SEC & FINRA: Shared Regulatory Priorities for 2019

Each year, both the United States Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) issue guidance concerning their regulatory priorities for the coming year. FINRA's 2019 Annual Regulatory and Examination Priorities Letter can be found here, and the SEC Office of Compliance Inspections and Examinations (OCIE)'s 2019 National Exam Program Examination Priorities can be found here.

Set forth below are topics on which the SEC's and FINRA's concerns overlap. Notably, FINRA took a unique approach this year in that its letter begins with materially new topics, then discusses areas of ongoing concern, with an emphasis on aspects of those topics not covered in prior letters. Unlike in previous years, FINRA declined to use its priorities letter to repeat topics that have been "mainstays" of its focus over the years. The SEC also took a new approach, emphasizing how it increasingly leverages technology and data analytics to fulfill its mission and citing its recently adopted Strategic Plan, which reiterates the importance of examinations to bolster regulatory requirements and protect investors.

This year, both of the annual priorities letters address a large number of diverse topics. Accordingly, in order to provide additional insight into the evolution of the SEC's and FINRA's regulatory and examination priorities, we have prepared detailed comparisons of FINRA's priorities between 2007 and 2019 and the SEC's priorities between 2013 and 2019. The comparison of the SEC's priorities is available here. The comparison of FINRA's priorities is available here.

Cybersecurity: The SEC places a particular emphasis on cybersecurity this year and states that it will continue to prioritize cybersecurity in each of its five examination programs. Specific to investment advisers, the SEC will emphasize cybersecurity practices at investment advisers with multiple branch offices, including those that have recently merged with other investment advisers. The SEC will also continue to focus on, among other areas, governance and risk assessment, access rights and controls, data loss prevention, and incident response.

FINRA also retains its emphasis on cybersecurity, although it does so primarily through its focus on regulatory technology or "RegTech." FINRA will engage with firms to understand how they are using a variety of innovative RegTech tools to make their compliance efforts more efficient and how they are addressing related risks, challenges, or regulatory concerns, including supervision and governance systems, third-party vendor management, safeguarding customer data and cybersecurity.

SEC Issues Privacy and Data Security Risk Alert

Thursday, April 18, 2019

Following recent examinations of SEC-registered investment advisers and broker-dealers, the Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) published a privacy risk alert on April 16, 2019. The alert reminds advisers and broker-dealers of their obligations under Regulation S-P to provide compliant privacy and opt-out notices and to adopt and implement effective policies and procedures for safeguarding customer records and information.

Privacy Notices. During the examinations, OCIE observed that some advisors and broker-dealers were not providing initial privacy notices, annual privacy notices or opt-out notices to their customers. When notices were provided, many did not accurately reflect firms’ policies and procedures and/or did not notify customers of their right to opt out of having their nonpublic personal information shared with nonaffiliated third parties. OCIE’s risk alert therefore reminds advisors and broker-dealers that Regulation S-P requires that they:

  • provide a clear and conspicuous notice to customers that accurately reflects privacy policies and practices generally no later than when a customer relationship is established,

  • provide a similar notice not less than annually during the continuation of the customer relationship, and

  • deliver a clear and conspicuous notice to their customers that accurately explains the right to opt out of some disclosures of non-public personal information about the customer to nonaffiliated third parties.

Written Policies and Procedures to Safeguard Customer Information. OCIE also observed during these examinations that some advisors and broker-dealers had not adopted written policies and procedures as required under the Safeguards Rule. According to the risk alert, some firms simply:

restated the Safeguards Rule but did not include policies and procedures related to administrative, technical, and physical safeguards.

And, other policies

contained numerous blank spaces designed to be filled in by registrants.

Given OCIE’s observations, purchasing sample privacy and data security policies and procedures, perhaps online, and adopting them without more would likely be inconsistent with Regulation S-P. Data security compliance is more than simply having a policy document. OCIE explained that written policies and procedures under Regulation S-P must be “reasonably designed to ensure the security and confidentiality of customer records and information, protect against any anticipated threats or hazards to the security or integrity of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.” Thus, the general approach for advisors and broker-dealers should be to assess the threats and vulnerabilities to customer records and information, and then craft administrative, physical, and technical policies and procedures to address those threats and vulnerabilities.

OCIE also detailed data security practices that it found troubling under Regulation S-P. Examples include:

  • Personal devices – employees storing and maintaining customer information on their personal laptops without policies and procedures addressing how to protect the information on those devices.

  • Electronic communications – the absence of policies designed to prevent employees from regularly sending unencrypted emails to customers containing PII.

  • Training and monitoring – a lack of training for employees about encryption, password protection, and transmission of PII through company-approved methods.

  • Outside vendors – advisors and broker-dealers maintaining policies that required outside vendors to contractually agree to keep customers’ PII confidential, but not following their own policies.

  • PII inventory – not maintaining an inventory of all systems on which PII is maintained, leaving advisors and broker-dealers unaware of the categories of customer PII that they hold and limiting their ability to adequately safeguard customer information.

  • Incident response plans – plans failed to address role assignments for implementing the plan, actions required to address a cybersecurity incident, and assessments of system vulnerabilities.

  • Departed employees – former employees of advisors and broker-dealers retained access rights to restricted customer information after termination of employment.
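The last finding lends itself to a mechanical check that a firm can run on a schedule rather than discover during an examination. The Python script below is an added example, not part of OCIE's alert or this article: it reconciles an HR termination roster against an identity-provider export of account entitlements and flags every account still enabled after its owner's termination date, noting whether the account was actually used after that date, and separately flags accounts whose owner does not appear in HR at all. Both CSV samples and all column names are constructed for the example; real exports will differ.

```python
"""Added example: reconcile HR terminations against account entitlements.

Compares an HR roster with an identity-provider (IdP) export and reports
(a) accounts still enabled after the owner's termination date, with a flag
for any login that post-dates the termination, and (b) enabled accounts whose
owner is not in HR at all ("orphan" accounts). Column names and both CSV
samples are constructed for this example, not taken from any real system.
"""
import csv
import io
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional

# Constructed HR export: one row per employee; termination_date empty while active.
HR_CSV = """employee_id,name,status,termination_date
1001,Ana Ruiz,active,
1002,Ben Ortiz,terminated,2019-02-28
1003,Chen Wei,terminated,2019-03-15
1004,Dana Ives,active,
1005,Eli Park,terminated,2019-01-10
"""

# Constructed IdP export: one row per account per system; last_login empty if never.
ACCOUNTS_CSV = """employee_id,account,system,enabled,last_login
1001,aruiz,crm,true,2019-04-01T09:12:00
1002,bortiz,crm,true,2019-03-05T17:40:00
1002,bortiz,fileshare,true,
1003,cwei,crm,false,2019-03-14T08:00:00
1003,cwei,fileshare,true,
1005,epark,trading,true,2019-01-09T12:00:00
1009,ghost,crm,true,2019-04-02T10:00:00
"""

# Review date for the sample run (constructed).
AS_OF = date(2019, 4, 18)


@dataclass
class Finding:
    employee_id: str
    account: str
    system: str
    reason: str                   # "retained_after_termination" or "orphan_account"
    terminated: Optional[date]    # None for orphan accounts
    used_after_termination: bool  # True if a login post-dates the termination


def load_hr(text: str) -> Dict[str, Optional[date]]:
    """Map employee_id -> termination date (None while still employed)."""
    roster: Dict[str, Optional[date]] = {}
    for row in csv.DictReader(io.StringIO(text)):
        term = row["termination_date"].strip()
        terminated = row["status"].strip().lower() == "terminated" and bool(term)
        roster[row["employee_id"]] = date.fromisoformat(term) if terminated else None
    return roster


def reconcile(hr_text: str, accounts_text: str, as_of: date) -> List[Finding]:
    """Return one Finding per enabled account that should not exist on as_of."""
    roster = load_hr(hr_text)
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(accounts_text)):
        if row["enabled"].strip().lower() != "true":
            continue  # already disabled: nothing to report
        emp = row["employee_id"]
        if emp not in roster:
            # Enabled account with no owner in HR: cannot be tied to a current employee.
            findings.append(Finding(emp, row["account"], row["system"],
                                    "orphan_account", None, False))
            continue
        term = roster[emp]
        if term is None or term > as_of:
            continue  # still employed, or termination not yet effective
        last = row["last_login"].strip()
        used = bool(last) and datetime.fromisoformat(last).date() > term
        findings.append(Finding(emp, row["account"], row["system"],
                                "retained_after_termination", term, used))
    return findings


def run_sample() -> List[Finding]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(HR_CSV, ACCOUNTS_CSV, AS_OF)


if __name__ == "__main__":
    for f in run_sample():
        flag = " (USED AFTER TERMINATION)" if f.used_after_termination else ""
        print(f"{f.account}@{f.system}: {f.reason}{flag}")
```

The "used after termination" flag is the one that turns a deprovisioning gap into a potential unauthorized-access incident, so it is worth separating from the plain "still enabled" case when deciding what to escalate. In practice the same logic runs against a fresh HR feed and a fresh entitlement export, and the disabled-account and future-dated-termination branches exist so the report contains only items that still need action.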

Many of the observations noted above are common gaps in data security policies and procedures, particularly for small and medium-sized enterprises in any industry. For advisors and broker-dealers, compliance lapses could result in data breaches, enhanced scrutiny by the SEC and OCIE, and reputational harm. Thus, as OCIE suggests following its recent examinations, advisors and broker-dealers should review and update, as needed, their written policies and procedures to mitigate the issues identified by OCIE staff.

Jackson Lewis P.C. © 2019

NASAA Proposes Investment Adviser Model Cybersecurity Rule

On September 23, 2018, the North American Securities Administrators Association, Inc. (“NASAA”) released a proposed model rule for state-registered investment advisers (“state RIAs”) that would impose new information security and privacy requirements (the “Cyber Proposal”).1 NASAA intends the Cyber Proposal to provide state RIAs with a basic structure for implementing information security policies, procedures and practices and to create uniformity in state regulation of investment adviser cybersecurity.

The Cyber Proposal is intended to build on existing NASAA cybersecurity efforts, such as the 2017 release of a security checklist to help state RIAs identify and remediate cybersecurity vulnerabilities.2

This Legal Update (i) describes the relevant scope of the Cyber Proposal, (ii) explains its substantive requirements, and (iii) highlights some takeaways for the investment adviser industry.

Scope

The Cyber Proposal is a proposed model rule, meaning that, even if it is adopted by NASAA, it will not be binding on any state RIAs unless and until state securities administrators formally adopt it through state administrative rulemakings. Additionally, the Cyber Proposal applies to state RIAs and generally would not apply to federally-registered investment advisers (“federal RIAs”), which are exempt from state registration under the National Securities Markets Improvement Act of 1996’s amendments to the Investment Advisers Act of 1940. However, as discussed below, the Cyber Proposal also would amend the model rules for unethical business practices and prohibited conduct, which apply to federal RIAs.  

Substantive Requirements

The Cyber Proposal has three components: (1) a new model information security and privacy rule that would require state RIAs to adopt policies and procedures, (2) an amendment to the existing model recordkeeping rule and (3) an amendment to the model unethical business practices and prohibited conduct rules (collectively, “UBP Model Rules”).

Information Security and Privacy Rule. The proposed model information security and privacy rule would contain two parts addressing (a) the implementation of Physical Security and Cybersecurity Policies and Procedures and (b) the delivery of a Privacy Policy. 

Physical Security and Cybersecurity Policies and Procedures: This part is based on longstanding information security concepts from the Gramm-Leach-Bliley Act’s (“GLBA”) Safeguard Rules3 and the National Institute of Standards and Technology’s (“NIST”) Cybersecurity Framework and is not intended to create a new cybersecurity protocol. 

Under this part, a state RIA would be required to establish, implement, update and enforce reasonably designed, written physical security and cybersecurity policies and procedures to ensure the confidentiality, integrity and availability of physical and electronic records and information.

Consistent with the Securities and Exchange Commission’s (“SEC”) Reg. S-P, the Cyber Proposal would require a state RIA’s policies and procedures to:

  • Protect against reasonably anticipated threats or hazards to the security or integrity of client records and information;

  • Ensure that the investment adviser safeguards confidential client records and information; and

  • Protect any records and information the release of which could result in harm or inconvenience to any client.

The Cyber Proposal also would require the state RIA’s policies and procedures to cover the five cybersecurity functions from the Cybersecurity Framework. These functions are: 

  • Identify. Develop the organizational understanding to manage information security risk to systems, assets, data and capabilities; 

  • Protect. Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services;

  • Detect. Develop and implement the appropriate activities to identify the occurrence of an information security event; 

  • Respond. Develop and implement the appropriate activities to take action regarding a detected information security event; and 

  • Recover. Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to an information security event.

A state RIA would need to review and update these policies and procedures at least annually.

Privacy Policy Practices. This part would require a state RIA to deliver a copy of its privacy policy at onboarding and thereafter as it is updated, but at least annually.4

Amended Recordkeeping Requirement. The amendments to the model recordkeeping rule would require that state RIAs maintain copies of their policies and procedures and other compliance records related to the Information Security and Privacy Rule discussed above. The Cyber Proposal would expressly require that state RIAs maintain hard copies of their current policies and procedures to mitigate information security risks.

Amended UBP Model Rules. The proposed amendment to the UBP Model Rules would clarify that a failure to establish, maintain and enforce a required policy or procedure would be an unethical business practice and prohibited conduct. This amendment is intended to cover supervision and business continuity in addition to the required policies and procedures.

Given that the UBP Model Rules apply to federal RIAs, it is unclear why NASAA would include this amendment in the Cyber Proposal, which generally would not apply to federal RIAs. It is possible that NASAA is seeking to create an avenue for state securities administrators to take action against federal RIAs that lack cybersecurity policies or that the amended UBP Model Rules may be used to target non-compliance with the policies and procedures requirements of the SEC’s Safeguards Rule.

Takeaways

As noted above, the Cyber Proposal represents a significant effort by NASAA to develop cyber guidance and preparation standards for small advisory firms. However, because the Cyber Proposal is only a model rule, the versions adopted in each state may vary. 

Additionally, it is unclear how the Cyber Proposal will interact with other cybersecurity requirements, such as Colorado’s and Vermont’s cybersecurity regulations for broker-dealers and state RIAs providing services in those states or Massachusetts’s generally applicable cybersecurity regulation.5 State RIAs doing business in those states may need multiple variations of cybersecurity policy or to adopt the most restrictive requirements and apply them across all states.

1 NASAA, Request for Public Comment Regarding a Proposed IA Model Rule for Information Security and Privacy Under the Uniform Securities Acts of 1956 and 2002 (Sept. 23, 2018). The text of the Cyber Proposal is available at http://www.nasaa.org/wp-content/uploads/2018/09/NASAA-Request-for-Public-Comment-on-Information-Security-and-Privacy.pdf and public comments on the proposal are available at http://www.nasaa.org/regulatory-activity/nasaa-proposals/public-comment-on-nasaa-proposals/public-comment-on-proposed-ia-model-rule-for-information-security-and-privacy-under-the-uniform-securities-acts-of-1956-and-2002/

2 NASAA, NASAA Releases Cybersecurity Checklist for RIA firms (Oct. 17, 2017); NASAA, Top 2017 NASAA RIA Compliance Deficiencies: Cybersecurity (Mar. 27, 2018). 

3 Specifically, the Cyber Proposal would implement concepts from the versions of the Safeguard Rules that have been promulgated by the Federal Trade Commission (“FTC”) and the Securities and Exchange Commission. However, the Cyber Proposal uses, but does not define, the term “client”, and it is unclear if NASAA intends for the Cyber Proposal to cover clients who would not be “customers” under GLBA.

4 NASAA recognized that an annual delivery requirement diverges from the requirements of GLBA but asserted that “privacy policies contain important information, and advisory clients should receive a copy of their investment adviser’s privacy policy every year.” 

5 See Colo. Code Regs. §§ 704-1:51-4.8, 4.14; 4-4 Vt. Code R. § 8:8-4; Mass. Gen. Laws ch. 93H, §§ 1 to 6, 175I, §§ 1 to 22; 201 Mass. Code Regs. 17.00 to 17.05.

Jeffrey P. Taft

Adam D. Kanter

Matthew Bisanz

Nicholas McCoy

Industry Regulator Issues Cybersecurity Guidance

Borden Ladner Gervais LLP

The Financial Industry Regulatory Authority (FINRA) is an independent, self-regulatory organization for broker-dealer firms doing business in the United States. FINRA is authorized by the United States Congress to protect American investors by making sure the broker-dealer industry operates fairly and honestly.

In 2015, FINRA issued a Report on Cybersecurity Practices to provide information about the following practices that broker-dealer firms should consider to strengthen their cybersecurity programs: (1) cybersecurity governance and risk management; (2) cybersecurity risk assessment; (3) technical controls; (4) incident response planning; (5) vendor management; (6) staff training; (7) cyber intelligence and information sharing; and (8) cyber insurance. The report explained FINRA’s expectation that broker-dealer firms would make cybersecurity a priority and would devote sufficient resources to understanding and preparing for current and evolving cybersecurity threats. 

In 2016, FINRA published a Checklist for a Small Firm’s Cybersecurity Program to help small broker-dealer firms with limited resources establish a cybersecurity program. The checklist is primarily derived from the National Institute of Standards and Technology (NIST) Cybersecurity Framework and FINRA’s Report on Cybersecurity Practices (2015), and references the SANS Critical Security Controls for Effective Cyber Defense.

The 2018 Report

FINRA’s Report on Selected Cybersecurity Practices – 2018 presents FINRA’s recommendations for effective practices regarding five important cybersecurity topics: (1) cybersecurity controls in branch offices; (2) phishing attacks; (3) insider threats; (4) penetration-testing programs; and (5) mobile devices. The Report reminds firms that the recommended practices should be part of a holistic cybersecurity program, as discussed in FINRA’s 2015 Report on Cybersecurity Practices. The Report also provides a list of core cybersecurity controls for small broker-dealer firms to be used in conjunction with FINRA’s Checklist for a Small Firm’s Cybersecurity Program. Following is a summary of some of the key recommendations in the Report.

Branch Controls 

The Report explains that effective cybersecurity controls in branch offices are especially important for firms with decentralized business models. The Report details four practices for addressing cybersecurity risks at branch offices: (1) develop comprehensive and easily referenced written supervisory procedures to define minimum cybersecurity requirements and to formalize oversight of branch offices; (2) create inventories of branch-level data, software and hardware assets, and related third party services, for use in conjunction with cybersecurity risk assessments to help identify critical assets and their cyber vulnerabilities; (3) establish and maintain branch technical controls to mitigate identified cybersecurity threats; and (4) implement a robust review program to ensure that branches consistently apply cybersecurity practices.

Phishing

The Report explains that social engineering or “phishing” attacks, which try to convince a targeted individual to disclose sensitive information (e.g. personal information or credentials) or take harmful action (e.g. clicking on a malicious link or opening an infected attachment), are one of the most common cybersecurity threats to firms and their customers. The Report warns about the increasing sophistication and quality of phishing attacks, especially carefully planned attacks targeted to a specific individual (known as “spear phishing”) or to a senior executive (known as “whaling”) that can be difficult to distinguish from legitimate communications. The Report provides a useful summary of the characteristics of common phishing communications.

The Report details practices to mitigate phishing risks, including: (1) develop policies/procedures to specifically address phishing; (2) include phishing scenarios in risk assessments; (3) establish policies/procedures to confirm transaction requests; (4) implement email scanning and filtering to monitor and block phishing and spam communications; (5) train staff, including simulated phishing campaigns and remedial training for staff who demonstrate risky behaviour; (6) review processes/procedures to detect and remediate a successful phishing attack; (7) implement data loss prevention practices/procedures to reduce the impact of a successful phishing attack; and (8) provide customers with resources to protect themselves from phishing attacks. 

Insider Threats 

The Report warns that insider threats are a critical cybersecurity risk, because insiders (i.e. individuals with authorized access to firm systems and data) are often able to circumvent controls and cause material data breaches and other significant harm to an organization. The Report explains that an effective risk-based insider threat program typically includes the following components: (1) executive leadership and management support; (2) identity and access management policies and technical controls; (3) technical controls to help identify risky activities or anomalous behavior and detect potential attacks, and data loss prevention controls to prevent the inadvertent or malicious transmission of data to unauthorized recipients; (4) training for all insiders; (5) measures (based on people, processes and technologies) to help identify potentially malicious insiders and deter intentional misconduct, and to cultivate a strong culture of compliance; and (6) a comprehensive asset inventory.

Penetration Testing 

The Report explains that penetration (or “pen”) testing can be an important part of a cybersecurity program. A pen test simulates a malicious external or internal attack on a firm’s network to identify vulnerabilities and evaluate the effectiveness of preventative measures. The Report notes that firms often take a risk-based approach to determining the systems to be tested and test frequency. The Report encourages due diligence when selecting pen test service providers, and the use of appropriate contractual arrangements (including confidentiality obligations) with all pen test service providers. The Report notes that firms often follow established governance structures and procedures for determining when and how to address risks identified by a pen test.

Mobile Devices 

The Report explains that the increasingly widespread use of mobile devices by staff, customers and service providers can present significant cyber risks, including infected, cloned or pirated applications, operating system vulnerabilities, and phishing, spoofing or rerouting of calls, emails and text messages. The Report details practices to mitigate risks presented by staff use of mobile devices, including: (1) develop policies/procedures (e.g. “bring your own device” standards) for staff use of mobile devices and for the protection of sensitive data and information; (2) prohibit staff use of a mobile device unless the device has been approved and the user has agreed to comply with applicable policies/procedures; (3) train staff; (4) require all mobile devices to comply with technological requirements (e.g. mobile device management applications, password requirements, software restrictions, and encryption and transmission controls); (5) emphasize the importance of physically securing mobile devices and reporting lost devices; and (6) enforce compliance with mobile device policies/procedures with appropriate consequences for violations.

The Report details practices to mitigate risks presented by customers’ use of mobile devices, including: (1) customer education/information about mobile device risks; (2) require the use of multi-factor authentication and implement data loss prevention controls; (3) prohibit the use of mobile devices for certain activities (e.g. changes to account settings or contact information); (4) automatically terminate remote network access after a period of inactivity; and (5) secure development and testing of mobile applications.

Core Cybersecurity Controls for Small Firms 

The Report lists the following “core controls” for small firms’ cybersecurity programs: (1) patch maintenance; (2) secure system configuration; (3) identity and access management; (4) vulnerability scanning; (5) endpoint malware protection; (6) email and browser protection; (7) perimeter security; (8) security awareness training; (9) risk assessments; (10) data protection; (11) third-party risk management; (12) branch controls; and (13) policies and procedures. The Report cautions that an effective cybersecurity program requires that each of those controls be considered in the context of the firm’s particular business model and technology infrastructure, and in light of other relevant circumstances. The Report encourages small firms to consider other FINRA cybersecurity guidance.

Why states should push forward with cyber laws

The list of Democratic presidential candidates continues to grow, and three of those hopefuls offer backgrounds and legislative records that could help advance the issue of cybersecurity standards at the federal level.

Sen. Kamala Harris (D-Calif.) last year co-sponsored a bipartisan bill to improve cybersecurity at U.S. ports as well as the Secure Elections Act. Sen. Kirsten Gillibrand (D-N.Y.) teamed with Sen. Lindsey Graham (R-S.C.) on legislation to push for a more rigorous investigation into Russian election interference. In addition, Sen. Elizabeth Warren (D-Mass.) introduced legislation in response to the Equifax data breach. Separately, President Trump recently signed the SECURE Technology Act, which requires the Department of Homeland Security to establish a security vulnerability disclosure policy and a bug bounty pilot program, and to set supply chain risk management standards.

In fact, according to The Washington Post, “all six U.S. senators that threw their hats in the ring for the Democratic nomination have co-sponsored bills aimed at protecting election systems against Russian hackers.”

At no other time has cybersecurity been at the forefront of so many federal legislative efforts and conversations. While it’s encouraging to see cybersecurity getting much-deserved attention from politicians seeking the highest office, it could be argued that these efforts are doomed to fail.

Don’t Let Your Cybersecurity Policy Slip

The SEC has been clear on what it expects from advisors on data protection. Are you up to speed?

By now, every Securities and Exchange Commission-registered investment advisor should have a written cybersecurity policy. That was the first piece of advice Cary Kvitka, our cyber-security legal expert, gave me in a recent update on the topic, which included a review of SEC oversight.

The SEC’s Office of Compliance Inspections and Examinations issued Risk Alerts in 2014 and 2015, identifying cybersecurity as a critical concern and describing the nature of upcoming cybersecurity-focused examinations. In the process, OCIE identified the types of information it would be requesting in those examinations. In September 2015, for example, it announced that the upcoming round of examinations would focus on:

• Governance and Risk Assessment, which generally evaluates whether advisors: 1) have cybersecurity governance and risk assessment processes to address OCIE’s stated focus areas, 2) are periodically evaluating cybersecurity risks, 3) have implemented cybersecurity infrastructure and risk assessment processes tailored to business operations, and 4) engage in communications to and from senior management.

• Access Rights and Controls, that is, whether advisors are at risk of a data breach resulting from the failure to implement basic controls to prevent unauthorized access to systems or information, and an evaluation of the way in which they manage user credentials, authentication, and authorization methods.

• Data Loss Prevention, which would include analyses of how advisors monitor: 1) the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads, and 2) unauthorized data transfers.

• Vendor Management, including an assessment of an advisor’s due diligence, monitoring and vendor oversight process, in addition to an evaluation of relevant contract terms.

• Training, which could focus upon the ways in which advisors prevent data breaches resulting from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or downloading attachments from an unknown source.

• Incident Response, for which examiners would assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible data breaches.

Cary also mentioned that a critical footnote in the September 2015 OCIE Risk Alert references Regulation S-P, Rule 30(a), which requires advisors to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Those policies and procedures must be reasonably designed to:

1. Insure the security and confidentiality of customer records and information;

2. Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and

3. Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.

Within this Risk Alert, the footnote signals that RIAs that do not adopt written policies and procedures to address the risk of data breaches/unauthorized access through hacking or electronic means are potentially violating Rule 30(a).

When OCIE announced its 2019 examination priorities, it specifically indicated it will emphasize cybersecurity practices at investment advisors with multiple branch offices, including those that have recently merged with other investment advisors. Now advisors need to pay close attention to what their written cybersecurity policies require.

Generally, we recommend that advisors review their cybersecurity policy at least annually. In the process, they should evaluate whether to update the cybersecurity policy, procedures, or infrastructure based upon the risks the firm faces. The annual review also should confirm that the firm has complied with all policy requirements (such as maintaining inventories, sign-in sheets for education/review sessions, tracking access rights, etc.) and that the written cybersecurity policy reflects current information and practices.

In summary, the SEC has made its position clear. Have you kept pace?

Thomas D. Giachetti is chairman of the Securities Practice Group of Stark & Stark. He can be reached at tgiachetti@stark-stark.com.

A Regulatory Tsunami Is Coming: Are You Prepared?

Compliance will be an increasingly challenging business issue in 2019. Consider the 'Office of Compliance' that Xerox already has in place to deal with the complexity.

Regardless of how any business leader personally feels about data-privacy regulations, they seem destined to grow stronger.

In December, a coalition of more than 200 banks, retailers and tech companies called on Congress to draft stricter privacy legislation. Coalition members said they believed that all companies should be subject to the same rules, regardless of their size or industry, and that there should be a national standard for data-breach notifications.

The fact that private industry was itself calling for legislation is significant. Companies are now acutely aware of the financial and public relations fallout from data breaches, so much so that they are actually asking lawmakers to hold them to higher standards. The public is equally anxious about data privacy.


And it's that combination that makes it extremely likely that tougher data regulations are headed down the pipeline.

All this comes on the heels of the General Data Protection Regulation's (GDPR) implementation in the European Union last spring, plus the passage of the California Consumer Privacy Act last summer. Congressional Democrats and Republicans are currently butting heads on the issue, with the GOP interested only in a federal law that would supersede any state regulations.

What does small business think of all this? Considering that California's law goes into effect in January 2020 and that nearly every other state has proposed various data privacy legislation, small businesses are obviously eager to avoid a potential patchwork of state laws. The regulatory waters are already choppy enough.

Some industries, like finance, are accustomed to data regulations. Considering the scope of potential new regulations, that finance sector experience won’t count for much, however. For the simple fact is that every company in America needs to prepare for new compliance challenges throughout 2019.

Have you thought about what compliance means to you?

The costs 

Most companies expect pending regulations to be modeled on the GDPR that now applies to every business serving customers in the European Union. GDPR levies fines for every single record that is exposed in a breach, meaning fines can run into the millions (or even billions) of euros (do the math for $U.S.).

If the size of those numbers is troubling, consider the likelihood of a fine. Forthcoming regulations will obligate companies to take a whole new approach to data and customer engagement. Adjusting to complex, wide-ranging new regulations won’t be easy. Companies may be eager to comply but find themselves in trouble because they’re unable.

The ever-increasing threat of cybercrime is another worry. Today’s hackers are both tenacious and sophisticated, making cybersecurity incredibly difficult to ensure. Following whatever regulations are released won’t make companies immune to attack or exempt from fines -- though it will make them better protected than they are today.

Making compliance simple and certain

We don’t yet know what form any new regulations might take or how they would affect individual companies. Luckily, the details are not necessary for businesses to begin building a better approach to compliance. The goal is to make managing compliance simultaneously easier and more consistent. Start with these steps:

1. Collect data from across channels. 

Don’t think of data as "regulated" versus "unregulated." All data is potentially sensitive, so instead of protecting some data, companies should begin protecting all data equally. That starts with businesses being able to collect data from as many sources as possible for storage on one platform that’s been standardized for compliance.


Xerox recognized the value of standardization when, in 2017, it established an Office of Compliance, which strives to create a positive corporate compliance culture by helping employees do diligent work, and ensuring that senior leaders and all members of management send consistent messages. This office also constantly reviews and updates corporate policies to align with evolving regulatory and legal requirements.

Such top-down coordination will be essential once fast-moving data in multiple formats becomes subject to privacy laws. Think of it as a dedicated compliance team that's entrusted to stay abreast of each new development and respond accordingly.

Companies of all sizes should copy Xerox and make an effort to codify their compliance protocols -- the sooner, the better. Just make sure to stay open to the possibility of procedural changes, as forthcoming regulations will surely require flexibility as they are introduced and enacted.

2. Facilitate internal and external audits.

Audits are crucial for compliance. Complying with auditors often means turning over massive amounts of information. Alternately, conducting internal audits allows companies to find and correct issues before the regulators even arrive. In either case, companies need to have on-demand access to all their data; otherwise, any kind of audit is a burden.

Having all data on a platform accessible with unified search makes retrieval basically effortless. Nikon understands that a fast response is important -- so much so that it has developed independent systems. These systems enable the company's internal audit department to review compliance with laws and regulations, as well as with internal rules, without interference from operational divisions.

An overview of each department’s annual activities -- to determine primarily whether divisions' operations are being conducted in accordance with laws and regulations, as well as to create proposals for improvement -- is provided to the company’s executive committee and board of directors.

Picture how much easier external investigations will be to manage after your company performs numerous dry runs. Practice makes perfect. As regulations evolve over the course of 2019 and beyond, reacting and adapting fast will be key. Get a head start by instituting a system of internal audits as soon as you can.

3. Practice good governance.

Regulations dictate how a company must act both before and after a breach. Because of that increased scrutiny, companies must become hyperaware of data security. If, for instance, a breach went undetected, and therefore unreported, the resulting fine could be multiplied. Considering how unpredictable cybersecurity can be, companies need to have plans and policies detailing exactly how to act after a breach.

SEC Cyber Enforcement Examination Initiative

SEC Examiners will gather information on cybersecurity-related controls and will also test to assess implementation of certain firm controls. In order to promote better compliance practices and inform the Commission’s understanding of cybersecurity preparedness, this Initiative will focus on the following areas:

• Governance and Risk Assessment: Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms are periodically evaluating cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.

• Access Rights and Controls: Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication, and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols to address customer login problems, network segmentation, and tiered access.

• Data Loss Prevention: Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.

• Vendor Management: Some of the largest data breaches over the last few years may have resulted from the hacking of third party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.

• Training: Without proper training, employees and vendors may put a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection, or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.

• Incident Response: Firms generally acknowledge the increased risks related to cybersecurity attacks and potential future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities, and developed plans to address possible future events. This includes determining which firm data, assets, and services warrant the most protection to help prevent attacks from causing significant harm.

While these are the primary focus areas for the Cybersecurity Examination Initiative, examiners may select additional areas based on risks identified during the course of the examinations. As part of OCIE’s efforts to promote compliance and to share with the industry where it sees cybersecurity-related risks, OCIE is including, as the Appendix to this Risk Alert, a sample request for information and documents to be used in this Initiative.

III. Conclusion

In sharing the key focus areas for the Cybersecurity Examination Initiative and the attached document request, the NEP hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity.

Will 2019 Be the Year of Blockbuster Cybersecurity Enforcement by the SEC?

Firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

Conclusion

The SEC has, in the past, largely taken a softer approach to encouraging compliance in the cyber-security arena, but the agency now appears ready to bring significant enforcement actions for cyber-related missteps. Public companies and entities registered with the SEC would do well to heed the SEC’s admonitions and take a close and careful look at their cybersecurity-related policies and procedures to ensure full compliance.

After years of admonishing financial institutions and public companies to take cybersecurity more seriously, the U.S. Securities and Exchange Commission (SEC) appears ready to back up its words with investigations and penalties. Starting with Jay Clayton’s confirmation as SEC Chair in 2017, the agency has enhanced its efforts to protect investors and markets from increasingly dangerous and costly cyber threats. Indeed, the SEC’s conduct over the past two years—including creating a dedicated Cyber Unit in its Enforcement Division and bringing several first-of-their-kind cybersecurity enforcement actions—foretells that the agency is prepared to take an even more aggressive approach in addressing cybersecurity issues among the entities it supervises. As a result, firms that have yet to dedicate sustained attention to their cyber threats and risks may find that the SEC is far more willing to use a stick rather than a carrot to obtain compliance.

The SEC’s Focus on Cybersecurity

Since his confirmation as SEC Chair in 2017, Clayton has made cybersecurity one of the SEC’s main priorities. In 2017, Clayton formed the cybersecurity working group, an initiative to coordinate information sharing, risk monitoring, and incident response throughout the SEC. In discussing the working group, Clayton defined the SEC’s cyber focus as “identifying and managing cybersecurity risks and ensuring that market participants—including issuers, intermediaries, investors and government authorities—are actively engaged in this effort and are appropriately informing investors and other market participants of these risks.” See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

In September 2017, the SEC also announced the creation of a Cyber Unit. The Cyber Unit was formed to consolidate the expertise of the SEC’s Division of Enforcement and enhance its ability to identify and investigate a wide-range of cyber-related threats, including (1) market manipulation schemes involving false information communicated electronically; (2) hacking to obtain material nonpublic information; (3) fraud involving blockchain technology and “initial coin offerings”; (4) hacking into retail brokerage accounts; and (5) cyber threats to trading platforms and market infrastructure. In commenting on the Cyber Unit’s launch, Stephanie Avakian, co-director of the SEC’s Enforcement Division, identified cyber-related threats as “among the greatest risks facing investors and the securities industry.” SEC Press Release 2017-176, SEC Announces Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25, 2017).

Since its creation, the Cyber Unit has wasted little time in bringing cases. According to the Enforcement Division’s 2018 Annual Report, during 2018, the SEC brought 20 stand-alone cases related to cybersecurity and has 225 cyber-related investigations that it deems “ongoing.” See SEC Annual Report, Division of Enforcement (Nov. 2, 2018). In several cases, the enforcement actions were first-of-their-kind, as discussed below.

The SEC’s focus on cybersecurity also appears to be driven by its own experience with cybersecurity issues. The same month that the SEC announced the creation of its Cyber Unit, the SEC announced that it, too, has experienced data breaches. In an extended Statement on Cybersecurity that likely is also intended to serve as a model for public companies in discussing their own material cybersecurity risks and incidents, Clayton announced a number of cybersecurity risks and data incidents affecting the SEC, the most significant of which involved hackers gaining access to the SEC’s EDGAR filing database in 2016 to steal unreleased corporate filings that potentially contained material nonpublic information. See SEC Public Statement, Statement on Cybersecurity (Sept. 20, 2017).

Public Company Cybersecurity Disclosures

Cyber Disclosure Guidance. One of the centerpieces of the SEC’s enhanced cybersecurity strategy is in encouraging public companies and issuers to be transparent with the investing public about their material cyber risks and incidents. In September 2017, Clayton said that he is “not comfortable that the American investing public understands the substantial risks that we face systemically for cyber issues, and I’d like to see better disclosure around that.” C. Germaine, Clayton Says No Shift in Enforcement Priorities at SEC, Law360 (Sept. 6, 2017). Perhaps exemplifying the SEC’s concerns, that same month, credit reporting agency Equifax disclosed that an unknown attacker had stolen personally identifiable information of approximately 145 million consumers. K. Coen, Populist Pitchforks Come Out: Insider Trading and Equifax, Law360 (Nov. 6, 2017). Equifax faced immediate public criticism over the timeliness and adequacy of its disclosure, which came approximately six weeks after it discovered the breach. Further, questions were raised about potential insider trading by four Equifax executives, including the Chief Financial Officer, all of whom collectively sold $1.8 million of Equifax shares between the time the breach was discovered and when it was disclosed to the public. Id. An internal review ultimately cleared those executives of any wrongdoing.

In February 2018, and consistent with the SEC’s focus on disclosure—and perhaps in response to the Equifax breach—the SEC published revised guidance regarding public company disclosures about material cyber risks and incidents (2018 Guidance). See SEC Release Nos. 33-10459 & 34-82746, Commission Statement and Guidance on Public Company Cybersecurity Disclosures (Feb. 26, 2018). The 2018 Guidance consolidated and built upon the SEC’s prior guidance on disclosure obligations relating to cybersecurity, particularly the Division of Corporation Finance’s guidance from 2011. Among other things, the 2018 Guidance addresses topics such as: (1) the criteria for determining whether a cyber risk or incident is “material”; (2) how promptly companies must disclose material cyber incidents; (3) the level of specificity required when disclosing material cyber risks; and (4) the need to adopt policies and procedures to prevent insider trading on as-yet undisclosed cyber incidents.

Disclosure-Related Enforcement Actions. At the time the 2018 Guidance was released, it was still unclear whether the SEC would bring an enforcement action against an issuer that failed to disclose material cyber risks or incidents to the investing public. Previously, Stephanie Avakian said that she could “absolutely” envision a situation in which the SEC would bring an enforcement action for inadequate cyber disclosures. J. Hoover, SEC Suits Over Cyber Reporting Could Be on the Horizon, Law360 (April 20, 2017).

That uncertainty was resolved in April 2018, when the SEC announced its first-ever enforcement action against a public company for failing to disclose a breach. The enforcement action involved Yahoo, which the SEC alleged had misled shareholders by not disclosing in its public filings for nearly two years a data breach that affected hundreds of millions of its internet email subscribers. See SEC Press Release 2018-71, Altaba, Formerly Known as Yahoo!, Charged with Failing to Disclose Massive Cybersecurity Breach; Agrees to Pay $35 Million (April 24, 2018). The Yahoo breach only came to light as a result of merger discussions with Verizon, which sought to purchase the company. According to the SEC, Yahoo’s senior management and legal staff allegedly “did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in [its] public filings or whether the breach rendered, or would render, any statements made by [it] in its public filings misleading.”

The SEC further noted that the company’s disclosures in its public filings were misleading to the extent they omitted known trends or uncertainties presented by the data breach. In addition, the SEC alleged the risk factor disclosures in the company’s public filings were misleading in that they claimed the company only faced the risk of potential future data breaches without disclosing that a data breach had in fact already occurred. The SEC noted that while immediate disclosure (such as in a Form 8-K) is not always necessary in the event of a data breach, the breach should have been disclosed in the company’s regular periodic reports. The company ultimately agreed to pay a $35 million fine.

In the case of Yahoo, the failure to disclose the breach had a clear effect on the company’s shareholders, who saw Verizon reduce its purchase price for Yahoo by $350 million after the breach was disclosed. In announcing the Yahoo enforcement action, Steven Peikin, co-director of Enforcement, observed that “[w]e do not second-guess good faith exercises of judgment about cyber-incident disclosure. But we have also cautioned that a company’s response to such an event could be so lacking that an enforcement action would be warranted. This is clearly such a case.” Id.

It remains to be seen whether the SEC will take any actions with respect to Equifax for its six-week delay in disclosure of its 2017 breach. However, in March and June of 2018, the SEC charged two former Equifax employees with trading on material nonpublic information related to the Equifax breach. See SEC Press Release 2018-40, Former Equifax Executive Charged With Insider Trading (March 14, 2018) and SEC Press Release 2018-115, Former Equifax Manager Charged With Insider Trading (June 28, 2018). The U.S. Department of Justice also brought parallel criminal insider trading charges against these individuals. Notably, the two individuals charged were not included among the four Equifax executives who were initially suspected of engaging in potential insider trading.

The charges against these individuals highlight the challenge public companies face in managing information related to a breach among their employees prior to public disclosure. In Equifax’s case, neither defendant was told about the breach directly. Instead, Equifax provided them with a false cover story to explain the breach mitigation work they were asked to perform. Because the defendants were not told about the breach, they were not also expressly instructed that a blackout had been imposed on Equifax share sales. The defendants eventually pieced together the clues about the breach and sold their shares prior to the company’s public disclosure of the breach.

Data Security Safeguards

In addition to cybersecurity disclosures, the SEC has also reaffirmed its commitment to seeing registered entities such as broker-dealers and investment advisers implement appropriate data security programs to protect their systems and customer data.

For example, the 2019 examination priorities of the SEC’s Office of Compliance Inspections and Examinations (OCIE) again feature cybersecurity as a top priority. See SEC 2019 Examination Priorities, Office of Compliance Inspections and Examinations (Dec. 20, 2018). Among other things, OCIE continues to stress the importance of cyber risk assessments, access rights, vendor management, training, and data loss prevention for firms. The scope of focus, however, has sharpened over the last year to include the configuration of network storage devices, policies and procedures related to retail trading information security, and practices at investment advisers with multiple branch offices or that have recently merged with other investment advisers. Further, for entities that maintain critical market infrastructure, OCIE will examine compliance with SEC Regulation SCI, which requires such entities to maintain policies to protect their systems’ capacity, integrity, resiliency, availability, and security.

Given the SEC’s sharp focus on cybersecurity compliance issues for broker-dealers and investment advisers, one would expect to see a corresponding focus by the Enforcement Division on these issues as well. And, in fact, in September 2018, the SEC brought another first-of-its-kind enforcement action that, notably, was based on a referral from an OCIE examination. See SEC Press Release 2018-213, SEC Charges Firm With Deficient Cybersecurity Procedures (Sept. 26, 2018). In that action, a mid-sized broker-dealer and investment adviser was fined $1 million for alleged cybersecurity lapses that allowed hackers to access client Social Security Numbers, account balances and details of client investment accounts. In addition to finding a violation of Regulation S-P—the SEC’s Safeguards Rule—the SEC dusted off its “Identity Theft Red Flags Rule” to censure the firm. The Identity Theft Red Flags Rule—also called “Regulation S-ID”—requires designated financial firms to develop and implement a written identity theft prevention program “designed to detect, prevent, and mitigate identity theft” for investment accounts. The rule also requires board oversight of the identity theft program. Although the SEC had adopted the red flags rule five years ago, it had not been used in an enforcement action until now.

2018 SEC Annual Report

Policing Cyber-Related Misconduct

Since the formation of the Cyber Unit at the end of FY 2017, the Division’s focus on cyber-related misconduct has steadily increased. In FY 2018, the Commission brought 20 stand-alone cases, including those cases involving ICOs and digital assets. At the end of the fiscal year, the Division had more than 225 cyber-related investigations ongoing. Thanks to the work of the Unit and other staff focusing on these issues, in FY 2018 the SEC’s enforcement efforts impacted a number of areas where the federal securities laws intersect with cyber issues.

Reducing the greatest cyber security risk -- the one from within

NEW YORK (Thomson Reuters Regulatory Intelligence) - The greatest cyber security risk to an investment advisory firm may be its staff; therefore, a training and education program that addresses relevant cyber threats is vital.

In 2019, investment advisers must, among their most important cyber security steps, train staff to identify phishing emails, secure and protect company devices, and take steps to verify the movement of client funds. The increased use of automation and reliance on electronic communications can cause a firm employee to unknowingly allow an unauthorized party to access company systems and ultimately access clients’ non-public information or funds. Therefore, a firm that includes the education of its staff in its overall plan against cyber-attacks will be best prepared to keep its infrastructure intact.

CYBER SECURITY

Cyber security is one of the greatest risks currently facing the financial-services industry, and a perennial examination priority for the Securities and Exchange Commission.

The SEC has prioritized cyber security during adviser examinations with an emphasis on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.

Specifically, in the 2019 exam list, the SEC has added emphasis on the cybersecurity practices of investment advisers with multiple branch offices, including those that have recently merged with other advisers.

PHISHING EMAILS

The forms of electronic communication have expanded; however, email continues to be the primary channel for most investment advisers. Phishing is a type of online scam in which criminals send an email that appears to be from a legitimate company and ask you to provide sensitive information. A firm’s email administrator or system may not always identify these types of emails; therefore, firm associates must be able to recognize them before any action is taken. In many cases, once the sensitive information is given to the scammer, they will have access to account numbers, passwords, usernames, and more, and will be able to use them to commit fraud.

A firm’s associates should be wary of suspicious emails that do not use the individual’s name; for example, if a bank or brokerage firm were notifying an individual of an issue, it would know and use the customer’s name.

Also, the display name should match the actual sender. Therefore, checking that the sender’s email address in the header matches the display name is prudent.

In addition, a phishing email will often be unsolicited or unexpected and contain grammatical or spelling errors and unnecessary capitalization. A firm individual must be wary of attachments or links as well. An unexpected attachment or prompted download can inadvertently install malware or ransomware.

When a link is present, it’s always best policy to open a new browser tab and manually search for and navigate to the site rather than clicking the link.

Lastly, a firm individual must alert the compliance department or the proper authority once a phishing email is identified. Phishing attempts can also spill into social media, so diligence must extend beyond email.
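The heuristics above can be applied mechanically before a message reaches an associate. The following is an added example, not code from the Reuters piece or any regulator: it checks the From display name against the real sender address, looks for a generic greeting in place of the client's name, and compares link text with the link target. The two sample messages are constructed, and the .test domains are invented.

```python
"""Heuristic phishing screen for inbound e-mail (added example, not the article's code)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

GENERIC_GREETINGS = ("dear customer", "dear client", "dear user",
                     "dear account holder", "dear valued customer")
# Words attackers pad display names with; they also turn up in lookalike
# domains, so they must not count as a match between name and address.
NAME_STOPWORDS = {"support", "team", "service", "services", "security",
                  "secure", "account", "accounts", "alert", "alerts",
                  "customer", "online", "notification", "notifications"}
LINK_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>',
                     re.IGNORECASE | re.DOTALL)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)")


def registered_domain(host):
    """Collapse a hostname to its last two labels: www.examplebank.test -> examplebank.test."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def display_name_mismatch(from_header):
    """True when the From display name does not plausibly belong to the sender address."""
    name, addr = parseaddr(from_header)
    name, addr = name.lower(), addr.lower()
    if not name or "@" not in addr:
        return False
    # A display name that itself contains an address is a classic spoof,
    # e.g. "alerts@examplebank.test" <attacker@other.test>
    embedded = re.findall(r"[\w.+-]+@[\w.-]+", name)
    if embedded:
        return any(e != addr for e in embedded)
    tokens = [t for t in re.findall(r"[a-z]{4,}", name) if t not in NAME_STOPWORDS]
    if not tokens:
        return False  # nothing distinctive to compare; leave it to the other checks
    return not any(t in addr for t in tokens)


def generic_greeting(body):
    """True when the opening lines say 'Dear Customer' etc. instead of using a name."""
    head = re.sub(r"<[^>]+>", " ", body).lower().lstrip()[:200]
    return any(g in head for g in GENERIC_GREETINGS)


def link_mismatches(html_body):
    """Return (visible text, href) pairs whose visible text names a different site than the href."""
    found = []
    for href, text in LINK_RE.findall(html_body):
        shown = re.sub(r"<[^>]+>", "", text).strip().lower()
        m = HOST_IN_TEXT_RE.search(shown)
        if not m:
            continue  # plain-word link text ("click here") is left to the reader
        href_host = urlparse(href).hostname or ""
        if registered_domain(m.group(1)) != registered_domain(href_host):
            found.append((shown, href))
    return found


def score_message(raw):
    """Run the three checks on a raw RFC 822 message (single-part body assumed)."""
    msg = message_from_string(raw)
    payload = msg.get_payload(decode=True)
    body = payload.decode("utf-8", errors="replace") if isinstance(payload, bytes) else str(payload)
    result = {
        "display_name_mismatch": display_name_mismatch(msg.get("From", "")),
        "generic_greeting": generic_greeting(body),
        "link_mismatches": link_mismatches(body),
    }
    result["flag"] = (result["display_name_mismatch"] or result["generic_greeting"]
                      or bool(result["link_mismatches"]))
    return result


# Constructed sample messages (not real mail); .test domains are reserved for examples.
SUSPICIOUS_MESSAGE = """\
From: "Example Bank Security" <alerts@secure-login-verify.test>
To: jdoe@advisoryfirm.test
Subject: URGENT: Verify Your Account

<p>Dear Customer,</p>
<p>Your account has been LOCKED. Please visit
<a href="http://secure-login-verify.test/restore">www.examplebank.test/login</a>
to restore access.</p>
"""

LEGITIMATE_MESSAGE = """\
From: "Example Bank" <alerts@examplebank.test>
To: jdoe@advisoryfirm.test
Subject: Your monthly statement is ready

<p>Dear Jane Doe,</p>
<p>Your statement is available at
<a href="https://www.examplebank.test/statements">www.examplebank.test</a>.</p>
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("legitimate", LEGITIMATE_MESSAGE)):
        print(label, score_message(raw))
```

A hit from any check is a reason to route the message to compliance for a second look, not a verdict on its own.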

ADVISOR ARMOR FINRA/SEC/NYDFS Core Cyber Security Compliance Controls for Small and Multi-Branch Firms

The following list identifies the core controls a firm needs to have in place, and be able to evidence, to demonstrate its cybersecurity program. To establish an effective program, however, firms will need to consider these measures in the context of their business model and technology infrastructure.

Patch Maintenance. Enable the automatic patching and updating features of operating systems and other software to help firms maintain the latest security controls.

Secure System Configuration. When configuring systems and software, use vendor guidance or industry standards, such as those published by the Center for Internet Security (“CIS”).

Identity and Access Management. Limit access to confidential customer and firm information based on business need. Tightly restrict use of “admin” or highly privileged entitlements and regularly review user accounts and privileges to modify or delete those which are no longer necessary to achieve business objectives.
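The periodic review this control calls for is easy to automate against an access export. The following is an added example, not code from Advisor Armor or any regulator: it reconciles a constructed user/entitlement export against the HR roster and flags accounts with no active employee, privileged entitlements held outside the approved admin list, and dormant accounts. All names, field names and the 90-day threshold are assumptions.

```python
"""Periodic user-access review for a small or multi-branch firm (added example)."""
import csv
import io
from datetime import date

# Constructed HR roster of active staff and the approved holders of admin rights.
ACTIVE_STAFF = {"jdoe", "asmith", "bwong"}
APPROVED_ADMINS = {"bwong"}
PRIVILEGED_ENTITLEMENTS = {"domain_admin", "backup_operator", "crm_admin"}
DORMANT_DAYS = 90  # assumed threshold; set to the firm's policy value

# Constructed export from a directory or application access report.
ACCOUNT_EXPORT = """\
user,entitlements,last_login
jdoe,crm_read;crm_write,2019-02-10
asmith,crm_read;portfolio_read,2018-09-01
bwong,crm_read;domain_admin,2019-02-14
tlee,crm_read;portfolio_write,2019-02-12
svc_backup,domain_admin;backup_operator,2019-02-13
"""


def parse_export(text):
    """Parse the CSV export into dicts with entitlements as a set and last_login as a date."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "user": row["user"].strip(),
            "entitlements": {e for e in row["entitlements"].split(";") if e},
            "last_login": date.fromisoformat(row["last_login"]),
        })
    return rows


def review_access(rows, active_staff, approved_admins, privileged, today,
                  dormant_days=DORMANT_DAYS):
    """Return a sorted list of (user, issue) findings for the reviewer to act on."""
    findings = []
    for r in rows:
        user = r["user"]
        if user not in active_staff:
            # Leavers and unowned service accounts: disable or document an owner.
            findings.append((user, "no active employee on roster; disable or document ownership"))
        held = r["entitlements"] & privileged
        if held and user not in approved_admins:
            findings.append((user, "unapproved privileged entitlement(s): " + ", ".join(sorted(held))))
        idle = (today - r["last_login"]).days
        if idle > dormant_days:
            findings.append((user, f"dormant for {idle} days; confirm business need or disable"))
    return sorted(findings)


def run_review(today=date(2019, 2, 15)):
    """Review the constructed export as of a fixed date so the result is reproducible."""
    return review_access(parse_export(ACCOUNT_EXPORT), ACTIVE_STAFF, APPROVED_ADMINS,
                         PRIVILEGED_ENTITLEMENTS, today)


if __name__ == "__main__":
    for user, issue in run_review():
        print(f"{user:12} {issue}")
```

Keeping the dated output of each run is the evidence an examiner will ask for under the Identity and Access Management control.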

Vulnerability Scanning. Use Commercial Off-The-Shelf (“COTS”) software or third-party vendors to continuously scan for vulnerabilities and quickly address detected discrepancies.

Endpoint Malware Protection. Install COTS software on firm computers, servers and firewalls to detect and block viruses and other malware.

E-mail and Browser Protection. Install software or use services to block web-based e-mail programs and unsafe content received through e-mail (e.g., phishing attacks) or accessed via web browsers.

Perimeter Security. Use network access controls, such as firewalls, to block unnecessary connectivity between firm systems and outside systems. If feasible, incorporate an intrusion detection and prevention system.

Security Awareness Training. Provide cybersecurity training to all employees upon their employment and at least annually thereafter (but preferably more often) to ensure all users are aware of their responsibilities for protecting the firm’s systems and information. Training should address common attacks, how to avoid becoming a victim and what to do if you notice something suspicious. Consider implementing an ongoing phishing awareness campaign.

Risk Assessments. Conduct annual risk assessments and testing of firm controls to verify effectiveness and adequacy. This assessment may be accomplished using third-party or firm security experts.

Data Protection. Encrypt critical data, back it up frequently and store copies of back-ups offline. Regularly test the firm’s ability to restore data. Consider blocking USB ports and the use of all removable data storage devices, including CDs and flash drives.

Third-Party Risk Management. Review System and Organization Controls (SOC) or SSAE 18 reports for third-party vendors and other partners with access to confidential firm and customer data to ensure they have security controls commensurate with, or better than, the firm’s. All contracts should have provisions to enforce controls to protect data, including prompt notification of any changes to those controls and of vulnerabilities or breaches that may affect the firm.

Branch Controls. Ensure that branches apply and enforce relevant firm cybersecurity controls, which may include many of the controls identified in this list, as well as other relevant controls.

Policies and Procedures. Create policies and procedures that address each category of controls applicable to the firm, such as those identified in this list.


OCIE and FINRA Set Exam Priorities and FINRA Issues Cybersecurity Tips: Regulatory Update for February 2019

For Investment Advisers: SEC Actions

OCIE Announces 2019 Examination Priorities: The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (“OCIE”) released its 2019 exam priorities on December 20, 2018.  OCIE’s priorities haven’t changed much from 2018, and include topics addressed in the 2018 Risk Alerts and the feedback received from OCIE’s outreach program.  OCIE’s six “themes” for 2019 are:

  1. Protection of retail investors, including seniors and those saving for retirement;

  2. Compliance and risk management for firms responsible for critical market infrastructure, such as clearing firms, securities exchanges, transfer agents, and compliance with Regulation SCI, which requires written policies and procedures surrounding technology and systems infrastructure;

  3. Oversight of FINRA & MSRB and their operations, regulatory programs and examination quality;

  4. Scrutiny of broker-dealers, investment advisers, and trading platforms dealing with digital assets, including cryptocurrencies, coins, and tokens;

  5. Cybersecurity issues, focusing on advisory firms with multiple branch offices and firms that have merged with other RIAs.  OCIE continues to stress the importance of risk assessments, access rights, vendor management, training, and data loss prevention.

  6. Anti-Money Laundering Programs in broker-dealers, focusing on whether broker-dealers are filing Suspicious Activity Reports (SARs), independently testing their AML program and identifying suspicious and illegal activities.

As discussed in 2018 Risk Alerts, OCIE will continue to focus on disclosure of fees and expenses and conflicts of interest.  Unsurprisingly, the receipt of 12b-1 fees and mutual fund share class selection continue to be hot topics, along with arrangements with affiliated service providers.  A newer area of concern is securities-backed non-purpose loans and lines of credit.  OCIE will be reviewing the incentives received by advisers and broker-dealers for recommending these loans.  Financial exploitation of seniors is another area of concern, so firms should address this issue in their compliance programs.  Contributed by Heather Augustine, Senior Compliance Consultant

Regulatory Review 2018: HCC put together a list of the top regulatory hot buttons from 2018 to help you focus your compliance efforts in 2019.

11 Key Takeaways for Updating your Compliance Program in 2019: HCC put together a review of the regulatory landscape in 2018, with a list of 11 recommendations for updating your compliance program.

Investment Advisers Compliance to Do List for 2019: For investment advisers, private and hedge fund managers:  a handy list of regulatory deadlines for 2019 for updating your compliance calendar.

Form ADV Update deadline: Procrastinators beware!  Investment advisers with a fiscal year end of December 31 have until Sunday, March 31, 2019, to file the Form ADV update.  IARD will be open on March 31, from 10am-6pm Eastern Time.  Consequently, the deadline for filing an annual updating amendment will NOT be extended to Monday, April 1, 2019.

For Broker-Dealers:  FINRA Actions 

FINRA Provides Additional Guidance to Enhance your Cybersecurity Program:  FINRA’s Report on Selected Cybersecurity Practices – 2018 is a follow-up to its initial Report on Cybersecurity Practices, published in 2015.  FINRA’s 2018 report highlights effective practices used by member firms to address emerging cybersecurity threats.  It focuses on member firms’ primary challenges and the most frequent examination findings.  These topics include branch office controls, social engineering by hackers, identification and mitigation of internal threats, penetration testing and managing mobile devices.  The Report’s Appendix is a great resource that provides a list of core cybersecurity controls for small firms.  As you review your cybersecurity program in 2019, consult FINRA’s Cybersecurity page for additional resources that will help you strengthen your program.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

Broker-Dealer Compliance to Do List for 2019: For broker-dealers, a list of regulatory deadlines for 2018.

Broker-Dealer 2018 Regulatory Year in Review: A summary of 2018 rule changes, enforcement actions and regulatory developments for broker-dealers for 2018.

Broker-Dealers! Be Sure to Whitelist noreply@finra.org:  FINRA announced, through Firm Gateway, that it will begin sending Information Request email notifications to firms using Amazon Simple Email Service (SES).  To ensure you continue to receive FINRA’s notices regarding Information Requests, FINRA suggests that you work with your IT department/provider to whitelist the email address, noreply@finra.org.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

2019 Annual Entitlement User Accounts Certification Process:  This year, the certification window will open on April 22nd and end on June 21st.  FINRA will send a notification to the firm’s Super Account Administrator (SAA) to complete the certification through WebCRD/IARD.  Contributed by Rochelle Truzzi, Senior Compliance Consultant

FINRA 2019 Annual Risk Monitoring and Examination Priorities Letter:  On January 22, 2019, FINRA published its annual Examination Priorities Letter.  This year FINRA broadened the scope of its priorities letter to include specific areas of focus on risk monitoring.  As in prior years, the letter addresses specific examination topics but does not include many of the mainstay topics that have been repeatedly covered.  Stay tuned for our blog post on these priorities!  Contributed by Doug MacKinnon, Senior Compliance Consultant

For Hedge Fund Managers – NFA Member Firms  

NFA Members Need to Update Cybersecurity Programs: On January 7, 2019, the National Futures Association (“NFA”) amended its Interpretive Notice 9070 on Information Systems Security Programs (the “Cybersecurity Notice”).  The amendment states that NFA members are required to train their employees upon hiring and at least annually thereafter, and to identify the topics covered by the training program.  Members are also required to notify the NFA of cybersecurity incidents (1) resulting in a loss of capital, or a loss of customer or counterparty funds, and (2) if the NFA member is required to notify customers or counterparties under state or federal law.  The amendment also changed the approval requirements for a member’s Information System Security Program (ISSP).  The Cybersecurity Notice is effective on April 1, 2019.  Contributed by Jaqueline Hummel, Partner and Managing Director

CPOs Required to Implement Internal Controls:  The NFA issued Interpretive Notice “NFA Compliance Rule 2-9: CPO Internal Controls System” (the “Internal Controls Notice”), which requires Commodity Pool Operators (CPOs) to establish a system of internal controls designed to deter fraud, safeguard customer funds, and ensure the accuracy of financial reports.  The control system should also assure that the CPO complies with its regulatory requirements.  The Internal Controls Notice will be effective on April 1, 2019.  Contributed by Jaqueline Hummel, Partner and Managing Director

National Law Review: Some Thoughts on the Year in Privacy and Data Security Law

As we turn the page on 2018, let’s reflect on some of the key privacy and cybersecurity issues that will continue to occupy our hearts and minds in 2019.

The SEC Steps into Cybersecurity

2018 was the year in which the U.S. Securities and Exchange Commission squarely inserted itself into cybersecurity regulatory compliance.

In February 2018, the SEC released its first Commission-level Interpretive Guidance relating to public company disclosures of cybersecurity risks and incidents. Two key compliance takeaways are: (1) investor risk related to known cyber incidents must be fully and timely disclosed; and (2) public companies must police insider trading based on information related to undisclosed cyber incidents. Whether a cyber incident is material and requires disclosure will depend on a host of factors, including the nature, extent, and potential magnitude of the incident. This includes consideration of the type of compromised information (personally identifiable information, intellectual property or other confidential business information); the incident’s impact on operations; the harm to a company’s reputation, financial performance, customer/vendor relationships; and potential liabilities in civil litigation or regulatory enforcement actions. To avoid even the appearance of improper trading, companies “should consider whether and when it may be appropriate to implement restrictions on insider trading” during the investigation and assessment of significant cybersecurity incidents.

Just a month after issuing its Interpretive Guidance, the SEC penalized Yahoo $35 million for failing to timely disclose its data breaches. The cease and desist order was the SEC’s first against a public company for failing to disclose known cyber incidents in its public filings. From 2014-2016, the SEC alleged, Yahoo filed a number of reports and statements with the SEC that misled investors about Yahoo’s cybersecurity history. For instance, in its 2014-2016 annual and quarterly reports, the SEC found that Yahoo included risk factor disclosures stating that the company “faced the risk” of potential future data breaches, “without disclosing that a massive data breach had in fact already occurred.” Yahoo filed a July 2016 proxy statement relating to its proposed sale to Verizon that falsely denied knowledge of any such massive breach. It also filed a stock purchase agreement that it knew contained a material misrepresentation as to the non-existence of the data breaches.

Finally, in October 2018, the SEC released a “Report of Investigation” into whether nine public companies violated U.S. securities laws “by failing to have sufficient accounting controls” to prevent approximately $100 million in losses as a result of “business email compromises” (BECs) targeting their personnel. The Report was prompted by the SEC’s investigation. The nine companies were victimized by one of two variants of the BEC scheme—involving spoofed or compromised emails from a person purporting to be either a company executive or a vendor.

The SEC advised companies to “pay particular attention to the obligations imposed by Section 13(b)(2)(B) to devise and maintain internal accounting controls that reasonably safeguard company and, ultimately, investor assets from cyber-related frauds.” The SEC emphasized that these fraud schemes were widely successful because they used “technology to search for both weaknesses in policies and procedures and human vulnerabilities that rendered the control environment ineffective.” The victimized issuers had policies and procedures requiring different authorization levels for payments; management approval of outgoing wires; and verification of changes to vendor data. The critical flaw was in employee interpretation of these controls as capable of being satisfied solely through electronic communications—along with their failure to recognize obvious indications of fraud in the emails.
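The three controls the report names, and the flaw that defeated them, can be modelled directly. The following is an added example (not the SEC's text or any firm's code) that enforces authorization levels, management approval of wires and verification of vendor data changes in a way that cannot be satisfied by email alone; the channel names, the dual-approval threshold and the sample vendor data are constructed for illustration.

```python
# Added example, not from the SEC report or any issuer's systems. Names, channels,
# thresholds and sample data below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Channels that are just more messages from a possibly spoofed or compromised sender.
ELECTRONIC_MESSAGE_CHANNELS = {"email", "chat", "sms"}
# Channels that reach a person the firm already knows how to contact.
OUT_OF_BAND_CHANNELS = {"phone_callback", "in_person"}
DUAL_APPROVAL_THRESHOLD = 25_000  # constructed USD threshold for a second approver


@dataclass
class Vendor:
    name: str
    bank_account: str
    callback_phone: str  # number on file *before* any change request arrives


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    requested_via: str
    verified_via: Optional[str] = None         # how staff confirmed the change
    verified_with_phone: Optional[str] = None  # number actually dialled


@dataclass
class Approval:
    role: str     # "manager", "controller", ...
    channel: str  # where the approval was recorded


@dataclass
class WireRequest:
    vendor: str
    amount: float
    destination_account: str
    approvals: List[Approval] = field(default_factory=list)


def apply_bank_change(vendors: Dict[str, Vendor], req: BankChangeRequest) -> Tuple[bool, str]:
    """Verification of changes to vendor data: a reply to the requesting email is not
    verification; the callback must go to the number that was on file before the request."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor"
    if req.verified_via not in OUT_OF_BAND_CHANNELS:
        return False, "change not verified out of band"
    if req.verified_with_phone != vendor.callback_phone:
        return False, "callback did not use the phone number on file"
    vendor.bank_account = req.new_account
    return True, "vendor bank details updated"


def release_wire(vendors: Dict[str, Vendor], req: WireRequest) -> Tuple[bool, str]:
    """Authorization levels and management approval of outgoing wires: approvals that
    exist only as emails or chat messages are ignored, and large wires need two roles."""
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, "unknown vendor"
    if req.destination_account != vendor.bank_account:
        return False, "destination differs from account on file"
    recorded = {a.role for a in req.approvals if a.channel not in ELECTRONIC_MESSAGE_CHANNELS}
    if "manager" not in recorded:
        return False, "no management approval outside electronic messages"
    if req.amount >= DUAL_APPROVAL_THRESHOLD and len(recorded) < 2:
        return False, "large wire needs a second approver role"
    return True, "wire released"


def demo() -> Dict[str, bool]:
    """Run the two BEC variants from the report against the controls, plus a legitimate flow."""
    vendors = {"acme": Vendor("acme", "ACCT-ON-FILE", "+1-555-0100")}
    results: Dict[str, bool] = {}
    # Variant 1: spoofed vendor requests new bank details; staff "verify" by replying to the email.
    vendor_spoof = BankChangeRequest("acme", "ACCT-ATTACKER", "email", verified_via="email")
    results["vendor_spoof_rejected"] = not apply_bank_change(vendors, vendor_spoof)[0]
    # Variant 2: spoofed executive emails an urgent wire; the only approval is that email.
    exec_spoof = WireRequest("acme", 90_000, "ACCT-ON-FILE", [Approval("manager", "email")])
    results["exec_spoof_rejected"] = not release_wire(vendors, exec_spoof)[0]
    # Legitimate flow: callback to the number on file, then approvals recorded in the payment system.
    real_change = BankChangeRequest("acme", "ACCT-NEW", "email", "phone_callback", "+1-555-0100")
    results["real_change_applied"] = apply_bank_change(vendors, real_change)[0]
    real_wire = WireRequest("acme", 90_000, "ACCT-NEW",
                            [Approval("manager", "payment_system"),
                             Approval("controller", "payment_system")])
    results["real_wire_released"] = release_wire(vendors, real_wire)[0]
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```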

This report follows on the heels of a July 2018 FBI Public Service Announcement that it had tracked more than 78,000 BECs—totaling more than $12.5 billion in fraud losses—since October 2013. The FBI has identified more than 41,000 BEC victims in the United States—with more than $3 billion in fraud losses since 2013, and $1.6 billion in fraud losses since May 2016.

States Continue to Expand Data Security Laws

Last year saw the creation and significant expansion of data security laws in state houses across the country. The new laws fall into two primary categories: (1) statutory requirements that all organizations must create and implement reasonable cybersecurity programs to protect personal information; and (2) more expansive data breach notification laws.

Data Security Laws

At least twenty states have adopted broadly applicable “data security” statutes that require virtually all organizations that collect or possess personal information to maintain reasonable cybersecurity programs. Delaware’s new law is a good example. It requires “[a]ny person” conducting business and owning, licensing, or maintaining personal information to implement reasonable security measures “to prevent the unauthorized acquisition, use, modification, disclosure, or destruction of personal information collected or maintained in the regular course of business.” Other states – such as Alabama – enacted “data security” laws that are much more prescriptive, listing factors to be considered in assessing ‘reasonableness.’

Data Breach Notification Laws

At least thirty-one states considered data breach legislation in 2018. With new legislation in South Dakota and Alabama, all fifty states now have data breach notification laws. The biggest changes in 2018 included broad expansions of the definition of protected “personal information;” specified timeframes for notification to consumers and state attorneys general; mandatory credit monitoring for certain types of breaches; and disclosure and investigative cooperation requirements imposed upon third party service providers.

A Landmark Mobile Privacy Decision

The Supreme Court’s 2018 decision in Carpenter v. United States establishes broad digital privacy rights that are sure to extend beyond law enforcement investigations and locational information. The decision significantly expands the Court’s dominant theme of this decade that “digital is different” when it comes to modern privacy law.

The decision itself holds that the Fourth Amendment requires the government to secure a search warrant to obtain a person’s historical cell site location information from a cellular service provider. That undersells its import though. Carpenter remakes the foundational legal principles governing privacy in data shared between device users and their service providers.

It’s how the Court got to that holding that is so groundbreaking. First, the Court declared that “[i]ndividuals have a reasonable expectation of privacy in the whole of their physical movements.” The Court characterized the cell site location information at issue as “detailed, encyclopedic, and effortlessly compiled” – allowing the government (and the service providers) to conduct “near perfect surveillance” on users. Second, this “reasonable expectation of privacy” is not defeated simply because each device constantly shares its location with cellular service providers. Data that must be shared for the proper functioning of technology services does not lose its privacy protection simply because it is possessed by and compiled in the business records of third parties. The spark of this reasoning is sure to spread quickly across the digital legal landscape in 2019 and beyond.

California Continues Pushing the U.S. Forward

California has repeatedly been at the epicenter of privacy and data security legislation in the United States, perhaps most notably by being the first state to enact a breach notification statute. This past year, California once again broke new legislative ground by enacting the California Consumer Privacy Act of 2018 (“CCPA”) and legislation directed at securing IoT devices.

If you are reading this blog post, there is very little chance that you are unfamiliar with the CCPA, such that there is no point in summarizing its provisions. In fact, if we could jump forward five years, the CCPA’s significance will likely not merely be what businesses will need to undertake in 2019 to drive compliance, but rather it will be as a harbinger for the enactment of other privacy-related legislation in this country. One can readily envision that the CCPA will lead either to the enactment of federal privacy legislation or to more state laws directed at privacy. It is not hyperbole to say that how this unfolds in 2019 will set the course for privacy legislation in this country for years to come.

Similarly, California’s enactment of first-in-the-nation legislation directed at IoT device security is significant not just for what the legislation says, but also for what it signals will happen in the coming years. If you have tracked the IoT marketplace, you have heard the projections about the rapid expansion in the number of IoT devices in the next five years. But, at the same time, manufacturers have little incentive to build information security and privacy into those devices. Most commentators seem to agree that this will have to change but it is anyone’s guess as to how. Will industry self-regulate? Will the European Union lead the charge? Will plaintiffs’ lawyers find success in bringing class actions against IoT device manufacturers? Will the federal government pass legislation?

The California legislation offers one potential answer, which is that states will begin to legislate in this field. Indeed, California’s legislation – which originated as a botnet prevention measure – focuses only on a small aspect of IoT device security, namely, passwords. There is fertile ground for states to take up other issues such as requiring manufacturers to provide devices that do not have existing security flaws and requiring manufacturers to provide security patches.

Advisor Armor Opinion: Crackdown showdown: Serious cybersecurity enforcement is coming in 2019, but are advisers ready?

When clients ask what advisers are doing to protect their data, only the firms that can give a satisfying answer will build trust with investors

Advisor Armor Opinion

As the most tenured and largest provider of cyber security compliance in financial services, our empirical evidence indicates ZERO correlation between information technology spending and technical controls with data security failures and successful compliance examinations.

Governance procedures and technical controls must be reasonably tailored to conducted assessments.  Commonality certainly exists but one size does not fit all and controls must change to model current risks.

Jan 12, 2019 @ 6:00 am By Ryan W. Neal 

After spending most of a decade offering guidance and stern warnings, regulators are ready to put enforcement muscle behind cyber security rules.

A flurry of activity in 2018 at federal and state levels has many legal and security experts expecting 2019 to be a watershed year for holding firms accountable for clients' digital data. Penalties are coming for advisory firms that don't do enough to prevent a data breach or don't respond to a breach effectively.

The Securities and Exchange Commission is leading the charge. The agency took several actions in 2018 that should alert every adviser that any grace period in adopting data security controls has expired.

"The honeymoon phase is over," said Askari Foy, managing director of ACA Aponix's global regulatory cyber security practice and a former SEC associate director. "As they identify issues, they're less likely to be friendly, for lack of a better word. They tend to roll up their sleeves and really dig into the issues, particularly if they smell blood or sense potential harm to investors." 

Voya troubles

No alarm rings louder than the SEC's Sept. 26, 2018, announcement that Voya Financial Advisors would pay $1 million to settle charges relating to a 2016 scam that compromised the personal information of thousands of customers. It was the first time the SEC enforced its "identity theft red flags rule," which has been on the books since 2013.

Even though Voya had a cyber security policy in place and responded to the breach within a matter of hours, it wasn't good enough for the SEC. The regulator said Voya's cyber security policies and procedures were out of date and failed to do enough to ensure they applied to the entire workforce of financial advisers.

This issue of scant policies or ineffective effort is common throughout the industry and it's exactly what the SEC wants to eliminate. For many advisers, cyber security is just another compliance procedure — put a policy in place, do some basic training, check off the box and move on to more pressing business issues.

"Firms have cyber security policies, they get one from an attorney or compliance firm. The policy looks great, but it doesn't actually reconcile to reality in any way," said Sid Yenamandra, CEO and co-founder of cyber security firm Entreda.

For example, the policy may say advisers can only access the firm's network using a secure connection such as a virtual private network, but there are no checks that the policy is actually followed, he said.

Entreda's experts, who have provided data protection software and training services to thousands of advisers, see a lot of lip service paid to cyber security.

"People talk about having a good cyber security policy, but who is actually implementing it? Our view on this entire issue is we tend to see there is a false sense of security that a lot of firms have," Mr. Yenamandra said.

These firms are more vulnerable to an attack, and this year they also could face stiff fines and censure. Regulators' gloves are off, and they are ready to crack down.

Advisor Armor risk assessments and profiles create suitable policies and procedures which describe how firms manage and care for valuable information.  These policies are then tested and maintained by Penetration Testing, Endpoint Security Audits and Employee Awareness Training and Testing.  Our Assurance Service certifies and attests to the implementation of the described policies and procedures.

2018 warnings to heed

When the SEC first developed regulations regarding email communications, it gave firms a few years to acclimate to the new rules and get programs in place. As guidance became more detailed and rules more specific over time, that's when sanctions started coming. Regulators are following a similar pattern with cyber security, said Kim Peretti, co-chair of law firm Alston & Bird's national security and digital crimes practice and its cyber security preparedness and response team.

"Investment advisers and broker-dealers of all sizes may be under scrutiny and should expect more enforcement actions moving forward," she said. "For registered investment advisers and broker-dealers, the primary implication of this focus is that the SEC will continue to expect more mature cyber security programs that adapt to the changing threat environment and appropriately manage and communicate risks to investors."

The agency last year named cyber security as a priority in its examinations of investment advisers and brokers; asked Congress for an additional $52 million to expand personnel, including four people dedicated to cyber security; and issued new guidance on public companies' obligations to disclose cyber security risks and incidents, updating its previous guidance issued in 2011.

The SEC published a report last year detailing an investigation of nine undisclosed public companies that fell victim to cyberfraud and collectively lost nearly $100 million. Though no charges were filed, the report served as a stern warning to consider cyber security when implementing internal account controls and specified the exact rule — Section 13(b)(2)(B) of the Securities Exchange Act of 1934 — that holds firms accountable.

It isn't just the SEC getting tougher with cyber security. In August, the Financial Industry Regulatory Authority Inc. censured and fined a small broker-dealer $50,000 for having inadequate procedures for preventing hackers from transferring money from client accounts. In December, the self-regulatory organization updated its 2015 report on cyber security best practices for broker-dealers.

State regulators are making their own rules. Since New York issued rules requiring financial institutions to establish cyber security programs, the number of bills and proposals addressing cyber security at the state level has continued to grow. According to the National Conference of State Legislatures, 265 bills were introduced in 2018, up from 240 bills in 2017 and 104 in 2016. As of Nov. 6 (the latest data available), 52 of the bills proposed last year became law.

Advisor Armor Coverage models current state consumer data security protection expectations for all states, including those recently instituted by New York, California, Oregon, Massachusetts, Florida, etc.

The increased activity provides a window into where regulators are focusing their energy and what future enforcement actions might involve.

For example, the SEC's February guidance on disclosure obligations and subsequent charges against Yahoo — $35 million for failing to disclose a cyber security breach — show how seriously the regulator wants firms to report data breaches. According to the New York Times, only 24 public companies (across all industries) reported breaches to the SEC in 2017, but researchers believe more than 4,000 breaches occurred.

The Voya charges reveal another common weakness, specifically for financial advisers. It's not enough to just have a cyber security plan in place. Regulators want to see firms continually testing, reviewing and updating cyber security policies and procedures to ensure they remain effective as threats evolve.

Business email

Another area of focus, as evidenced by the SEC's investigative report and Finra's updated best practices, is compromised business emails — an increasingly popular attack method in which hackers pose as corporate executives or third-party vendors and use emails to trick other employees.

"There's been an increasing focus on the nexus between cyberintrusion and cyberfraud," Ms. Peretti said.

Preventing harm due to phishing scams requires that firms address human susceptibility to such scams in addition to the technology element itself, she said.

Finally, the Voya breach was caused by hackers impersonating an independent adviser and using the custodian's support line to reset passwords and gain access to the system, illustrating the vulnerability from third parties.

Regulators want advisers to have an inventory of everyone who can access their data, including both third-party technology vendors and independent contractors.

Advisor Armor provides Email Enticement (Phishing) Testing and Training.  Thousands of customized phishing emails, consistent with and relevant to financial services, provide a realistic challenge that builds practical resistance to the single largest intrusion threat facing financial firms today.

Where advisers can improve

The good news is that the financial services industry has done a pretty good job of adapting to new cyber security requirements, at least in comparison to other industries like retail, said Robert Cattanach, partner at law firm Dorsey & Whitney. 

Where it's most often falling apart is with the smaller registered investment advisers and broker-dealers.

"Modest-sized companies lack the resources to really make good on their paper policies," Mr. Cattanach said. "Someone can gin up the right-sounding IT governance policies and procedures. But it's a whole additional step to make sure they are followed."

At smaller firms, there can be a sense of fatigue and helplessness when it comes to cyber security, because even the largest companies get hacked.

"There is this general feeling of, 'Holy cow, how can I, this little RIA out here, protect [against a breach] if these large institutions can't?'" said Wes Stallman, provider of cloud-based cyber security for advisers. "I do think that causes some frustration."

Experts said the adviser mindset should not be fixed on trying to safeguard data 100% because, with attacks always evolving, it's less of a matter of "if" and more of "when" there's a breach.

Regulators understand this, and really just want firms to have checks and balances in place to ensure they are doing the best they can to prevent breaches. More importantly, regulators want firms to have an up-to-date and battle-tested plan for an effective and timely response to a breach.

Advisor Armor has managed hundreds of client data security incidents over the past 3 years.  Our history with Red Flags/Identity Theft allows us to efficiently navigate the murky regulatory requirements for physical and electronic breaches.  And our incident response coverage satisfies the regulator requirement for tested procedures.

Finra's December update to its best practices includes a new appendix to help small firms adopt and implement cyber security controls. When used alongside Finra's previously released small firm cyber security checklist, it should give smaller advisers an effective guide to remaining compliant.

The bigger challenge is how to get all financial advisers to move beyond the lip service and actually realize that cyber security is something more important than another compliance chore. The key to that may lie in thinking of cyber security as a competitive advantage, Mr. Yenamandra said.

Clients are going to increasingly ask what advisers are doing to protect data, and firms that can give a satisfying answer will build trust with investors.

"Cyber security needs to be viewed as not only an operational risk but also a strategic function," he said.


Cyber Insurance Primer

Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But, a substantial portion of organizations don’t carry coverage for data breaches despite numerous high profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.

24%: Percentage of companies that had cyber-insurance.[1]

64%: Percentage of companies that believed their exposure to cyber risk would increase in the next 24 months.[2]

43%: Percentage of companies that did not plan to purchase cyber insurance in the next 24 months.[3]

Why is buying cyber insurance difficult?

  1. There is little standardization among competing policies; as a result it is hard to comparison shop.

  2. Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.

  3. Policies often cover security but not privacy risks.

Items to review when shopping for cyber insurance:

  1. Do the sub-limits on coverage match the corresponding risks?

  2. Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?

  3. Do exclusions prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?

  4. Is voluntary notification of affected consumers covered?

  5. Will credit monitoring for affected consumers be covered?

  6. Who does the insurer have on panel for legal representation, forensic investigations, and/or crisis management?

2019 Examination Priorities of SEC Office of Compliance Inspections and Examinations are Announced

Next year’s examination priorities of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission were announced on December 20, 2018, and cover six broad, albeit non-exhaustive, topics.[1]

  • Matters of importance for retail investors, including seniors and those saving for retirement;

  • Compliance and risks in registrants responsible for critical market infrastructure;

  • Matters related to the Financial Industry Regulatory Authority and Municipal Securities Rulemaking Board;

  • Digital assets, including cryptocurrencies, coins and tokens (a newly-added priority);

  • Cybersecurity; and

  • Anti-money laundering (AML) programs.

Many of the six broad topics remain the same as those included in the 2018 OCIE Examination Priorities. It is important to note, however, that the OCIE leadership team specifically indicated that the 2019 priorities reflect meaningful changes from the prior year, particularly as new risks have emerged and existing risks were either heightened or mitigated.

Retail Investors, including Seniors and those Saving for Retirement

The first identified priority is the protection of retail investors. OCIE emphasizes the following areas of focus, most of which continue and/or expand upon existing examination priorities:

  • Fees and Expenses: Disclosure of the Costs of Investing;

  • Conflicts of Interest;

  • Senior Investors, and Retirement Accounts and Products;

  • Portfolio Management and Trading;

  • Never-Before- or Not-Recently-Examined Investment Advisers;

  • Mutual Funds and Exchange-Traded Funds;

  • Municipal Advisors;

  • Broker-Dealers Entrusted with Customer Assets; and

  • Microcap Securities.

Compliance and Risk in Registrants Responsible for Critical Infrastructure

The second identified priority is compliance and risks in critical infrastructure. In this area, OCIE will continue to focus examinations on:

  • “Systemically Important” Clearing Agencies;

  • Entities Subject to Regulation Systems Compliance and Integrity (Regulation SCI), including the effectiveness of the implementation of such entities’ compliance policies and procedures;

  • Transfer Agents, including “transfers, recordkeeping” and asset safeguarding; and

  • National Securities Exchanges, including exchanges’ internal audit and surveillance programs as well as funding for regulatory programs.

Focus on FINRA and MSRB

OCIE will continue to examine: (1) FINRA’s operations and regulatory programs and the quality of its examinations of broker-dealers; and (2) the effectiveness of particular MSRB operational and internal policies, procedures and controls.

Digital Assets

New to OCIE’s priorities is a focus on the examination of participants in the digital asset market (including broker-dealers, trading platforms, and investment advisers) and the associated risks presented by that market to retail investors. As part of its entry into examining the digital assets space, OCIE intends to “identify market participants offering, selling, trading, and managing these products or considering or actively seeking to offer these products and then assess the extent of their activities.” For those firms that are identified as “actively seeking” to offer digital assets, OCIE examinations will then focus on, among other things, “portfolio management of digital assets, trading, safety of client funds and assets, pricing of client portfolios, compliance, and internal controls.”

Cybersecurity

Cybersecurity will continue to be a focus of each OCIE examination program, especially registrants’ “policies and procedures related to retail trading information security” and, with respect to investment advisers, cybersecurity practices of advisers with multiple branch offices.

Anti-Money Laundering Programs

OCIE notes that examiners will continue to prioritize broker-dealer compliance with applicable AML requirements, including proper filing of suspicious activity reports and robust and independent testing of their AML programs.

Conclusion

While the priorities indicate where OCIE intends to focus resources in the coming year, registrants should not expect examinations to be limited to the issues highlighted above. It is important to note that the 2019 OCIE priorities not only reflect Chairman Jay Clayton’s prior emphasis on Main Street investors, technological changes and cybersecurity, but also continue to reflect a considerable degree of continuity with the priorities of the SEC under prior Chair Mary Jo White. With this in mind, firms may want to review their policies and procedures and conduct internal compliance reviews.

Finra updates cybersecurity best practices report

Though brokers say cybersecurity is one of their top priorities, the Financial Industry Regulatory Authority Inc. says it still sees a lot of problematic practices at firms.

To help them improve, Finra on Thursday updated a 2015 report on cybersecurity that details best practices for broker-dealers.

The "Report on Selected Cybersecurity Practices – 2018" covers five topics addressing the evolving threat of cybercrime and the most frequent findings from its examination program.

"Securities firms rate cybersecurity as one of their top operational risks, and our new report addresses areas that firms tend to find most challenging," David Kelley, surveillance director of member supervision in Finra's Kansas City office, said in a statement.

The topics include cybersecurity controls in branch offices; methods of limiting "phishing" attacks; identifying and mitigating insider threats; elements of a strong penetration-testing program; and establishing and maintaining controls on mobile devices.

The report addresses several critical issues firms are often unfamiliar with, said Bart McDonough, CEO and founder of Agio, a hybrid cybersecurity and managed IT firm. For example, Finra describes the best way of contacting the FBI in the event of a breach.

However, Mr. McDonough said the report could have been presented more simply to increase understanding, especially for firms that don't have a cybersecurity expert who can decipher technical language.

"The report misses an opportunity to highlight the critical need for threat intelligence, where firms have insight into what's happening at other, similar companies," Mr. McDonough said in an email.

"Another shortcoming of the report is that it buries the importance of executive leadership and management support in the middle of the analysis. That has to be a starting point and a tone-setter for the entire firm."

The updated report goes into greater depth and detail than the 2015 report. Finra describes more than 30 specific practices for branch controls that cover written supervisory procedures, asset inventories, technical controls and branch review programs.

Mark Brown, president of cybersecurity compliance firm Advisor Armor, said firms with a "hub and spoke" structure are of particular interest to Finra and the Securities and Exchange Commission, and the additional detail on branch office cybersecurity isn't surprising.

"Finra and [broker/dealers] have been late to this, and registered reps are in a tug of war over who pays for it," Mr. Brown said in an email. "But in the end, the right controls, evidence and auditing of cybersecurity need to be in place."

Finra also highlights how firms can detect phishing attacks, even if they appear to come from trusted sources.

The report includes an appendix covering core cybersecurity controls for small firms, which, in addition to the "Small Firm Cybersecurity Checklist," can help smaller businesses identify possible cybersecurity controls.

"There is no 'one-size-fits-all' approach to cybersecurity, so Finra has made a priority of providing firms with reports and other tools to help them determine the right set of practices for their individual business," said Steven Polansky, senior director of member supervision in Finra's Washington office.

Shan Dagli, head of intermediary solutions at Envision, an IT provider, suspects the increased guidance means Finra's 2018 exams revealed a wide disparity in what firms were doing from a cybersecurity standpoint.

"So Finra is taking it upon themselves to provide more guidance," Mr. Dagli said. "With increased guidance, it could lead to more scrutiny. Or it could simply be a manner of wanting to provide clearer guidance/best practices."

For the Average Hacker, Your Small Business Is an Ideal Target

Headlines are full of cybersecurity breaches, and big businesses like Google and Facebook are some of the latest to fall victim to outside attacks. A vulnerability in Google+ is at least partially responsible for the company’s decision to shut down the platform for good, and a recent breach of Facebook’s network security may have compromised the personal information of almost 50 million users.

Of course, for such enormous companies, a breach is an embarrassing blip on the radar. Google is mostly terminating its social platform because no one uses it (the company reported that 90 percent of user sessions last less than five seconds), and even the notorious Cambridge Analytica scandal cost Facebook a mere $644,000 in fines imposed by British regulators -- peanuts for a company bringing in almost $100,000 in revenue every minute. But what would a $600,000 fine do to your small business?

5 Must-Read Resources for Compliance and IT Leaders in Investment Firms

Regulated investment firms use the web to gather market intelligence, to access data aggregation tools and business apps, and to communicate via webmail and social media.

While many (if not most) business functions have shifted to the web and cloud apps, including IT security, the primary tool used by research analysts and investment managers remains stuck in IT’s past: the locally installed browser. A holdover from the 1990s, the local browser’s inherent weaknesses make it notoriously difficult to manage, monitor, and secure against web-borne exploits.

This has created a growing compliance blindspot for buy-side and sell-side firms. At the same time, the pressure from federal and state regulators is steadily increasing. Registered investment advisers are one example. By subjecting 17% of firms to OCIE examinations in FY 2018, the SEC already exceeded its own ambitious goal (15%) in this group alone for this year.

Chief Compliance Officers, CISOs and CTOs in the industry have been put on notice. One simple page view request on an infected website can result in malware or spyware spreading through the firm’s network, resulting in data breaches and financial and reputational damages. One post on a social media platform or in a chat room may invite the scrutiny of regulators.

How can firms ensure oversight and governance when team members go online? In this post, we highlight surveys, reports and whitepapers that provide useful facts and actionable insights to help practitioners answer this question:

*

1) SEC Enforcement: More Pressure for Investment Firms

The Securities and Exchange Commission’s Enforcement Division has published the FY 2018 Annual Report of its ongoing efforts to protect investors and market integrity.

The report presents the activities of the division from both a qualitative and quantitative perspective. In FY 2018, the SEC continued to bring enforcement actions relating to a wide variety of market manipulations, misconduct and compliance violations. It obtained judgments and orders totaling more than $3.945 billion in disgorgement and penalties.

Policing “Cyber-Related” Misconduct

The report also documents the Division’s increasing focus on misconduct in the digital realm. In FY 2018, the SEC brought 20 standalone cyber-related cases, including cases involving ICOs and digital assets. At the end of the fiscal year, more than 225 cyber-related investigations were underway. 2018 saw the SEC’s first enforcement action charging violations of Regulation S-ID, known as the Identity Theft Red Flags Rule, which is designed to protect customers from the risk of identity theft.

While an agency-wide hiring freeze in place since late 2016 has led to a 10% staff reduction, this does not appear to have resulted in less pressure on regulated securities investment firms. The Division’s annual report documents significant continued enforcement-related activity.

From a compliance perspective, one item in the “Other Noteworthy [Enforcement] Actions” section of the report may deserve more attention than it received so far: it points to “13 registered investment advisers who repeatedly failed to provide required information that the agency uses to monitor risk.”

Our Take:

When regulators request such information from entities under investigation, disparate data sources and a lack of compliance-ready IT tools may prevent firms from “promptly producing” (SEC lingo) the data and documents. The use of local browsers, in particular, can become an audit impediment, because it prevents a unified view into a firm’s activities on the web, for example when team members post on social media or pull research data from third-party aggregators.

A compliance-ready browser built in the cloud, provided as a service offsite and centrally managed by IT, removes such hurdles. With Silo, the cloud browser, all user actions are logged and encrypted, to facilitate at-a-glance compliance reviews and post-issue remediation.

Read / download:

Division of Enforcement of the U.S. Securities and Exchange Commission: Annual Report 2018 [PDF]

*

2) Vigilant Regulators, Weak Policy Implementation

In November, international law firm Proskauer Rose LLP released its 2018 Proskauer Annual Review and 2019 Outlook for Hedge Funds, Private Equity Funds and Other Private Funds.

The yearly report provides a summary of significant regulatory changes and developments that occurred in the past year in the private equity and hedge funds space. It also includes an overview of SEC examination priorities and enforcement developments impacting the private funds industry.

“SEC’s Enforcement Program Remains Robust”

The SEC brought 821 enforcement actions in 2018, “the second highest total ever,” the authors point out. This included more than 100 enforcement actions involving advisers and investment companies, a 32% increase from 2017 and the second largest category of actions brought by the SEC in 2018.

Noteworthy in particular from the compliance and IT perspective is the extensive review in this report of a $1 million settlement with the SEC by broker-dealer and adviser Voya Financial Advisors (VFA). Following a data breach that compromised the personal information of 5,600 customers, the SEC had alleged failures in the firm’s cybersecurity policies and procedures.

The firm had over a dozen policies and procedures in place governing cybersecurity, the Proskauer report explains. It lays out in detail why “[t]he SEC found that these policies were not reasonably designed to apply to the systems that independent contractors used.”