Top 10 Cybersecurity Tips for Small Businesses
Cyber threats are an increasing problem for small- and medium-sized businesses, especially with the major shift to remote work due to COVID-19. Some notable data breaches, such as Equifax in 2017 and more recent ones like the ransomware attack that hit German tech firm Software AG in October 2020, resulted in customers losing trust in the company.
New SEC Guidance on Compliance Responsibilities of Fund Managers and Chief Compliance Officers
On Nov. 19, 2020, the SEC’s Office of Compliance Inspections and Examinations and its director provided unprecedented guidance with respect to the responsibilities of private fund managers and their chief compliance officers. The public guidance, which is consistent with comments we have observed from OCIE examination staff, identifies numerous strengths and weaknesses of the compliance programs of SEC-registered investment advisers. Private fund managers and their CCOs should evaluate their compliance programs in light of this guidance.
SEC Alert Flags 'Multi-Branch' Risks
Examiners observed that the branch office model “may pose certain risk factors.”
The Securities and Exchange Commission’s exam division flagged on Monday deficiencies the agency has seen in advisors that operate from numerous branch offices — including violations of the custody and compliance rules as well as in providing investment advice and in advertising.
Cyberattacks Soar During the Pandemic – How Regulators Responded
Cyberattacks have become so common that it is no longer a question of if a broker-dealer, investment advisory firm or financial institution (collectively, “financial firms”) will suffer an attack, but when an attack will occur. In my 19 years as a trial attorney focused on securities and business disputes, I can confidently say that there’s always room for proactive strategies that anticipate negative events. As financial firms rely more on online and out-of-office platforms and services, especially during the COVID-19 pandemic, the likelihood increases that proprietary and confidential, nonpublic customer information (“NPI”) is stolen, deleted or ransomed. Financial firms need to understand the different cyber threats and the defensive measures to protect against attacks.
FINRA Releases Information Notice on Cybersecurity Authentication Methods and Releases Regulatory Notice on Revised NAC Sanction Guidelines
On October 15, the Financial Industry Regulatory Authority (FINRA) released an information notice (Notice) providing additional background on authentication techniques for firms to consider as they implement cybersecurity authentication programs.
Added Reason to Be Aware of the New York State Department of Financial Services Cybersecurity Regulations
All businesses operating in New York under a license, registration, charter, certificate, permit or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law must comply with the DFS Regulations. A full list of businesses supervised by DFS can be found here.
The SHIELD Act does not mandate specific safeguards, but it provides several examples of practices that are considered reasonable administrative, technical, and physical safeguards. These examples suggest the kinds of safeguards businesses should be adopting, but they are not the only safeguards companies should be adopting.
Fake FINRA Survey Is a Phishing Scam, Regulator Warns BDs
The email scam is the latest of several attempts to illicitly gather data by impersonating FINRA or registered reps. The Financial Industry Regulatory Authority is warning member firms to avoid a phishing email that is requesting broker-dealers to fill out a fraudulent FINRA study.
SEC Issues New Risk Alert on “Credential Stuffing” Attacks
On September 15, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert highlighting the recent uptick in “credential stuffing” cyber-attacks against SEC-registered investment advisors and broker dealers.
Credential stuffing is an automated cyber-attack on Internet-based user accounts and firm networks. Attackers obtain usernames and passwords from the dark web and then employ automated scripts utilizing the compromised information to attempt to log in and gain unauthorized access to other customer accounts and firm networks. Credential stuffing has proven to be a more effective way for hackers to gain access to accounts and firm systems than traditional brute force password attacks have been. If the credential stuffing attack is successful, attackers can gain access to and control over customer assets and confidential information.
Should your Business have a Work from Home Cybersecurity Policy?
Work from home organizations all over the world have been polishing their strategies to enable their employees to work from remote locations at whatever time they like.
Adviser cybersecurity programs getting stronger - U.S. industry survey
Investment advisers are enhancing their cybersecurity programs by implementing formal protection plans, taking out insurance, and stepping up security assessments, an influential industry survey has found.