Articles Tagged with Cybersecurity

Earlier this year, Securities and Exchange Commission Chairman Jay Clayton appointed Stephanie Avakian and Steven Peikin as co-directors of the SEC’s Enforcement Division.  In an interview with Reuters, Avakian and Peikin expressed particular concern about cyber threats and how the SEC should make cybersecurity an enforcement priority.  According to Peikin, “The greatest threat to our markets right now is the cyber threat… That crosses not just this building, but all over the country.”

The SEC has expanded its investigations relating to cybercrimes.  There also appears to be an increase in incidents of hackers attempting to gain access to brokerage accounts.  In response, the SEC has begun gathering statistics about cybercrimes to assess market-wide issues.

On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity.  According to the Risk Alert, an extensive ransomware attack known as WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.”  In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the hacker or hacking group behind the WannaCry attack gained access to enterprise servers by exploiting a vulnerability in version 1 of the Windows Server Message Block (SMBv1) protocol. Once on a machine, WannaCry encrypts the files it finds and renames them with a .WCRY file-name extension, which prevents the rightful owner from accessing the data. The ransomware then demands payment from the business in return for restoring access to the business’ data. Microsoft released a patch for this vulnerability in March of 2017, but many users of Microsoft operating systems do not diligently update their software, and unpatched hosts that still accept SMBv1 connections remain exposed.
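The practical check that follows from the alert is whether a Windows host still accepts SMBv1 and whether the March 2017 fix is present. The PowerShell script below is an added example, not code from the Risk Alert, US-CERT, or the firm; it assumes Windows 8 / Server 2012 or later (so the SmbShare cmdlets exist) and an elevated session. It also assumes that the March 2017 fix the alert refers to is Microsoft bulletin MS17-010 and lists that bulletin's KB numbers, identifiers the page itself does not name; because later cumulative updates supersede those KBs, the hotfix lookup is treated as a partial signal, and the script additionally reports (and, with -DisableSmb1, removes) SMBv1 server support, which is the mitigation the DHS alert recommended.

```powershell
# Added example (not from the Risk Alert or TA17-132A): audit one Windows host's
# exposure to the SMBv1 vulnerability WannaCry exploited, look for the .WCRY
# footprint, and optionally turn SMBv1 off.
# Assumptions: Windows 8 / Server 2012+, elevated PowerShell, and that the
# March 2017 patch is MS17-010 (KB list transcribed here; the page names no KB).

[CmdletBinding()]
param(
    [switch]$DisableSmb1,                 # remediate instead of audit-only
    [string]$ScanPath = $env:USERPROFILE  # where to look for encrypted files
)

function Get-Smb1Status {
    # Server side: does this host still accept SMBv1 sessions?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component side: is the SMB1 feature installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
    }
}

function Get-Ms17010Hotfixes {
    # MS17-010 KB articles per OS family (assumption: transcribed, not on the page).
    # A missing KB does NOT prove the host is unpatched: a newer rollup may
    # supersede it, so treat this as a hint and confirm via update history.
    $kbs = 'KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
           'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429'
    Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
}

function Find-WcryFiles {
    param([string]$Path)
    # Footprint described in the alert: files renamed with a .WCRY extension.
    Get-ChildItem -Path $Path -Recurse -Filter '*.WCRY' -ErrorAction SilentlyContinue |
        Select-Object FullName, LastWriteTime
}

$status = Get-Smb1Status
"SMBv1 server enabled : $($status.Smb1ServerEnabled)"
"SMBv1 feature state  : $($status.Smb1FeatureState)"

$patches = Get-Ms17010Hotfixes
if ($patches) {
    "MS17-010 hotfix(es) present: $($patches.HotFixID -join ', ')"
} else {
    "No MS17-010 KB found; confirm patch level via Windows Update history or a later rollup"
}

$hits = Find-WcryFiles -Path $ScanPath
if ($hits) {
    "WARNING: $(@($hits).Count) .WCRY file(s) under $ScanPath; isolate this host"
    $hits | Format-Table -AutoSize
}

if ($DisableSmb1 -and $status.Smb1ServerEnabled) {
    # Disabling SMBv1 closes the protocol the exploit needs even before patching.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    "SMBv1 server support disabled"
}
```

Run it as `.\Check-Smb1Exposure.ps1` to audit, or `.\Check-Smb1Exposure.ps1 -DisableSmb1` to remediate; the script name is a placeholder. Disabling SMBv1 breaks connectivity to any legacy devices that only speak that version, so inventory those before turning it off fleet-wide.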

On October 18, 2016, Parker MacIntyre hosted a seminar addressing legal issues that registered investment advisers (“RIAs”) often face, including developing cybersecurity guidance and the implications of the new Department of Labor Fiduciary Rule.  The attendees consisted of sixteen individuals representing thirteen RIAs from around the Southeast.  Both SEC-registered and state-registered RIAs were represented among the attendees.

Parker MacIntyre was pleased to welcome Noula Zaharis, the Director of the Securities and Charities Division of the Secretary of State of Georgia, as a guest speaker.  She began the seminar with a presentation on how the Georgia Secretary of State registers and regulates investment advisers and on the common deficiencies encountered by the Georgia regulators.  Highlights from another presentation, entitled “Common Deficiencies, Exam Priorities, and Regulatory Initiatives,” included common deficiencies found in RIA examinations, exam priorities that RIAs should be aware of, and the Secretary of State’s regulatory initiatives.

The Securities and Exchange Commission’s (“SEC”) increased focus on cybersecurity continues: it recently brought charges against Morgan Stanley Smith Barney (“Morgan Stanley”) for failing to adopt written policies and procedures reasonably designed to protect confidential client information. These charges stemmed from a cybersecurity breach which began in 2011 and continued until 2014, resulting in the misappropriation of confidential client information from over 730,000 client accounts.

Broker-dealers and investment advisers are required pursuant to Regulation S-P, and comparable regulations of the Federal Trade Commission, to adopt written policies and procedures reasonably designed to protect client records and information. These policies and procedures must address the administrative, technical, and physical safeguards in place, and must be reasonably designed to ensure the security and confidentiality of client records and information, protect against anticipated threats, and prevent unauthorized access.


The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.

The Dodd-Frank Act gives CFPB supervisory authority over providers of consumer financial products or services. It also authorizes CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices from these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.


On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers. In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule. From September 2009 through July 2013, the firm stored sensitive personally identifiable information (“PII”) of clients and others, unencrypted, on a third party-hosted web server.

In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to adopt the governing regulations. The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.

Parker MacIntyre attorneys Steve Parker and Bryan Gort attended the 2015 annual conference of the North American Securities Administrators Association (NASAA), held last week in San Juan, Puerto Rico. As usual, the conference provided valuable guidance and updated information on areas of importance to state-registered investment advisers, as well as to federally notice-filed broker-dealers and SEC-registered investment advisers.

Of interest to state-registered investment advisers are proposed amendments to Part 1B of Form ADV that would attempt to capture an RIA’s use of social media and information on the use of third-party compliance professionals.

NASAA also presented the findings of its 2015 coordinated investment adviser examination review, compiled from the results of over 1,100 investment adviser examinations. Once again, books and records deficiencies were the leading category, with 78% of all examined entities having deficiencies in that area. Within that category, the failure to maintain adequate client suitability data was the leading deficiency, accounting for 10% of the deficiencies noted within the books and records category.

On Sept. 15, 2015, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing its renewed focus on the cybersecurity of securities firms and registered investment advisers. According to the Risk Alert, which is meant to serve as guidance for firms that need to create or strengthen a cybersecurity program, firms whose programs are not strengthened may be subject to additional regulatory scrutiny. The National Exam Program conducted cybersecurity examinations of 106 securities firms in 2014. As a follow-up to those 2014 examinations, the Risk Alert highlights additional measures that registered entities need to be aware of when the SEC conducts examinations.

A sample examination request with a list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations may review in conducting examinations of registered entities regarding cybersecurity matters may be viewed here.

Last month, the SEC’s Division of Investment Management released Investment Management Guidance in which it discusses a number of measures that investment advisers may wish to consider when addressing cybersecurity risks. This guidance is only the latest in a long list of guidance and alerts issued by the SEC and other regulators regarding the need for financial firms to improve their policies and procedures for dealing with cybersecurity threats.

Among the recommendations made in the current IM Guidance are that firms:

• Conduct a periodic assessment of the nature, sensitivity and location of information; the cybersecurity threats and vulnerabilities that exist; the security controls and processes currently in place; the impact that would occur in the event the information is compromised; and the effectiveness of the governance structure for managing cybersecurity risk


During the January 7th Practising Law Institute conference on Hedge Fund Compliance and Regulatory Challenges, the Director of the SEC’s Office of Compliance Inspections and Examinations (“OCIE”), Andrew Bowden, previewed some of the new priorities on which the SEC will focus in 2015. The areas of focus include protecting investors, specifically those in or close to retirement; cybersecurity; and the use of data analytics to identify potential wrongdoers. Another priority discussed was OCIE’s new initiative to use “presence exams” to examine certain investment advisers that have never been examined. Investment advisers that have been registered with the SEC for three or more years without an examination may be selected for a presence exam.

Presence exams are less intensive, shorter exams, taking roughly two-thirds the time of a regular SEC examination. They tend to be narrower in scope and focus on specific areas of concern the SEC may have. In October 2012, SEC staff created presence exams for investment advisers who were required to register with the SEC for the first time because of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank”). These newly required SEC registrants under Dodd-Frank included, for example, hedge fund advisers with more than $150 million in assets under management. Bowden stated that the SEC performed close to 400 of these exams and that OCIE met its goal of examining 25% of the investment advisers required to register with the SEC under Dodd-Frank by 2014.