Articles Tagged with Cybersecurity

Over the last five years, cybersecurity has consistently been a top priority of the Securities and Exchange Commission (“SEC”). We have written about the SEC’s focus on cybersecurity in July 2020 and January 2020. With an additional enforcement action in June, the SEC is continuing to signal that firms it regulates need to have appropriate risk management and cybersecurity controls in place. While this case does not directly involve an investment adviser, advisers would be wise to learn from it.

First American Financial Corporation (“First American”) is a real estate settlement services provider. In that capacity, it stores certain non-public personal information (“NPPI”) of real estate purchasers and sellers. An internal audit in 2018 found that certain NPPI held by First American was not being stored securely.

Subsequently, First American conducted a vulnerability test, which culminated in a written report in January 2019. In the report, information security personnel determined that certain website URLs First American sent to customers contained a numeric identifier that could simply be changed to another number to retrieve a different customer’s NPPI, with no check that the requester was entitled to see it.
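The flaw described above is an insecure direct object reference: the server treats the number in the URL as proof of entitlement. The following Python example is added here and is not First American’s code or anything from the SEC order; the record store, user names and document identifiers are constructed for illustration. It shows the vulnerable lookup beside a hardened one that binds every lookup to the logged-in user, returns the same error for “missing” and “not yours” so the identifier space cannot be enumerated, and, as defence in depth, serves records under random tokens instead of sequential numbers.

```python
"""Insecure direct object reference (IDOR) in a document-retrieval endpoint,
shown beside a hardened version. Example code with constructed data."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Document:
    doc_id: int
    owner: str
    contents: str  # stands in for NPPI such as account or identity details


# Constructed sample data: two customers, one settlement record each.
DOCUMENTS: Dict[int, Document] = {
    1001: Document(1001, "alice", "alice's closing statement"),
    1002: Document(1002, "bob", "bob's closing statement"),
}


class Forbidden(Exception):
    pass


class NotFound(Exception):
    pass


def fetch_document_vulnerable(doc_id: int) -> str:
    """Vulnerable pattern: the URL parameter is the only input considered."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.contents  # nobody checks that the requester owns doc_id


def fetch_document_secure(session_user: Optional[str], doc_id: int) -> str:
    """Hardened: require a session, then authorise against the record owner."""
    if session_user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # One error for both "no such record" and "not your record", so the
    # response does not reveal which identifiers exist.
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc.contents


# Defence in depth: hand out opaque, unguessable link tokens rather than
# sequential integers. The token index is hypothetical in-memory state.
_TOKEN_INDEX: Dict[str, int] = {}


def issue_link_token(doc_id: int) -> str:
    token = secrets.token_urlsafe(32)
    _TOKEN_INDEX[token] = doc_id
    return token


def fetch_by_token(session_user: Optional[str], token: str) -> str:
    doc_id = _TOKEN_INDEX.get(token)
    if doc_id is None:
        raise NotFound(token)
    # The token alone is still not enough; ownership is re-checked.
    return fetch_document_secure(session_user, doc_id)


def can_read(session_user: Optional[str], doc_id: int) -> bool:
    """Convenience predicate over the hardened path: True only for the owner."""
    try:
        fetch_document_secure(session_user, doc_id)
        return True
    except (Forbidden, NotFound):
        return False


if __name__ == "__main__":
    # alice tampers with the URL from 1001 to 1002
    print(fetch_document_vulnerable(1002))     # leaks bob's record
    print(can_read("alice", 1001), can_read("alice", 1002))  # True False
```

The random token on its own is not an access control; it only stops an attacker from walking the identifier space. The ownership check in `fetch_document_secure` is the fix, and an audit test for this class of bug is exactly the one in the `__main__` block: log in as one user and request another user’s identifier.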

The Office of Compliance Inspections and Examinations (“OCIE”) published a Risk Alert highlighting the need for investment advisers to prevent unauthorized access to client data stored on websites.

Recently, cyber attackers have used “credential stuffing” and other methods to breach web-based user accounts. Credential stuffing is the automated replay of username and password pairs stolen in earlier breaches (and traded on the dark web) against other sites, using scripts to try each pair at scale; it works because many people reuse the same password across accounts. Attackers favor it because it is more efficient and more successful than a traditional brute-force attack, which has to guess passwords for one account at a time.
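The distinction the paragraph draws is also the detection signal: a brute-force source hammers one account with many passwords, while a credential-stuffing source tries many different accounts with one or two passwords each. The following Python scorer is an added example, not from the OCIE Risk Alert; the log format and the log lines are constructed, and the thresholds are assumptions to tune per site. It groups failed logins by source IP, classifies each source by the ratio of distinct usernames to failed attempts, and then lists accounts that logged in successfully from a stuffing source, since those are the reused passwords the attacker actually found.

```python
"""Separating credential stuffing from brute forcing in login logs.
Added example over constructed log lines; thresholds are assumptions."""
import re
from collections import defaultdict
from typing import Dict, Set

# Hypothetical log format: "<timestamp> login <ok|fail> ip=<ip> user=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) login (?P<result>ok|fail) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)

# Constructed sample: one stuffing source, one brute-force source, one
# ordinary user who mistyped a password once.
SAMPLE_LOG = """\
2020-09-15T10:00:01Z login fail ip=203.0.113.5 user=alice
2020-09-15T10:00:02Z login fail ip=203.0.113.5 user=bob
2020-09-15T10:00:03Z login fail ip=203.0.113.5 user=carol
2020-09-15T10:00:04Z login fail ip=203.0.113.5 user=dave
2020-09-15T10:00:05Z login fail ip=203.0.113.5 user=erin
2020-09-15T10:00:06Z login fail ip=203.0.113.5 user=frank
2020-09-15T10:00:07Z login ok ip=203.0.113.5 user=grace
2020-09-15T10:01:00Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:01:01Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:01:02Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:01:03Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:01:04Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:01:05Z login fail ip=198.51.100.7 user=alice
2020-09-15T10:02:00Z login fail ip=192.0.2.9 user=alice
2020-09-15T10:02:05Z login ok ip=192.0.2.9 user=alice
"""


def parse(log_text: str):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def _aggregate(log_text: str):
    per_ip = defaultdict(lambda: {"fails": 0, "users": set(), "ok_users": set()})
    for ev in parse(log_text):
        bucket = per_ip[ev["ip"]]
        if ev["result"] == "fail":
            bucket["fails"] += 1
            bucket["users"].add(ev["user"])
        else:
            bucket["ok_users"].add(ev["user"])
    return per_ip


def classify_sources(log_text: str, min_fails: int = 5,
                     stuffing_ratio: float = 0.8) -> Dict[str, str]:
    """Label each source IP: normal, brute-force, credential-stuffing, suspicious.

    min_fails: below this many failures the source is not judged at all.
    stuffing_ratio: distinct usernames / failures at or above this is stuffing
    (each account tried roughly once); exactly one username is brute force.
    """
    verdicts = {}
    for ip, b in _aggregate(log_text).items():
        n = b["fails"]
        if n < min_fails:
            verdicts[ip] = "normal"
            continue
        distinct = len(b["users"])
        if distinct / n >= stuffing_ratio:
            verdicts[ip] = "credential-stuffing"
        elif distinct == 1:
            verdicts[ip] = "brute-force"
        else:
            verdicts[ip] = "suspicious"
    return verdicts


def likely_compromised(log_text: str, **kw) -> Set[str]:
    """Accounts that authenticated successfully from a stuffing source."""
    verdicts = classify_sources(log_text, **kw)
    hits: Set[str] = set()
    for ip, b in _aggregate(log_text).items():
        if verdicts.get(ip) == "credential-stuffing":
            hits |= b["ok_users"]
    return hits


if __name__ == "__main__":
    for ip, label in classify_sources(SAMPLE_LOG).items():
        print(ip, label)
    print("reset and notify:", sorted(likely_compromised(SAMPLE_LOG)))
```

Two simplifications worth naming: the scorer looks at the whole log rather than a sliding time window, and it keys on a single source IP, whereas real stuffing campaigns rotate through proxy pools, so in production the same ratio is usually computed per ASN or per rate-limit bucket as well. The successful logins from a flagged source are the actionable output; those accounts need a forced password reset and, where the firm supports it, multi-factor authentication.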

OCIE has the following recommendations for Investment Advisers to consider in protecting themselves and their websites against credential stuffing attacks:

The Securities and Exchange Commission (“SEC”) recently published its sixth risk alert on cybersecurity since 2014. In this alert, the SEC focused on how its regulated firms protect themselves against ransomware risk. I previously wrote about the SEC’s last risk alert on ransomware here.

Ransomware is malware that blocks a user from accessing some or all of the data on their network or other systems until a ransom is paid. To be effective, ransomware must first gain access to that data, most often through user error, such as a user clicking a link or opening a downloaded file that runs the malware. From there, the attacker typically encrypts the data and demands payment for the key to decrypt it.

There are varying studies, but up to 90% of financial services firms, including investment advisers, broker-dealers and investment companies, report that they have been targeted by ransomware. The SEC also reports that these targeted attacks have gotten more sophisticated in nature over the last few years, which necessitates greater allocation of resources from firms to protect themselves.

In our previous post, we described the SEC’s announcement of examination priorities in 2020 for the Commission’s Office of Compliance Inspections and Examinations (OCIE). In that post, we discussed areas of examination that will apply to a large percentage of registered investment advisers and other regulated entities. In this post, we focus on another priority, namely robo-advisers.

Otherwise known as automated investment platforms, “robo-advisers” have come under increased scrutiny by OCIE.  The number of these advisers has increased substantially over the last four years.  OCIE intends to focus on issues such as the eligibility of the robo-adviser to register with the SEC, marketing practices engaged in by robo-advisers, the ability to comply with fiduciary duty, the adequacy of the adviser’s disclosures, the effectiveness of the adviser’s compliance program, and the firm’s cybersecurity policies, procedures and practices.

Advisers Act Rule 203A-2(e) permits “internet only advisers” to register with the SEC, provided certain conditions are met and maintained.  Specifically, the adviser must provide investment advice to all clients exclusively through an interactive website and maintain records demonstrating that it does so.  Under the rule, an adviser may provide investment advice through means other than the internet to up to fourteen clients during any twelve-month period. Undoubtedly there are some firms that registered on this basis who were either not eligible at the time or, through the evolution of their business, have strayed from the conditions required to remain eligible for registration.


Earlier this month, the SEC’s Office of Compliance Inspections and Examinations (OCIE) announced its examination priorities for 2020.  Many of the priorities listed are similar to those identified in previous years’ priorities lists. The SEC’s approach in addressing them, however, continues to evolve to keep pace with the changing landscape of financial markets, market participants, products, technologies and risks. This post will address some of the areas that should be of concern to a large percentage of registered investment advisers (RIAs), broker-dealers and other regulated entities.

OCIE reiterated that a significant underpinning of any effective compliance program is the “tone at the top” set by C-level executives and owners. Those firms that prioritize compliance and effectively create a “culture of compliance” tend to be more successful in designing and implementing compliance plans than firms that view compliance as an afterthought or business hindrance. One of the “hallmarks” of a firm’s commitment to compliance is the presence of an “empowered” CCO who is routinely consulted regarding most facets of the firm’s operations. There is nothing new to these concepts, but it is worth noting that OCIE continues to emphasize them year after year. Although not stated in the priorities release, the degree to which a firm demonstrates a commitment to compliance often weighs heavily on decisions OCIE examiners must make regarding how deficiencies will be addressed by the Commission. All other things being equal, firms that have made mistakes but demonstrate the ability to make effective corrections will often be provided an opportunity to implement those corrections and are less likely to become the subject of an enforcement referral.

Not surprisingly, OCIE will continue to prioritize examining RIAs to assess compliance with their fiduciary duty to clients. For examinations of RIAs occurring during the second half of 2020, this will undoubtedly include the proper use of Form ADV Part 3, which RIAs are required to complete, file, and begin delivering to clients by June 30, 2020. Additionally, broker-dealers will be expected to comply with new Regulation BI, which imposes a best interest standard. The priorities list reiterates that advisers and broker-dealers must eliminate, or at least fully and fairly disclose, all conflicts of interest, as more fully explained in Investment Advisers Act Release No. 5248, issued in June of last year.

Among other priorities relevant to RIAs, OCIE also listed the protection of retail investors saving for retirement, information security, anti-money laundering programs and financial technology.


The North American Securities Administrators Association—also known as “NASAA”—a cooperative association consisting of the chief securities regulators for each of the 50 United States, as well as Canadian and Mexican jurisdictions, has recently voted to adopt a model information security rule. NASAA’s new model information security rule could—if widely implemented by the individual NASAA Member jurisdictions—ultimately have a broad impact on the compliance programs of state-registered investment advisers.

Among its many roles as a confederation of individual regulators, NASAA frequently drafts and circulates “model rules” to its Members, who eventually vote on and adopt these draft rules for use by the various Member jurisdictions. A “model rule” is a familiar regulatory tool, which essentially provides a template upon which laws, rules, and other regulations can be drafted. For example, many of the individual states’ securities acts are variants of the Uniform Securities Act of 2002, a model act created by a group of legal scholars, regulators and veteran attorneys. NASAA’s new model rule is just such a template for regulators. Individual states and other jurisdictions may, at their discretion, adopt it in whole, in part, or not at all. That said, given the growing importance of cybersecurity issues, we believe it is more likely than not to be used as the states develop rules paralleling those already in place at the federal (SEC) level.

In its latest Risk Alert, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) urges advisers and broker-dealers to take a fresh look at their policies and procedures for electronic customer record storage, in light of shortcomings discovered by OCIE’s staff during recently conducted regular examinations. These shortcomings include weak or misconfigured security settings on network storage devices that, in the worst case, could allow unauthorized access to customer information.

OCIE Risk Alerts are highly useful resources for compliance professionals, as these published notices offer a window not only into the recent experiences of OCIE staff in the field, but also into where OCIE management intends to direct its staff in future examinations. In other words, if OCIE management deems a topic important enough to publish a Risk Alert about it, registrants can be assured that future exams will likely focus on deficiencies in that area.

This most recent Risk Alert zeroes in on deficiencies uncovered by examiners with respect to how advisers and brokers are protecting their customers’ electronic records, specifically records kept in the “cloud” or on other types of networked storage. OCIE defines cloud storage as the “electronic storage of information on infrastructure owned and operated by a hosting company or service provider.” Because such storage is reachable over the network, a weak or default configuration (for example, access controls left unset or misconfigured) can expose customer records to anyone who finds the storage, so these systems warrant robust protections and periodic verification that the configured settings match the firm’s policies.

FINRA has alerted its Member Firms to be on the watch for a fraudulent phishing email scheme targeted at compliance personnel. A phishing scheme typically uses email or some other type of electronic message to trick the recipient into clicking a malicious link or infected file attachment by mimicking a message from a trustworthy party. This particular scheme employs an email purportedly originating from an Anti-Money Laundering compliance officer at an otherwise apparently legitimate Indiana-based credit union. The email—which was received recently by a number of FINRA Member Firms—specifically targets compliance personnel by appearing to be a communication regarding an attempted transfer of money by a client of the recipient’s firm to the credit union which has been placed on hold due to concerns about potential money laundering. The scam is designed to get the recipient to open an attachment, which, according to FINRA “likely contains a malicious virus or malware designed to obtain unauthorized access to the recipient’s computer network.”

FINRA noted the following additional aspects of the fraudulent email that recipients should be alert for:

  • An otherwise legitimate reference to a provision of the USA Patriot Act allowing financial institutions to share information with each other.
  • An actual email address that appears to be from Europe, rather than the U.S.-based credit union.
  • Numerous instances of poor grammar and sentence structure.


Investment advisers’ use of clients’ usernames and passwords to access their clients’ accounts to observe the accounts’ performance has come under scrutiny in recent years.  In February 2017, the SEC Office of Compliance Inspections and Examinations (“OCIE”) disclosed in a Risk Alert that investment advisers’ use of client usernames and passwords can create compliance issues with the Custody Rule.  According to OCIE, an investment adviser’s “online access to client accounts may meet the definition of custody when such access provides the adviser with the ability to withdraw funds and securities from the client accounts.”  Accessing a client’s account using a client’s username and password often results in an investment adviser being able to withdraw funds and securities.

The North American Securities Administrators Association (“NASAA”) has also observed in recent years that if an investment adviser logs into a client’s account using the client’s personal information, “the investment adviser is in effect impersonating this client and has the same access to the account as the client.”  As a result, a number of issues arise when investment advisers use their clients’ personal information to gain access to online accounts, including custody, recordkeeping obligations, and potential violations of user agreements.

On February 13, 2018, the Securities and Exchange Commission announced that it is accepting registrations for the National Compliance Outreach Seminar (“National Seminar”).  The National Seminar, which is part of the SEC’s Compliance Outreach Program, is designed to help educate registered investment advisers’ chief compliance officers (“CCOs”), as well as their senior officers, about “various broad topics applicable to larger investment advisory firms and investment companies.”  The National Seminar will take place on April 12, 2018 at the SEC’s headquarters in Washington, D.C., and it will last from 8:30 a.m. to 5:30 p.m. ET.  While only 500 participants can attend in person, a live webcast will be provided via www.sec.gov.

This year the National Seminar will include six panel discussions between SEC personnel, CCOs, and various other industry representatives.  SEC personnel who participate in the panels typically include officers from the Office of Compliance Inspections and Examinations, the Division of Investment Management, and the Division of Enforcement’s Asset Management Unit, as well as officers from other SEC divisions or offices.  CCOs and other senior staff in private advisory firms typically participate in the panels as well.  Each of these panels reflects areas of concern which the SEC likely intends to prioritize in 2018.
