Articles Tagged with Cybersecurity

Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years.  In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule.  According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.”  Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.

The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.”  As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements.

On February 13, 2018, the Securities and Exchange Commission announced that it is accepting registrations for the National Compliance Outreach Seminar (“National Seminar”).  The National Seminar, which is part of the SEC’s Compliance Outreach Program, is designed to help educate registered investment advisers’ chief compliance officers (“CCOs”), as well as their senior officers, about “various broad topics applicable to larger investment advisory firms and investment companies.”  The National Seminar will take place on April 12, 2018 at the SEC’s headquarters in Washington, D.C., and it will last from 8:30 a.m. to 5:30 p.m. ET.  While only 500 participants can attend in person, a live webcast will be provided via www.sec.gov.

This year the National Seminar will include six panel discussions between SEC personnel, CCOs, and various other industry representatives.  SEC personnel who participate in the panels typically include officers from the Office of Compliance Inspections and Examinations, the Division of Investment Management, and the Division of Enforcement’s Asset Management Unit, as well as officers from other SEC divisions or offices.  CCOs and other senior staff in private advisory firms typically participate in the panels as well.  Each of these panels reflects areas of concern which the SEC likely intends to prioritize in 2018.

On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published its Examination Priorities for 2018.  The Examination Priorities cover “certain practices, products, and services that OCIE believes may present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.”  The five priorities that OCIE specifically listed are (1) issues crucial to retail investors, such as seniors and those saving for retirement, (2) compliance and risks in critical market infrastructure, (3) FINRA and MSRB, (4) cybersecurity, and (5) anti-money laundering programs.  This is not an exclusive list, and OCIE invited comments concerning how it can adequately promote compliance.

OCIE intends to continue to make shielding retail investors from fraud a priority.  OCIE plans to focus especially on senior investors and those saving for retirement.  For example, examiners will pay particular attention to firms’ internal controls that are intended to monitor their representatives, especially in relation to products targeted at senior investors.  OCIE will also focus on disclosure of the costs of investing, examination of investment advisers and broker-dealers who primarily offer advice through digital platforms, wrap fee programs, mutual funds and exchange traded funds, municipal advisors and underwriters, and the growth of the cryptocurrency and initial coin offering markets.

On November 15, 2017, Stephanie Avakian and Steven Peikin, the Co-Directors of the Securities and Exchange Commission’s Division of Enforcement, published the Division’s Annual Report for fiscal year 2017.  Avakian and Peikin emphasized the Division’s commitment to enforcing the federal securities laws in order to “combat wrongdoing, compensate harmed investors, and maintain confidence in the integrity and fairness of our markets.”  They also emphasized their goals of shielding investors, discouraging misconduct, and reprimanding and penalizing those who violate the federal securities laws.  To accomplish these goals, five core principles, according to Avakian and Peikin, will serve as the Division’s road map.

First, the Division will focus primarily on retail investors, who Avakian and Peikin believe are not only the most common market participants, but also are the most susceptible and least equipped to handle financial loss.  The Division plans to keep confronting violations of the securities laws that can have a strong impact on retail investors, such as accounting fraud, sales of unsuitable products, Ponzi schemes, and pump and dump schemes.  The Division has also established a Retail Strategy Task Force to formulate competent methods of confronting securities law violations that affect retail investors.  The Retail Strategy Task Force will work with the SEC’s examination staff and the Office of Investor Education and Advocacy to pinpoint risk areas common to retail investors.

Earlier this year, Securities and Exchange Commission Chairman Jay Clayton appointed Stephanie Avakian and Steven Peikin as co-directors of the SEC’s Enforcement Division.  In an interview with Reuters, Avakian and Peikin expressed particular concern about cyber threats and how the SEC should make cybersecurity an enforcement priority.  According to Peikin, “The greatest threat to our markets right now is the cyber threat… That crosses not just this building, but all over the country.”

The SEC has expanded its investigations relating to cybercrimes.  There also appears to be an increase in incidents of hackers attempting to gain access to brokerage accounts.  In response, the SEC has begun obtaining statistics about cybercrimes to assess market-wide issues.

On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity.  According to the Risk Alert, an extensive ransomware attack called WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.”  In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the hacker or hacking group who instigated the WannaCry attack gained access to enterprise servers by exploiting a Windows Server Message Block (SMB) vulnerability.  Once it infects a computer, WannaCry encrypts the data on the server and appends a .WCRY file-name extension, which prevents the rightful owner from accessing the data.  The ransomware then demands payment from the business in return for restoring access to the business’ data.  Microsoft released a patch for this vulnerability in March of 2017, but many users of Microsoft operating systems do not diligently update their software.

On October 18, 2016, Parker MacIntyre hosted a seminar addressing legal issues that registered investment advisers (“RIAs”) often face, including developing cybersecurity guidance and implications of the new Department of Labor Fiduciary Rule.  The attendees consisted of sixteen individuals representing thirteen RIAs from around the Southeast.  Both SEC-registered and state-registered RIAs were represented among the attendees.

Parker MacIntyre was pleased to welcome Noula Zaharis, the Director of the Securities and Charities Division of the Secretary of State of Georgia, as a guest speaker.  She began the seminar with a presentation on how the Georgia Secretary of State registers and regulates investment advisers and common deficiencies encountered by the Georgia regulators.  Highlights from another presentation, entitled “Common Deficiencies, Exam Priorities, and Regulatory Initiatives,” included common deficiencies found in RIA examinations, exam priorities that RIAs should ideally be aware of, and the Secretary of State’s regulatory initiatives.

The Securities and Exchange Commission’s (“SEC”) increased focus on cybersecurity continues, as it recently issued charges against Morgan Stanley Smith Barney (“Morgan Stanley”) for failing to adopt written policies and procedures reasonably designed to protect confidential client information.  These charges stemmed from a cybersecurity breach which began in 2011 and continued until 2014, resulting in the misappropriation of confidential client information in over 730,000 client accounts.

Broker-dealers and investment advisers are required, pursuant to Regulation S-P and comparable regulations of the Federal Trade Commission, to adopt written policies and procedures reasonably designed to protect client records and information.  These policies and procedures must address the administrative, technical, and physical safeguards in place, and must be reasonably designed to insure the security and confidentiality of client records and information, protect against unanticipated threats, and prevent unauthorized access.


The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.

The Dodd-Frank Act gives CFPB supervisory authority over providers of consumer financial products or services. It also authorizes CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices from these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.


On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers.  In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule.  From September 2009 through July 2013, the firm stored sensitive personally identifiable information (“PII”) of clients and others, unencrypted, on its third-party-hosted web server.

In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to create the new regulations.  The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)).  Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.