Articles Posted in Cybersecurity

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has issued “Cybersecurity and Resiliency Observations,” which summarizes and reflects on the cybersecurity risks its examiners have observed in thousands of examinations of broker-dealers and investment advisers over the past eight years. Fittingly, OCIE observed that one size does not fit all when it comes to cybersecurity. The paper nonetheless provides detailed commentary on several categories of risk and the responses to those risks. One of those areas, governance and risk management, is an area of overall concern for most firms.

As with compliance in general, an effective cybersecurity program “starts with the right tone at the top,” according to OCIE. Other studies demonstrate that without leadership support and continuous engagement, information security policies fail. In an effective program, the firm’s C-level executives and the board must coordinate the activities of several key employees and, potentially, outside service providers. The initial priority should be to inventory cyber risks and then analyze and prioritize them. This must be a team exercise, because expertise is required from multiple quarters and points of view. Larger firms may wish to coordinate cybersecurity policies at the enterprise level, but differences among constituencies within the enterprise may strongly suggest that policies be addressed at the subsidiary level. Factors to consider include threats from malicious insiders, unintentional breaches through regular internal operations, risks relating to remote working and travel, and geopolitical risks.


In our previous post, we described the SEC’s announcement of 2020 examination priorities for the Commission’s Office of Compliance Inspections and Examinations (OCIE). In that post, we discussed areas of examination that will apply to a large percentage of registered investment advisers and other regulated entities. In this post, we focus on another priority, namely robo-advisers.

Otherwise known as automated investment platforms, “robo-advisers” have come under increased scrutiny by OCIE. The number of these advisers has increased substantially over the last four years. OCIE intends to focus on issues such as the eligibility of the robo-adviser to register with the SEC, the marketing practices robo-advisers engage in, their ability to comply with their fiduciary duty, the adequacy of the adviser’s disclosures, the effectiveness of the adviser’s compliance program, and the firm’s cybersecurity policies, procedures and practices.

Advisers Act Rule 203A-2(e) permits “internet-only advisers” to register with the SEC, provided certain conditions are met and maintained. Specifically, the adviser must provide investment advice to all clients exclusively through an interactive website and must maintain records demonstrating that it does so. Under the rule, an adviser may provide investment advice through means other than the internet to no more than fourteen clients during any twelve-month period. Undoubtedly there are some firms that registered on this basis that were either not eligible at the time or, through the evolution of their business, have strayed from the conditions required to remain eligible for registration.


The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool that essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may, at their discretion, adopt it in whole, in part, or not at all. That said, we believe that, especially given the growing importance of cybersecurity issues, it will more likely than not be used as the states come around to developing rules that parallel those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker-dealers to take a fresh look at their policies and procedures for electronic customer record storage, in light of shortcomings discovered by OCIE’s staff during recently conducted regular examinations. These shortcomings include weak or misconfigured security settings on network storage devices that, in the worst case, could result in unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals to consider, as these published notices serve as a window not only into the recent experiences of OCIE staffers in the field, but also into the thinking of OCIE management as to where it will direct its staff to focus in future examinations. In other words, if OCIE management deems a topic important enough to publish a Risk Alert on it, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records, specifically records kept in the “cloud” or on other types of networked storage. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Such storage is reachable over the network by design, so a misconfigured access control or an unchanged default setting can expose customer records directly; these systems therefore warrant robust, verified protections rather than reliance on the provider’s defaults.

FINRA has alerted its Member Firms to be on the watch for a fraudulent phishing email scheme targeted at compliance personnel. A phishing scheme typically uses email or some other type of electronic message to trick the recipient into clicking a malicious link or opening an infected file attachment by mimicking a message from a trustworthy party. This particular scheme employs an email purportedly originating from an Anti-Money Laundering compliance officer at an otherwise apparently legitimate Indiana-based credit union. The email, which was recently received by a number of FINRA Member Firms, specifically targets compliance personnel by appearing to be a communication regarding an attempted transfer of money by a client of the recipient’s firm to the credit union, which has supposedly been placed on hold due to concerns about potential money laundering. The scam is designed to get the recipient to open an attachment, which, according to FINRA, “likely contains a malicious virus or malware designed to obtain unauthorized access to the recipient’s computer network.”

FINRA noted the following additional aspects of the fraudulent email that recipients should be alert for:

  • An otherwise legitimate reference to a provision of the USA PATRIOT Act (Section 314(b)) allowing financial institutions to share information with each other.
  • A sender email address that appears to originate in Europe, rather than from the U.S.-based credit union.
  • Numerous instances of poor grammar and sentence structure.


Earlier this year, Securities and Exchange Commission Chairman Jay Clayton appointed Stephanie Avakian and Steven Peikin as co-directors of the SEC’s Enforcement Division. In an interview with Reuters, Avakian and Peikin expressed particular concern about cyber threats and said the SEC should make cybersecurity an enforcement priority. According to Peikin, “The greatest threat to our markets right now is the cyber threat… That crosses not just this building, but all over the country.”

The SEC has expanded its investigations relating to cybercrime. There also appears to be an increase in incidents of hackers attempting to gain access to brokerage accounts. In response, the SEC has begun gathering statistics about cybercrime to assess market-wide issues.

On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity. According to the Risk Alert, an extensive ransomware attack known as WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.” In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the attackers behind WannaCry gained access to enterprise systems by exploiting a vulnerability in version 1 of the Windows Server Message Block (SMB) protocol, and the malware used the same flaw to spread from one machine to the next. Once on a host, WannaCry encrypts the files it can reach and appends a .WCRY extension to them, preventing the rightful owner from accessing the data; it then demands payment from the business in return for restoring access. Microsoft released a patch for the vulnerability (Security Bulletin MS17-010) in March 2017, two months before the outbreak, but many organizations running Microsoft operating systems had not applied it.
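As an added example (not code from the OCIE Risk Alert, US-CERT TA17-132A, or this blog), the following PowerShell audits a Windows host for the two conditions the passage describes: SMBv1 still enabled, and the MS17-010 fix absent. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later, where the SmbServer and NetTCPIP cmdlets exist. The $Ms17010Kbs list is an illustrative subset of the bulletin’s KB numbers and must be confirmed for your OS builds; on Windows 10, later cumulative updates supersede the March 2017 KB, so a missing entry there is not by itself proof that the host is unpatched.

```powershell
# Added example: audit a Windows host for WannaCry exposure (SMBv1 on, MS17-010 missing).
# Assumptions: elevated session, Windows 8.1 / Server 2012 R2 or newer. The KB list below
# is an illustrative subset of MS17-010 identifiers; verify it against the bulletin for
# the OS versions in your fleet before relying on the MS17010Applied result.

$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',   # Server 2012
    'KB4012598',                # Vista / Server 2008 (and the out-of-band XP/2003 release)
    'KB4013429'                 # Windows 10 1607 / Server 2016 March 2017 cumulative
)

function Test-WannaCryExposure {
    [CmdletBinding()]
    param(
        # When set, turn SMBv1 off on the server side if it is found enabled.
        [switch]$Remediate
    )

    # SMBv1 server setting: the vulnerable protocol version the worm used to propagate.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Installed updates; any listed MS17-010 KB present means the SMB fix is applied.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $patched   = @($Ms17010Kbs | Where-Object { $installed -contains $_ }).Count -gt 0

    # A listener on TCP 445 is the path a neighbouring infected host would take in.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue

    $result = [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        SMB1Enabled    = $smb1Enabled
        MS17010Applied = $patched
        Port445Listen  = [bool]$listening
        # Exposed only when the vulnerable code path is on AND the fix is not present.
        Exposed        = ($smb1Enabled -and -not $patched)
    }

    if ($Remediate -and $smb1Enabled) {
        # Disabling SMBv1 removes the vulnerable code path even before the patch lands.
        # -Force suppresses the confirmation prompt; -Confirm:$false would do the same.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $result.SMB1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        $result.Exposed     = ($result.SMB1Enabled -and -not $patched)
    }

    return $result
}

# Usage: audit first; re-run with -Remediate on hosts that report Exposed = True.
Test-WannaCryExposure | Format-List
```

Run the audit across a fleet with Invoke-Command and collect the objects rather than the formatted text, so the Exposed flag can be filtered and tracked until every host reports False. Disabling SMBv1 is a mitigation, not a substitute for the patch: keep MS17010Applied as a separate column so the two are remediated and evidenced independently.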

On October 18, 2016, Parker MacIntyre hosted a seminar addressing legal issues that registered investment advisers (“RIAs”) often face, including developing cybersecurity guidance and the implications of the new Department of Labor Fiduciary Rule. The attendees consisted of sixteen individuals representing thirteen RIAs from around the Southeast. Both SEC-registered and state-registered RIAs were represented among the attendees.

Parker MacIntyre was pleased to welcome Noula Zaharis, the Director of the Securities and Charities Division of the Secretary of State of Georgia, as a guest speaker. She began the seminar with a presentation on how the Georgia Secretary of State registers and regulates investment advisers and on the common deficiencies encountered by Georgia regulators. Highlights from another presentation, entitled “Common Deficiencies, Exam Priorities, and Regulatory Initiatives,” included common deficiencies found in RIA examinations, exam priorities that RIAs should be aware of, and the Secretary of State’s regulatory initiatives.

The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.

The Dodd-Frank Act gives the CFPB supervisory authority over providers of consumer financial products or services. It also authorizes the CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices by these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.
