The Year Ahead: Privacy and Cybersecurity Issues Facing Financial Institutions in 2021
The financial services industry faced unprecedented cybersecurity and privacy challenges in 2020. From learning how to operate with a remote workforce, dealing with a complex and evolving regulatory environment, facing an exponential rise in the number and sophistication of cyberattacks – particularly ransomware attacks and the significant and still unfolding breach of the federal government – and navigating COVID-19 issues, the cyber resilience of financial institutions was tested to its limits.
Cyber Security Threats: Top Five Priorities Advisors Should Know
The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently alerted investment professionals about many of the common lapses it observed when conducting thousands of cybersecurity exams. The report warned that hackers are in fact becoming more aggressive and sophisticated — and in some cases backed by substantial resources and nation-state actors.
To help educate independent advisers, asset managers, investment firms, boards, and prospects about the importance of protecting confidential client data, here is a checklist of the top five things professionals in the financial industry should consider when setting priorities.
NASAA Adopts Rule for Investment Advisors
The North American Securities Administrators Association said Monday that its membership has voted to adopt a model rule setting parameters on how to implement a continuing education program for investment adviser representatives (IARs) in their jurisdictions.
Financial Services Employers Face Significant Increase In Cybersecurity Threats
Employers in the financial services sector are facing an unprecedented number of cybersecurity attacks during the pandemic crisis. To put this in perspective, the Financial Industry Regulatory Authority (FINRA) has issued nine notices regarding the ongoing and widespread cybersecurity threats facing the industry since the COVID-19 pandemic began – and only issued seven cybersecurity notices in the 14 years before the pandemic. What do financial services employers need to know about this development, and what can you do to minimize your chances of falling victim to such an attack?
SEC's OCIE Publishes Risk Alert Providing Its Observations of Investment Adviser Compliance Programs
Compliance is a key issue for all firms. Many companies use the U.S. sentencing guidelines as a starting point. In other instances, regulators craft a starting point with rules that direct the creation of programs. This is true, for example, for investment advisers registered with the Commission. In either case, the critical point is to craft the policies and procedures so that they effectively monitor the business and evolve with it.
OCIE – the SEC’s Office of Compliance Inspections and Examinations – published a Risk Alert, “OCIE Observations: Investment Adviser Compliance Programs,” on November 19, 2020, discussing key issues for registered investment advisers. The Alert provides a good discussion of key issues in crafting and maintaining an effective compliance program.
Top 10 Cybersecurity Tips for Small Businesses
Cyber threats are an increasing problem for small- and medium-sized businesses, especially with the major shift to remote work due to COVID-19. Some notable data breaches, such as Equifax in 2017 and, more recently, the ransomware attack that hit German tech firm Software AG in October 2020, have resulted in customers losing trust in the company.
New SEC Guidance on Compliance Responsibilities of Fund Managers and Chief Compliance Officers
On Nov. 19, 2020, the SEC’s Office of Compliance Inspections and Examinations and its director provided unprecedented guidance with respect to the responsibilities of private fund managers and their chief compliance officers. The public guidance, which is consistent with comments we have observed from OCIE examination staff, identifies numerous strengths and weaknesses of the compliance programs of SEC-registered investment advisers. Private fund managers and their CCOs should evaluate their compliance programs in light of this guidance.
SEC Alert Flags 'Multi-Branch' Risks
Examiners observed that the branch office model “may pose certain risk factors.”
The Securities and Exchange Commission’s exam division flagged on Monday deficiencies the agency has seen in advisors that operate from numerous branch offices — including violations of the custody and compliance rules as well as in providing investment advice and in advertising.
Cyberattacks Soar During the Pandemic – How Regulators Responded
Cyberattacks have become so common that it is no longer a question of if a broker-dealer, investment advisory firm or financial institution (collectively, “financial firms”) will suffer an attack, but when an attack will occur. In my 19 years as a trial attorney focused on securities and business disputes, I can confidently say that there’s always room for proactive strategies that anticipate negative events. As financial firms rely more on online and out-of-office platforms and services, especially during the COVID-19 pandemic, the likelihood increases that proprietary and confidential, nonpublic customer information (“NPI”) is stolen, deleted or ransomed. Financial firms need to understand the different cyber threats and the defensive measures to protect against attacks.
FINRA Releases Information Notice on Cybersecurity Authentication Methods and Releases Regulatory Notice on Revised NAC Sanction Guidelines
On October 15, the Financial Industry Regulatory Authority (FINRA) released an information notice (Notice) providing additional background on authentication techniques for firms to consider as they implement cybersecurity authentication programs.