Registered investment advisers that rely on independent investment adviser representatives (IARs), operating their own offices, face unique supervision challenges. The SEC’s administrative action against Horter Investment Management, LLC (“Horter”) and its principal illustrates the worst-case scenario. The firm, based in Cincinnati, primarily hired IARs with remote offices.

In our first article to kick off Cybersecurity Awareness Month, we will discuss some steps businesses can take to improve their cyber hygiene. Over the past few years, some of the largest and well-known companies have been affected by data breaches resulting in millions of dollars in losses. Smaller businesses are not immune from data breaches, and even a small data breach impacting only a few thousand records can expose a business to significant losses and reputational damage that may have a devastating impact on its ability to function. Various attack methods can be used against businesses to obtain sensitive data or access funds through fraud. Some common attack methods are compromised credentials, social engineering attacks such as phishing, vishing, and smishing, business email compromise scams, ransomware, and vulnerabilities in third-party software. While no business can expect to be 100% safe, here are some basic practices businesses can implement to improve their cyber hygiene.

Overall, it is likely that states will continue to emphasize the importance of cybersecurity programs. Some laws could encourage stronger cybersecurity by providing an affirmative defense. Others could mandate certain cybersecurity practices without affording an explicit affirmative defense. No matter the specifics of a statute or even in the absence of a statute, companies will be well-served to implement an industry-recognized cybersecurity framework. Not only will the frameworks likely reduce the frequency or severity of data breaches, but they may also improve a company’s defense against alleged liability in the event a data breach does occur.

Connecticut’s new cybersecurity standards law, which goes into effect on October 1, 2021, protects companies from punitive damages in certain data breach actions where an organization has a cybersecurity program that conforms with an enumerated “industry-recognized cybersecurity framework.” It is the latest in a series of U.S. state efforts to incentivize companies to demonstrate that their cybersecurity programs are aligned with recognized frameworks and thus meet a reasonable standard of care.

It’s not enough to vet third-party technology providers when bringing them onboard because the due diligence evaluation should be ongoing, according to Ben Mathis, chief information officer at Carson Group.

ADVISOR ARMOR COVERAGE INCLUDES UNLIMITED THIRD PARTY CYBERSECURITY VETTING & MONITORING

On multiple fronts, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) continue to increase their focus on cybersecurity. This is understandable as headlines of recent data breaches and ransomware attacks are in the news almost daily. This alert will highlight several of the actions taken by these regulators and proactive measures that financial services companies can implement to avoid the regulatory scrutiny that may follow from a cyber incident.

Laws passed in Ohio, Utah and Connecticut are redefining the idea of reasonable cyber security controls across the US, writes global cyber security thought leader and CS Hub Advisory Board member Kayne McGladrey CISSP

Attorney Brenda Sharton is an old hand at helping companies navigate data breaches. In a typical week, she would work on recovery efforts from two or three cyberattacks—a steady but manageable pace.

Then came the novel coronavirus pandemic, and the volume of attacks skyrocketed.

“Over the course of a long weekend we had nine of them,” she says of one period late last winter.

Hackers thrive on crisis and disruption, says Sharton, litigation partner and global co-chair of the privacy and cybersecurity practice at the law firm Dechert. As businesses follow tentative return-to-office plans even as the Delta variant surges, she worries about another burst of cyberattacks, which this time could include even more financial advisory practices.

Hackers eye all sorts of businesses, but wealth management companies make particularly alluring targets, thanks to their proximity to vast sums of money and the detailed Information they hold on wealthy clients.

“The two holy grails for these people are money movement and data access,” Wealthcare President Matt Regan says of today’s breed of cybercriminals. “Bank robbers rob banks because that’s where the money is, and this is where the money is.”

The US financial market regulator, the Securities and Exchange Commission (SEC), has imposed sanctions on eight broker-dealer and financial advisory companies for lapses in their cybersecurity policies and measures. Three firms are facing a combined monetary penalty of $750,000.

It has been a busy summer for data breach and cybersecurity laws. Several states have shortened their data breach notification timelines, expanded their definitions of personal data breaches triggering notification requirements, or added provisions related to companies' cybersecurity programs.

We summarize the notable changes below. Clients are advised to carefully review these changes and assess whether their existing information security policies and procedures should be updated.