On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity. According to the Risk Alert, an extensive ransomware attack called WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.” In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the hacker or hacking group who instigated the WannaCry attack obtained access to enterprise servers by exploiting a Windows Server Message Block vulnerability. WannaCry infects computers with software that encrypts data on a server, giving the encrypted files a .WCRY file-name extension, which prevents the rightful owner from accessing the data. Once a system is infected, the ransomware demands payment from the business in return for access to the business’ data. Microsoft released a patch for this vulnerability in March of 2017, but many users of Microsoft operating systems do not diligently update their software.

On April 13, 2015, the North American Securities Administrators Association (“NASAA”) adopted a model rule concerning business continuity and succession planning for investment advisers. The model rule is intended as guidance for state-registered investment advisers to determine how to develop succession planning policies and procedures. Investment advisers without business continuity and succession plans face serious risks if the adviser is temporarily or permanently unable to service its clients. Included with the model rule are scenarios to help illustrate when business continuity plans are important for an investment advisory firm and many questions to help determine how to craft the plan properly.

Many different types of disasters can strike an investment adviser’s business. From naturally occurring disasters such as hurricanes and snow storms to unnatural disasters like terrorist attacks or a sudden death, it is important to have thought about and created a succession plan to ensure that your clients’ interests are not harmed. A business continuity and succession plan allows the adviser to safeguard critical business functions so that your firm can continue as long as needed when a disaster strikes.

On June 19, 2015, new amendments to Regulation A took effect, which should increase the capital-raising options of some smaller businesses. Formerly, the Regulation A exemption was limited to $5 million. The new amendments provide an avenue for businesses to raise up to $50 million of capital. As a result of the new amendments, Regulation A is now divided into two tiers, “Tier 1” and “Tier 2.”

In Tier 1 offerings, companies can raise up to $20 million over a one year period, with not more than $6 million in offers by selling security-holders that are affiliates of the issuer. Under Tier 1, the offering must pass state securities regulation in any state where investors are located.

In Tier 2 offerings, companies can raise up to $50 million over a one year period, with not more than $15 million in offers by selling security-holders that are affiliates of the issuer. A Tier 2 offering has the significant advantage of being exempt from many state registration requirements.

Earlier this year, the SEC announced that one of its focus areas for examinations in 2014 would be cybersecurity. The SEC Office of Compliance Inspections and Examinations published a Cybersecurity Initiative Risk Alert in April that provides a sample request for information and documents, designed to determine the preparedness of a firm for cybersecurity threats. Examples of questions asked include:

– Please provide a copy of the Firm’s written business continuity of operations plan that addresses mitigation of the effects of a cybersecurity incident and/or recovery from such an incident if one exists;

– Does the Firm have a Chief Information Security Officer or equivalent position? If so, please identify the person and title. If not, where does principal responsibility for overseeing cybersecurity reside within the firm?;

– Please provide a copy of the Firm’s procedures for verifying the authenticity of email requests seeking to transfer customer funds. If no written procedures exist, please describe the process.


The Indiana Securities Division recently issued an emergency rule to explain new distinctions in Indiana’s crowdfunding exemptions, which became effective July 1, 2014. Indiana’s new rule is similar to Georgia’s “Invest Georgia” rule, which we have previously profiled.

The Invest Indiana Crowdfunding Exemption, Sec. 23-19-2-2(27), permits Indiana-organized entities to offer or sell securities for intrastate offerings to Indiana residents only. The exemption requires the Indiana-organized entity to file with the Indiana Securities Division SEC Form D, which clearly states “Indiana Only” on the first page, and to include a cover letter identifying that the filing is for the 23-19-2-2 (27) exemption, and to include a $100 filing fee. The Exemption details the requirements for both issuers and investors in regards to an Invest Indiana offering.

In a consented-to Administrative Order dated July 2, 2014, the Securities and Exchange Commission fined a Missouri-based Registered Investment Adviser, SignalPoint Asset Management (“SignalPoint” or “SAM”), $215,000 for breaching its fiduciary duty to clients.

Prior to the formation of SignalPoint, the Principals of SignalPoint were registered as registered representatives and investment adviser representatives for a dually-registered broker-dealer and investment adviser. In 2008, the principals asked the dually-registered broker-dealer and investment adviser to allow them to have ownership and control of SignalPoint but were told that they could not have an ownership in an outside RIA.

Several Congressmen and an SEC Commissioner have independently urged the SEC to move forward with adopting proposed rules that impose additional requirements on public solicitations of Rule 506 offerings. At the same time that the SEC finalized its initial rulemaking on the subject last September, it proposed additional rules that would require filing Form D prior to any general solicitation and would impose advertising restrictions, among other things. We discussed that action and the proposed rules in two earlier posts.

Rule 506 was adopted as a safe harbor under Section 4(2) of the Securities Act of 1933, which provides that securities sold “by an issuer not involving any public offering” are exempt from registration under the Act. However, under Title II of the JOBS Act, passed in 2012, Congress required the SEC to adopt a rule allowing for the use of public solicitation in those offerings under conditions to be prescribed by the SEC. The initial rule adopted last September – requiring enhanced verification of accredited investor status – was the Commission’s first small step on the issue.

The comment period on the simultaneous rule proposal imposing additional requirements expired on November 4, 2013, but the Commission has taken no further action to date. On December 5, 2013, however, SEC Commissioner Luis Aguilar, speaking at a Consumer Federation of America conference, forcefully called upon the rest of the Commission to move forward in adopting the strengthened rules. “Every day that these proposals are not adopted is another day that investors face great harm. I’m frustrated because investors are going to be damaged,” said Commissioner Aguilar. “Unfortunately, it’s been almost five months since those proposals have been issued for comment.”

The SEC has released the results of the 686 enforcement actions it filed in federal court in 2013, which resulted in $3.4 billion in sanctions against offenders. Of the $3.4 billion, securities violators were required to disgorge illegal profits of approximately $2.257 billion and pay penalties of approximately $1.167 billion. The chairperson of the SEC, Mary Jo White, stated, “A strong enforcement program helps produce financial markets that operate with integrity and transparency, and reassures investors that they can invest with confidence.”

The 2013 total sanction amount is 10 percent higher than 2012 and 22 percent higher than 2011. In 2013, the SEC pursued many categories of enforcement actions including:

– Broker-dealers (121)
– Delinquent Filings (132)
– Foreign Corrupt Practices Act (5)
– Financial Fraud/Issuer Disclosure (68)
– Insider Trading (44)
– Investment Adviser/Investment Co. (140)
– Market Manipulation (50)
– Securities Offering (103)
– Other (23)

The SEC highlighted certain enforcement programs on which they had focused in 2013 and programs that they will emphasize for the foreseeable future. The SEC is focused on making sure gatekeepers, people that have special duties to ensure that the interests of investors are protected, safeguard and protect investors’ rights.