On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers. In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule. From September 2009 through July 2013, the firm stored unencrypted, sensitive personally identifiable information (“PII”) of clients and others on its unencrypted, third-party-hosted web server.

In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to create the new regulations. The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.

The Investment Advisers Act of 1940 requires that investment advisers exercise a fiduciary responsibility toward clients. Traditionally, this duty extends to protecting clients against fraud and abuse. But how does this fiduciary duty change when faced with an aging population? It’s no secret: the average age of the American population is increasing. Baby Boomers dominate the world of investment management. In 2008, SEC staff reported that Boomers hold 50% of total U.S. household investment assets. This places special duties and challenges on today’s registered investment advisers and broker-dealers.

As of September 29, 2015, NASAA (the North American Securities Administrators Association) has proposed a new model law that incorporates best broker-dealer and investment adviser practices for dealing with suspected financial exploitation of seniors and diminished-capacity investors. That proposal is available here.

On August 5th, 2015, in a decision that has implications for registered investment advisers and broker-dealers, SEC judge Cameron Elliot ruled on an enforcement action regarding the extent of liability for Compliance Officers in In the Matter of Judy K. Wolf, available here. Sanctions were not imposed against Ms. Wolf due to the violation being “decisively outweighed by the remaining public interest factors: egregiousness, degree of harm, and deterrence.” However, it was found that Wolf purposefully lied about her records violation.

In In the Matter of Judy K. Wolf, Judge Elliot stated he believed the further sanction against Wolf would be pursuit of “the low-hanging fruit” that is compliance officers.

The U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) on Sept. 15, 2015 issued a Risk Alert to announce its new focus on cybersecurity of securities firms and registered investment advisers. Securities firms should strengthen their cybersecurity programs; otherwise they may be subject to additional regulatory scrutiny, according to the Risk Alert, which is meant to serve as helpful guidance for firms that need to create or heighten a cybersecurity program. The National Exam Program in 2014 conducted cybersecurity examinations on 106 securities firms. As a follow-up to the 2014 SEC security examinations, the Risk Alert highlights certain additional measures the national registered entities need to be aware of when the SEC is conducting examinations.

A sample examination request with a list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations may review in conducting examinations of registered entities regarding cybersecurity matters may be viewed here.