Articles Tagged with Cybersecurity

On February 7, 2018, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) published its Examination Priorities for 2018.  The Examination Priorities cover “certain practices, products, and services that OCIE believes may present potentially heightened risk to investors and/or the integrity of the U.S. capital markets.”  The five priorities that OCIE specifically listed are (1) issues crucial to retail investors, such as seniors and those saving for retirement, (2) compliance and risks in critical market infrastructure, (3) FINRA and MSRB, (4) cybersecurity, and (5) anti-money laundering programs.  This is not an exclusive list, and OCIE invited comments concerning how it can adequately promote compliance.

OCIE intends to continue to make shielding retail investors from fraud a priority.  OCIE plans to focus especially on senior investors and those saving for retirement.  For example, examiners will pay particular attention to firms’ internal controls that are intended to monitor their representatives, especially in relation to products targeted at senior investors.  OCIE will also focus on disclosure of the costs of investing, examination of investment advisers and broker-dealers who primarily offer advice through digital platforms, wrap fee programs, mutual funds and exchange traded funds, municipal advisors and underwriters, and the growth of the cryptocurrency and initial coin offering markets.

On November 15, 2017, Stephanie Avakian and Steven Peikin, the Co-Directors of the Securities and Exchange Commission’s Division of Enforcement, published the Division’s Annual Report for fiscal year 2017.  Avakian and Peikin emphasized the Division’s commitment to enforcing the federal securities laws in order to “combat wrongdoing, compensate harmed investors, and maintain confidence in the integrity and fairness of our markets.”  They also emphasized their goals of shielding investors, discouraging misconduct, and reprimanding and penalizing those who violate the federal securities laws.  To accomplish these goals, five core principles, according to Avakian and Peikin, will serve as the Division’s road map.

First, the Division will focus primarily on retail investors, who Avakian and Peikin believe are not only the most common market participants, but also are the most susceptible and least equipped to handle financial loss.  The Division plans to keep confronting violations of the securities laws that can have a strong impact on retail investors, such as accounting fraud, sales of unsuitable products, Ponzi schemes, and pump and dump schemes.  The Division has also established a Retail Strategy Task Force to formulate competent methods of confronting securities law violations that affect retail investors.  The Retail Strategy Task Force will work with the SEC’s examination staff and the Office of Investor Education and Advocacy to pinpoint risk areas common to retail investors.

Earlier this year, Securities and Exchange Commission Chairman Jay Clayton appointed Stephanie Avakian and Steven Peikin as co-directors of the SEC’s Enforcement Division.  In an interview with Reuters, Avakian and Peikin expressed particular concern about cyber threats and how the SEC should make cybersecurity an enforcement priority.  According to Peikin, “The greatest threat to our markets right now is the cyber threat… That crosses not just this building, but all over the country.”

The SEC has expanded its investigations relating to cybercrimes.  There also appears to be an increase in incidents of hackers attempting to gain access to brokerage accounts.  In response, the SEC has begun obtaining statistics about cybercrimes to assess market-wide issues.

On May 17, 2017, the Securities and Exchange Commission’s (“SEC’s”) Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert pertaining to cybersecurity.  According to the Risk Alert, an extensive ransomware attack called WannaCry, WCry, or Wanna Decryptor “rapidly affected numerous organizations across over one hundred countries.”  In light of the WannaCry attack, OCIE is urging registered investment advisers, broker-dealers, and investment companies to address cybersecurity vulnerabilities.

According to the Risk Alert and an alert published by the Department of Homeland Security, US-CERT Alert TA17-132A, the hacker or hacking group who instigated the WannaCry attack obtained access to enterprise servers by exploiting a Windows Server Message Block vulnerability. Once on a system, WannaCry encrypts the data stored there and appends a .WCRY file-name extension to the affected files, which prevents the rightful owner from accessing the data. The ransomware then demands payment from the business in return for restoring access to the business’ data. Microsoft released a patch for this vulnerability in March of 2017, but many users of Microsoft operating systems do not diligently update their software.

On October 18, 2016, Parker MacIntyre hosted a seminar addressing legal issues that registered investment advisers (“RIAs”) often face, including developing cybersecurity guidance and implications of the new Department of Labor Fiduciary Rule.  The attendees consisted of sixteen individuals representing thirteen RIAs registered from around the southeast.  Both SEC-registered and state-registered RIAs were represented among the attendees.

Parker MacIntyre was pleased to welcome Noula Zaharis, the Director of the Securities and Charities Division of the Secretary of State of Georgia, as a guest speaker.  She began the seminar with a presentation on how the Georgia Secretary of State registers and regulates investment advisers and common deficiencies encountered by the Georgia regulators.  Highlights from another presentation, entitled “Common Deficiencies, Exam Priorities, and Regulatory Initiatives,” included common deficiencies found in RIA examinations, exam priorities that RIAs should ideally be aware of, and the Secretary of State’s regulatory initiatives.

The Securities and Exchange Commission’s (“SEC”) increased focus on cybersecurity continues, as it recently issued charges against Morgan Stanley Smith Barney (“Morgan Stanley”) for failing to adopt written policies and procedures reasonably designed to protect confidential client information. These charges stemmed from a cybersecurity breach which began in 2011 and continued until 2014, resulting in the misappropriation of confidential client information in over 730,000 client accounts.

Broker-dealers and investment advisers are required pursuant to Regulation S-P and comparable regulation of the Federal Trade Commission to adopt written policies and procedures reasonably designed to protect client records and information. These policies and procedures must address the administrative, technical, and physical safeguards in place, and must be reasonably designed to ensure the security and confidentiality of client records and information, protect against unanticipated threats, and prevent unauthorized access.


The Consumer Financial Protection Bureau (“CFPB”) recently instituted a cybersecurity enforcement action against an online payment platform, Dwolla, Inc., in the form of a consent order. This consent order is significant because it is the first time the CFPB has sought to institute an enforcement action in the cybersecurity arena after it was given the authority to do so under the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), highlighting the increasing emphasis being placed by financial regulators on cybersecurity practices. The Securities and Exchange Commission (“SEC”), Financial Industry Regulatory Authority (“FINRA”), and the Federal Trade Commission (“FTC”), among others, have all been quite active in policing data security practices of financial institutions in recent years. The SEC even listed cybersecurity control procedures of registered broker-dealers and investment advisers as one of its examination priorities for 2016.

The Dodd-Frank Act gives CFPB supervisory authority over providers of consumer financial products or services. It also authorizes CFPB to take enforcement action to prevent unfair, deceptive or abusive acts or practices from these providers. In this case, Dwolla allegedly made several exaggerated claims regarding the strength of its data security practices that the CFPB found to be deceptive within the meaning of the Dodd-Frank Act.


On September 22, the Securities and Exchange Commission (“SEC”) announced an important cybersecurity enforcement action that has broad implications for registered investment advisers. In a Settlement Order, the SEC found that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, “willfully violated” the Safeguards Rule. From September 2009 through July 2013, the firm stored sensitive, unencrypted personally identifiable information (“PII”) of clients and others on an unencrypted, third-party-hosted web server.

In requiring that broker-dealers, investment companies, and registered investment advisers guard against cybersecurity breaches, the SEC has relied on its authority under Sections 501, 504, and 505 of the Gramm-Leach-Bliley Act of 1999 to create the relevant regulations. The “Safeguards Rule” is Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)). Enforcement actions initiated by the SEC relating to computer security are often grounded in violations of the Safeguards Rule.

Parker MacIntyre attorneys Steve Parker and Bryan Gort attended the 2015 annual conference of the North American Securities Administrators Association (NASAA) held last week in San Juan, Puerto Rico. As usual, the conference provided valuable guidance and updated information on areas of importance to state-registered investment advisers, as well as federal notice filed broker-dealers and SEC registered investment advisers.

Of interest to state-registered investment advisers are proposed amendments to Part 1B of Form ADV that would attempt to capture an RIA’s use of social media and information on the use of third-party compliance professionals.

NASAA also presented the findings of its 2015 coordinated investment adviser examination review, compiled from the results of over 1100 investment adviser examinations. Once again, books and records deficiencies were the leading category, with 78% of all examined entities having deficiencies in that area. Within that category, the failure to maintain adequate client suitability data was the leading deficiency, accounting for 10% of the deficiencies noted within the books and records category.

On Sept. 15, 2015, the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert announcing its renewed focus on the cybersecurity of securities firms and registered investment advisers. According to the Risk Alert, securities firms should strengthen their cybersecurity programs or risk additional regulatory scrutiny; the alert is meant to serve as helpful guidance for firms that need to create or improve a cybersecurity program. In 2014, the National Exam Program conducted cybersecurity examinations of 106 securities firms. As a follow-up to those 2014 examinations, the Risk Alert highlights additional measures that registered entities need to be aware of when the SEC is conducting examinations.

A sample examination request with a list of information that the U.S. Securities and Exchange Commission’s Office of Compliance Inspections and Examinations may review in conducting examinations of registered entities regarding cybersecurity matters may be viewed here.