of privacy” is not defeated simply because each device constantly shares its location with cellular service providers. Data that must be shared for the proper functioning of technology services does not lose its privacy protection simply because it is possessed by and compiled in the business records of third parties. The spark of this reasoning is sure to spread quickly across the digital legal landscape in 2019 and beyond.

California Continues Pushing the U.S. Forward

California has repeatedly been at the epicenter of privacy and data security legislation in the United States, perhaps most notably by being the first state to enact a breach notification statute. This past year, California once again broke new legislative ground by enacting the California Consumer Privacy Act of 2018 (“CCPA”) and legislation directed at securing IoT devices.

If you are reading this blog post, there is very little chance that you are unfamiliar with the CCPA, such that there is no point in summarizing its provisions. In fact, if we could jump forward five years, the CCPA’s significance will likely not merely be what businesses will need to undertake in 2019 to drive compliance, but rather it will be as a harbinger for the enactment of other privacy-related legislation in this country. One can readily envision that the CCPA will lead either to the enactment of federal privacy legislation or to more state laws directed at privacy. It is not hyperbole to say that how this unfolds in 2019 will set the course for privacy legislation in this country for years to come.

Similarly, California’s enactment of first-in-the-nation legislation directed at IoT device security is significant not just for what the legislation says, but also for what it signals will happen in the coming years. If you have tracked the IoT marketplace, you have heard the projections about the rapid expansion in the number of IoT devices in the next five years. But, at the same time, manufacturers have little incentive to build information security and privacy into those devices. Most commentators seem to agree that this will have to change but it is anyone’s guess as to how. Will industry self-regulate? Will the European Union lead the charge? Will plaintiffs’ lawyers find success in bringing class actions against IoT device manufacturers? Will the federal government pass legislation?

The California legislation offers one potential answer, which is that states will begin to legislate in this field. Indeed, California’s legislation – which originated as a botnet prevention measure – focuses only on a small aspect of IoT device security, namely, passwords. There is fertile ground for states to take up other issues such as requiring manufacturers to provide devices that do not have existing security flaws and requiring manufacturers to provide security patches.

Advisor Armor Opinion: Crackdown showdown

Serious cybersecurity enforcement is coming in 2019, but are advisers ready?

When clients ask what advisers are doing to protect their data, only the firms that can give a satisfying answer will build trust with investors

Advisor Armor Opinion

As the most tenured and largest provider of cyber security compliance in financial services, our empirical evidence indicates ZERO correlation between spending on information technology and technical controls, on the one hand, and data security failures and successful compliance examinations, on the other.

Governance procedures and technical controls must be reasonably tailored to the assessments that have been conducted. Commonality certainly exists, but one size does not fit all, and controls must change to model current risks.

Jan 12, 2019 @ 6:00 am By Ryan W. Neal 

After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cyber security rules.

A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.

The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.

"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cyber security practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors." 

Voya troubles

No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.

Even though Voya had a cyber security policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cyber security policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.

This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cyber security is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.

"Firms have cyber security policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cyber security firm Entreda.

For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.

Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cyber security.

"People talk about having a good cyber security policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.

These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.

Advisor Armor risk assessments and profiles create suitable policies and procedures which describe how firms manage and care for valuable information.  These policies are then tested and maintained by Penetration Testing, Endpoint Security Audits and Employee Awareness Training and Testing.  Our Assurance Service certifies and attests to the implementation of the described policies and procedures.

2018 warnings to heed

When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cyber security, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cyber security preparedness and response team.

"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cyber security programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."

The agency last year named cyber security as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cyber security; and issued new guidance on public companies' obligations to disclose cyber security risks and incidents, updating its previous guidance issued in 2011.

The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cyber security when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.

It isn't just the SEC getting tougher with cyber security. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cyber security best practices for broker-dealers.

State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cyber security programs, the number of bills and proposals addressing cyber security at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.

Advisor Armor Coverage models current state consumer data security protection expectations for all states, including those recently instituted by New York, California, Oregon, Massachusetts, Florida, etc.

The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.

For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cyber security breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.

The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cyber security plan in place. Regulators want to see firms continually testing, reviewing and updating cyber security policies and procedures to ensure they remain effective as threats evolve.

Business email

Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.

"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.

Preventing harm from phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.

Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.

Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.

Advisor Armor provides Email Enticement (Phishing) Testing and Training. Thousands of customized phishing emails, consistent with and relevant to financial services, provide a realistic challenge that builds practical resistance to the single largest intrusion threat facing financial firms today.

Where advisers can improve

The good news is that the financial services industry has done a pretty good job of adapting to new cyber security requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney. 

Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.

"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."

At smaller firms, there can be a sense of fatigue and helplessness when it comes to cyber security, because even the largest companies get hacked.

"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cyber security for advisers. "I do think that causes some frustration."

Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.

Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.

Advisor Armor has managed hundreds of client data security incidents over the past three years. Our history with Red Flags/Identity Theft allows us to efficiently navigate the murky regulatory requirements for physical and electronic breaches, and our incident response coverage satisfies the regulator requirement for tested procedures.

Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cyber security controls. When used alongside Finra's previously released small firm cyber security checklist, it should give smaller advisers an effective guide to remaining compliant.

The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cyber security is something more important than another compliance chore. The key to that may lie in thinking of cyber security as a competitive advantage, Mr. Yenamandra said.

Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.

"Cyber security needs to be viewed as not only an operational risk but also a strategic function," he said.


Cyber Insurance Primer

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.


  • Percentage of companies that had cyber insurance

  • Percentage of companies that believed their exposure to cyber risk would increase in the next 24 months

  • Percentage of companies that did not plan to purchase cyber insurance in the next 24 months

Why is buying cyber insurance difficult?

  1. There is little standardization among competing policies; as a result it is hard to comparison shop.

  2. Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.

  3. Policies often cover security but not privacy risks.

Items to review when shopping for cyber insurance:

  1. Do the sub-limits on coverage match the corresponding risks?

  2. Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?

  3. Does an exclusion prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?

  4. Is voluntary notification of affected consumers covered?

  5. Will credit monitoring for affected consumers be covered?

  6. Who does the insurer have on panel for legal representation, forensic investigations, and/or crisis management?

2019 Examination Priorities of SEC Office of Compliance Inspections and Examinations are Announced

Next year’s examination priorities of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission were announced on December 20, 2018, and cover six broad, albeit non-exhaustive, topics.

  • Matters of importance for retail investors, including seniors and those saving for retirement;

  • Compliance and risks in registrants responsible for critical market infrastructure;

  • Matters related to the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board;

  • Digital assets, including cryptocurrencies, coins and tokens (a newly-added priority);

  • Cybersecurity; and

  • Anti-money laundering (AML) programs.

Many of the six broad topics remain the same as those included in the 2018 OCIE Examination Priorities. It is important to note, however, that the OCIE leadership team specifically indicated that the 2019 priorities reflect meaningful changes from the prior year, particularly as new risks have emerged and existing risks were either heightened or mitigated.

Retail Investors, including Seniors and those Saving for Retirement

The first identified priority is the protection of retail investors. OCIE emphasizes the following areas of focus, most of which continue and/or expand upon existing examination priorities:

  • Fees and Expenses: Disclosure of the Costs of Investing;

  • Conflicts of Interest;

  • Senior Investors, and Retirement Accounts and Products;

  • Portfolio Management and Trading;

  • Never-Before- or Not-Recently-Examined Investment Advisers;

  • Mutual Funds and Exchange-Traded Funds;

  • Municipal Advisors;

  • Broker-Dealers Entrusted with Customer Assets; and

  • Microcap Securities.

Compliance and Risk in Registrants Responsible for Critical Infrastructure

The second identified priority is compliance and risks in critical infrastructure. In this area, OCIE will continue to focus examinations on:

  • “Systemically Important” Clearing Agencies;

  • Entities Subject to Regulation Systems Compliance and Integrity (Regulation SCI), including the effectiveness of the implementation of such entities’ compliance policies and procedures;

  • Transfer Agents, including “transfers, recordkeeping” and asset safeguarding; and

  • National Securities Exchanges, including exchanges’ internal audit and surveillance programs as well as funding for regulatory programs.

Focus on FINRA and MSRB

OCIE will continue to examine: (1) FINRA’s operations and regulatory programs and the quality of its examinations of broker-dealers; and (2) the effectiveness of particular MSRB operational and internal policies, procedures and controls.

Digital Assets

New to OCIE’s priorities is a focus on the examination of participants in the digital asset market (including broker-dealers, trading platforms, and investment advisers) and the associated risks presented by that market to retail investors. As part of its entry into examining the digital assets space, OCIE intends to “identify market participants offering, selling, trading, and managing these products or considering or actively seeking to offer these products and then assess the extent of their activities.” For those firms that are identified as “actively seeking” to offer digital assets, OCIE examinations will then focus on, among other things, “portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”

Cybersecurity

Cybersecurity will continue to be a focus of each OCIE examination program, especially registrants’ “policies and procedures related to retail trading information security” and, with respect to investment advisers, cybersecurity practices of advisers with multiple branch offices.

Anti-Money Laundering Programs

OCIE notes that examiners will continue to prioritize broker-dealer compliance with applicable AML requirements, including proper filing of suspicious activity reports and robust and independent testing of their AML programs.


While the priorities indicate where OCIE intends to focus resources in the coming year, registrants should not expect examinations to be limited to the issues highlighted above. It is important to note that the 2019 OCIE priorities not only reflect Chairman Jay Clayton’s prior emphasis on Main Street investors, technological changes and cybersecurity, but also continue to reflect a considerable degree of continuity with the priorities of the SEC under prior Chair Mary Jo White. With this in mind, firms may want to review their policies and procedures and conduct internal compliance reviews.

Finra updates cybersecurity best practices report

Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.

To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.

The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.

"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.

The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.

However, Mr. McDonough said the report could have been presented more simply to increase understanding, especially for firms that don't have a cybersecurity expert who can decipher technical language.

"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.

"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."

The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.

Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.

"Finra and [broker/dealers] have been late to this, and registered reps are in a tug of war over who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."

Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.
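The business email compromise pattern described earlier on this page (attackers posing as executives or third-party vendors) and the Finra point above about phishing that appears to come from trusted sources both leave tells in the message headers. The following is an added example, not code from the article, from Finra, the SEC or Advisor Armor, showing a few of those header-level checks run over sample messages. The firm domain, executive names, vendor domain, scoring weights and the four sample messages are all constructed for this illustration and are not drawn from the page.

```python
"""Header-level screening for business email compromise (BEC) lures.

Added illustration only; not code from the article, Finra, the SEC or
Advisor Armor. The firm domain, executive names, vendor domain and the
sample messages below are constructed for this example.
"""
from email.utils import parseaddr

# Hypothetical firm directory (assumption, not from the page).
FIRM_DOMAIN = "example-advisors.com"
EXECUTIVES = {"jane doe", "john roe"}          # names attackers like to borrow
TRUSTED_DOMAINS = {FIRM_DOMAIN, "custodian-example.com"}
PAYMENT_WORDS = ("wire", "urgent", "payment", "invoice")
WEIGHTS = {"exec-impersonation": 3, "lookalike-domain": 3,
           "reply-to-mismatch": 2, "payment-language": 1}


def _levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss domains (exarnple vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None."""
    for t in trusted:
        if domain != t and _levenshtein(domain, t) <= max_distance:
            return t
    return None


def screen_message(headers: dict) -> list:
    """Return (rule, detail) findings for one parsed message.

    `headers` carries the From, optional Reply-To and Subject values as strings.
    """
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    sender_domain = _domain(addr)

    # 1. An executive's display name arriving from an outside domain.
    if name.strip().lower() in EXECUTIVES and sender_domain != FIRM_DOMAIN:
        findings.append(("exec-impersonation", f"{name} <{addr}>"))

    # 2. Sender domain one or two edits away from our own or a known vendor.
    target = lookalike_of(sender_domain)
    if target:
        findings.append(("lookalike-domain", f"{sender_domain} imitates {target}"))

    # 3. Reply-To silently steering the conversation to another domain.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != sender_domain:
        findings.append(("reply-to-mismatch", f"{addr} -> {reply_addr}"))

    # 4. Payment pressure in the subject line: weak alone, strong with 1-3.
    subject = headers.get("Subject", "").lower()
    if any(word in subject for word in PAYMENT_WORDS):
        findings.append(("payment-language", subject))
    return findings


def risk_score(findings) -> int:
    return sum(WEIGHTS[rule] for rule, _ in findings)


def is_suspicious(headers: dict, threshold: int = 3) -> bool:
    return risk_score(screen_message(headers)) >= threshold


# Constructed sample messages: one clean, three BEC-style lures.
SAMPLE_MESSAGES = [
    {"From": "Jane Doe <jane.doe@example-advisors.com>",
     "Subject": "Q1 review notes"},
    {"From": "Jane Doe <jdoe.ceo@webmail-example.net>",
     "Subject": "Urgent wire transfer - need this today"},
    {"From": "Custodian Support <help@custodian-exarnple.com>",
     "Subject": "Please confirm your account details"},
    {"From": "Client Relations <relations@example-advisors.com>",
     "Reply-To": "acct-update@external-example.org",
     "Subject": "Updated invoice attached"},
]


def screen_all(messages=SAMPLE_MESSAGES):
    """Rule names triggered per message, in order."""
    return [[rule for rule, _ in screen_message(m)] for m in messages]


if __name__ == "__main__":
    for m, rules in zip(SAMPLE_MESSAGES, screen_all()):
        flag = "SUSPECT" if is_suspicious(m) else "ok     "
        print(f"{flag} {m['From']}: {rules}")
```

The scoring deliberately treats payment language as a weak signal on its own: a real invoice from a real vendor mentions invoices. It is the combination with an outside sender borrowing an executive's name, a near-miss domain, or a redirected Reply-To that moves a message over the threshold. In a mail pipeline these checks would run on the parsed MIME headers, and the keyword match would be tightened beyond plain substrings.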

The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.

"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.

Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.

"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a manner of wanting to provide clearer guidance/best practices."

For the Average Hacker, Your Small Business Is an Ideal Target

Headlines are full of cybersecurity breaches, and big businesses like Google and Facebook are some of the latest to fall victim to outside attacks. A vulnerability in Google+ is at least partially responsible for the company’s decision to shut down the platform for good, and a recent breach of Facebook’s network security may have compromised the personal information of almost 50 million users.

Of course, for such enormous companies, a breach is an embarrassing blip on the radar. Google is mostly terminating its social platform because no one uses it (the company reported that 90 percent of user sessions last less than five seconds), and even the notorious Cambridge Analytica scandal cost Facebook a mere $644,000 in fines imposed by British regulators -- peanuts for a company bringing in almost $100,000 in revenue every minute. But what would a $600,000 fine do to your small business? MORE

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.

How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:


1) SEC Enforcement: More Pressure for Investment Firms

The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.

The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

Policing “Cyber-Related” Misconduct

The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cyber-related cases, including some involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.

Although an agency-wide hiring freeze in place since late 2016 has reduced staff by 10%, this does not appear to have resulted in less pressure on regulated securities investment firms. The Division’s annual report documents significant continued enforcement-related activity.

From a compliance perspective, one item in the “Other Noteworthy [Enforcement] Actions” section of the report may deserve more attention than it received so far: it points to “13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk.”

Our Take:

When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may prevent firms from “promptly producing” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view into a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.

A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.

Read / download:

Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]


2) Vigilant Regulators, Weak Policy Implementation

In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.

The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.

“SEC’s Enforcement Program Remains Robust”

The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.

Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.

The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”

Clayton slims down SEC agenda, looks for more wins

In a speech on the SEC's priorities for 2019, Clayton also signaled cybersecurity will remain at the top of the agenda, promising that examiners will press advisors and brokers on areas such as risk governance, access controls and data protection.

The SEC is on track to finalize its standards of conduct for investment advisors and brokers next year, Chairman Jay Clayton indicated on Wednesday, calling those rules "a very important and long overdue initiative."

Clayton is also warning advisors and other financial professionals to brace for market turbulence that could emerge from the U.K.’s exit from the European Union and the upcoming abandonment of the Libor benchmark that underlies many of the popular funds advisors rely on as a staple of their portfolio construction.

Clayton called the advisor and broker regulations "a key priority," touting the seven town-hall meetings commissioners and staffers held to gather input from the everyday investors the rules are intended to protect.

Taking a step back from the SEC's regulatory agenda, Clayton is also cautioning advisors to keep in mind three macro risks to the market that he expects to dominate the years ahead: cybersecurity, Brexit and Libor.

"It is clear, based on these discussions, that we have the right perspective, namely, that the core obligations of investment professionals — and mandatory plain language disclosures —should match reasonable investor expectations," Clayton said in prepared remarks.

Under Mary Jo White, his immediate predecessor, Clayton said that the commission's regulatory agenda had become too "aspirational." In 2016, 32 rules appeared on the agenda, but fewer than a third were ultimately adopted. Many of those initiatives stemmed from legislative directives included in the Dodd-Frank bill, Clayton acknowledged. But he is staking out an approach marked by fewer novel rulemakings. And those initiatives that do appear on the commission's docket, he aims to complete. In the coming year, Clayton says that he is hoping to conclude 80% of the items presently on the regulatory agenda.

Some of the sharpest criticism of the SEC's investment advice proposal has come from consumer advocates who see the provisions relating to brokers continuing to permit conduct that they say is harmful to investors. So instead of applying an advisor-like fiduciary duty to broker-dealers, the proposed Regulation Best Interest would do little to enhance the existing suitability standard that governs the brokerage sector. An advisory panel to the commission has recommended that it revise the regulation to encompass more of the spirit — if not the letter — of the fiduciary standard. MORE

Cybersecurity tips for advisors, and clients

Cyberattacks are growing in volume and sophistication and the need for the wealth management business to safeguard clients, portfolios and industry has never been greater.

In 2017 alone, more than 143 million Americans were affected by cybercrimes, a jump of 30% from 2016. As threats increase and fraudsters become more sophisticated, financial advisors and their clients must be proactive in protecting themselves and sensitive data. The process begins with education. Today’s cybercriminals use common, effective methods to acquire personal information. Malware (malicious software) can be delivered to devices via suspect websites, public Wi-Fi networks, and communal charging stations, presenting common hazards that might be sidestepped with the right information.

Below are helpful tips advisors can use to start a conversation with their clients about cybersecurity and help avoid potential catastrophe.

Software and online security

  • Keep your software, operating system and browser up to date. Companies continuously add security updates with every software upgrade they release. Installing updates immediately can help clients prevent a malware infection.

  • Set up multi-factor authentication to log in to any website or application clients use for financial transactions that contain personal data.

  • Run a reputable, American anti-virus product on a home PC or laptop. This will help prevent a device from becoming infected with malware and may clean up an existing infection.

As threats increase, the need to safeguard clients, portfolios and industry has never been greater, writes Rachel Wilson, head of cybersecurity for Morgan Stanley Wealth Management Technology.

Cybersecurity in public environments

  • Avoid using public Wi-Fi hotspots — such as the ones at coffee shops, airports, or hotels. If a client does use a public Wi-Fi hotspot, advise them to use a virtual private network (VPN) so that others cannot intercept their communications. As an alternative, clients can stick to the mobile network and create a personal Wi-Fi hotspot with their phone.

  • Don’t use public charging cords or USB ports to charge a device. Publicly available power outlets are generally fine, but avoid using publicly available cords and ports. These can be used to deliver malware or silently steal data.

Daily online activities

  • Don’t click on links or open attachments in unsolicited emails or text messages. Doing so may install malware on a device.

  • Don’t reuse the same or similar username and password across multiple websites and applications. If clients reuse the same username and password and a hacker gains access to just one of the accounts, the hacker may be able to access their other accounts as well.

  • Use a password manager. These apps create unique, complex passwords for clients and then store those passwords in a cryptographically sound way.

  • Create and save bookmarks for the important banking and brokerage websites that clients visit often to avoid inadvertently entering credentials on a fraudulent site.

  • Only download applications from Google Play or the App Store and never from a third-party app store. Third-party app stores, or apps that pop up and encourage a download, are much more likely to contain malware.

  • Only give applications the permissions they really need. Granting an application access to photos, location, camera or contacts makes that data available to the application's owner.

  • Limit how much information is shared on social media, and lock down the privacy settings on social media accounts. The information clients share online could be exploited to gather information for fraud schemes.

Tools to combat cybercrime

Use a current and reliable email provider that has basic, built-in security features. Using an older email account that has not incorporated security protections will greatly increase the likelihood of your email account being taken over and used to impersonate you or to spam your contacts.

Shred financial documents before discarding them, as these contain valuable information that could be used by fraudsters. Leverage online statements and paperless options, like eSign, eDelivery, eAuthorizations and Digital Vault, as these include important security features. Additionally, clients should secure sensitive documents within their home.

These basic tips can help avoid some of the most common cybersecurity threats, but the need for vigilance and continued education is paramount. Advisors should maintain an ongoing dialogue with their clients to ensure their personal data, wealth information and financial transaction data are properly safeguarded.

SEC Enforcement’s Annual Report Prioritizes Retail Investors, Cryptocurrency, Cybercrime, and Individual Accountability

The Enforcement Division of the United States Securities and Exchange Commission (“SEC”) recently released its annual enforcement report (“Report”) for fiscal year 2018. The Report reflects an increased focus on retail investors, cryptocurrency, cybercrime, and individual accountability. Further, it showcases that SEC enforcement continues to be robust under the Trump administration, despite industry and media expectations to the contrary.

Cybercrime is also a growing area of concern for the SEC, with more than 225 active investigations this past year. Notably, in many of these investigations, companies that were victims of cyberattacks are now under investigation for how they responded to the attacks. The Enforcement Division brought proceedings against companies based on failures in those companies’ cybersecurity policies and procedures related to cyber intrusions. MORE

How to Choose a Cyber Liability Insurance Policy

As more and more data breaches and ransomware attacks make headlines around the world, the need for digital asset protection has become top of mind for many financial advisors and business owners. In yesterday’s post, I outlined some cyber liability insurance basics, including what may and may not be covered if your RIA–broker/dealer has its own policy. Today, I’ll dig a bit deeper into the topic, including how you can assess your risks to determine what coverage you may need so you can choose the right cyber liability policy.

Scenario: Cyberattack!

It’s 6:00 A.M. on a Monday morning. You hit snooze a few times before sitting up and grabbing your smartphone. A notification catches your eye. No, you’re not dreaming. Your business has been hit by a cyberattack.

How did this happen? You’ve put considerable effort into mitigating the risk of cyberthreats—staff education, encryption, and password polices, to name a few. Unfortunately, even with such protections in place, you can still become the victim of a cyberattack.

But hang on! You have cyber liability insurance. There’s no need to worry, right? That depends. Do you know the extent of the damage? Do you know what your policy covers? The answers to those questions will determine how concerned you should be.

What Went Wrong?

First, you’ll need to find out what information was involved in the cyberattack to determine if any confidential data was compromised. You’ll also want to look into how the breach happened. Was it because a scammer gained access to your firm’s data following a phishing attack? Was one of your employees the weak link?

If the incident occurred at your broker/dealer, which has its own cyber liability insurance policy, your B/D would likely cover data forensic expenses, extortion, notification costs, and credit monitoring for the affected individuals. If the breach happened on your end, however, you would be liable for the damages. If your firm is at fault, you will need to prove that your business did everything possible to prevent the breach and help minimize risk, such as taking proactive measures to ensure that proper security policies are in place and up to date.

Whether you are at fault or not, cyber liability insurance can’t mend a broken reputation. It can, however, help neutralize some of the costs associated with a cyberattack and help restore your business operations.

How to Choose the Right Coverage

Given everything we’ve discussed here and in yesterday’s post, you may be leaning toward purchasing a cyber liability policy. But how much coverage should you purchase? Following the three-step process described below can help you arrive at the best decision for your firm.

1) Assess your risk. If your office collects, transmits, stores, views, or interacts with personal information that hackers could use to identify a client, you are at risk for a cyberattack and need to ensure that your business is protected from what could go wrong.

Begin your assessment by getting a handle on your vulnerabilities. Do you, for example, have a hardware firewall and up-to-date antimalware and antivirus protection? Do you encrypt your hard drives and portable media? Do you regularly train your staff to be aware of information security issues? Have you enabled multifactor authentication, where possible, for all of your devices?

Answering “no” or “I’m not sure” to any of these questions means your—and your clients’—information may be at risk and you could benefit from cyber liability coverage. But even with the most robust information security programs, there’s always the chance that something might slip through the cracks. Taking a good look at scenarios that could leave your business vulnerable to attack can help you determine which coverage plans may be best for your firm.

For the second part of your assessment, you’ll want to evaluate whether you’ve done as much as possible regarding:

  • Governance and risk assessments: This includes creating an inventory of all the software and hardware in your office, as well as any device that’s connected to your network; developing policies for bringing devices to work and displaying information on screens or desks; and maintaining a data-retention policy.

  • Access rights and controls: This includes encryption, firewalls, password policies, and the like.

  • Data loss prevention: This includes verifying the identity of clients who request asset transfers and regularly updating your software.

  • Vendor management: This includes doing appropriate due diligence on potential vendors and signing contracts that govern data usage.

  • Training and awareness: This includes regular training on information security concerns for you and your staff, as well as training and best practices for your clients.

  • Incident response: This includes having an appropriate backup system in place, along with formal business continuity and incident response plans.

By understanding the controls you already have in place and the areas where you may be at risk, you can look to purchase a cyber liability policy that focuses on the coverage you need.

2) Research carriers and policy options. According to the 2017 Cost of Data Breach Global Study, the average cost of a data breach is $225 per client. So, although you may be reluctant to pay the premiums for yet another insurance policy, that cost is minimal compared with the out-of-pocket expenses your office could incur if it experiences a cyberattack.

Policy cost varies depending on the depth of coverage you select and the carrier you choose. When speaking to a potential insurance carrier, ask about the types of incidents covered and whether any “events” are specifically excluded from coverage. Because each financial services office is different and cyber liability insurance coverage varies from vendor to vendor, be sure to vet multiple policy options. You’ll also want to get the best value and price for what your business needs, so discuss pricing in detail with the carriers and inquire about deductibles.

3) Apply for your top choices. Once you have vetted a few insurance carriers, fill out an application with the companies whose quotes best fit your office’s needs. Ensure that the applications have been completed correctly, answering questions based on the cybersecurity protocols your office actually employs. Once you are approved for a few policies, you can choose the right cyber liability policy for your needs based on the deductible, premiums, and coverage with which you are most comfortable.

A Plan for Prevention and Recovery

In today’s increasingly digital world, having a top-notch information security program in place is essential for protecting your business’s assets and your clients’ personal data. But as the threat of a cyberattack or breach grows, it’s best to be prepared not only to prevent an attack, but to make a full recovery from one as well. If you follow the steps outlined above and choose the right cyber liability policy for your business’s needs, you’ll be well equipped to handle any threat that comes your way.

Posted by Rachel Sonia