SEC is Scrutinizing RIAs’ Remote Work for Violations, Attorney Warns
Failure to supervise a remote advisor led to IFP Advisors recent $400,000 Fine

The SEC is focused on the regulatory risks associated with advisors with personnel working from home or other locations other than their firm's central office, securities attorney Richard L. Chen warned in a new blog.

The Securities and Exchange Commission wants advisors to take a closer look at cybersecurity risks.

In February, the SEC proposed rules that would require advisors to periodically assess their information systems and categorize cybersecurity risks, report significant cybersecurity events within 48 hours, and ensure client information is protected by third-party vendors.

Cybersecurity is a big, expensive deal for every company. Whether you’re leading a global corporation or a small or midsize business, or SMB, cyber threats are always close at hand.

Late last month the Securities and Exchange Commission (“SEC”) charged JP Morgan, UBS and Trade Station with violations of Regulation S-ID based on a range of inadequacies in their identity theft red flag policies and procedures. https://www.sec.gov/news/press-release/2022-131 The violations at issue might seem less than critical, such as not updating policies, merely copying over examples of red flags from Reg S-ID’s Appendix A, not incorporating specific policies into the red flag program, covering all accounts instead of conducting specific account assessments, and not providing sufficient detail in board reports. Although the SEC did not note any failure by these broker-dealers and investment advisors to actually detect and respond to identity theft red flags, the resulting orders and fines (up to $1.2 million), underline the SEC’s seriousness about protecting investors from cybercrime by requiring broker dealers and investment advisors to up their game and focus on the details.

Fidelity conducted an RIA Benchmarking Study to identify and analyze key performance metrics for RIAs. The intended goal was to evaluate individual performance rates and provide recommendations for improving revenue streams and growing clientele.

The Securities and Exchange Commission announced Wednesday that it imposed a total of $2.5 million in fines on J.P. Morgan Securities, UBS Financial Services Inc. and TradeStation Securities Inc. for deficiencies related to their efforts to protect customers from identity theft.

On May 3, 2022 the Securities and Exchange Commission (the “SEC”) announced the addition of 20 new positions to the Division of Enforcement’s newly renamed Crypto Assets and Cyber Unit (formerly known as the Cyber Unit), expanding the Crypto Assets and Cyber Unit to 50 positions (the “Announcement”).[i] With its expanded numbers, the Crypto Assets and Cyber Unit will continue to identify cybersecurity disclosure and control issues and will focus on investigating:

Cybersecurity is now battling a human problem just as much, if not more, than a technical one.

According to Verizon’s 2021 Data Breach Investigations Report, 85% of successful cyberattacks now involve a human element. Combine that with the fact that even the very best technology can only thwart about 93% of attacks, and that leaves a large hole in an organization’s basic security hygiene. This gap forces employees to make split decisions that can affect security, and failure to choose correctly puts disaster just a click away.

If you haven’t planned for an SEC audit, you should.

Why? Because you are likely to face one. Advances in technology and the adoption of a data-centric approach have made it fast and easy for the SEC to comprehensively audit even the smallest firm, regardless of its location.

Recently, Private Client Services, LLC (“PCS”) confirmed that the company experienced a data breach after an unauthorized party gained access to sensitive consumer information through a compromised employee email account. According to the PCS, the breach resulted in the names, Social Security numbers, driver’s license numbers and state identification numbers being compromised. On May 27, 2022, PCS filed official notice of the breach and sent out data breach letters to all affected parties. In total, the company sent out 22,554 letters.