Ernie Badway and I have prepared a series of podcasts addressing risk avoidance issues for broker-dealers and investment advisors. The latest in the series addresses issues surrounding elder clients.
We hope you’ll take a listen.
A recent Investment News article highlighted issues investment advisors face regarding their cybersecurity programs when it comes to regulatory examinations.
First, don’t assume that your insurance policy covers the aftermath of a cyber-event. If you think you have coverage, make sure you document that understanding so that you do not have a shock when it is too late to do anything. A sound policy will cover, among other things, the costs of notifying your customers of a breach and the costs of technical support to close the gap.
Second, be certain that you have detailed written policies and procedures on cybersecurity, including what must be done in the event of a breach. These policies should also detail the known risks, such as working with third parties, and how the firm intends to address them.
Third, be certain that these policies and procedures are communicated to all individuals associated with the firm. Conduct adequate training on those policies, and emphasize the importance of diligence when it comes to cyber-awareness.
Fourth, you should use your cybersecurity as a way to market to your clients. Clients are well aware of these issues and want to have some sort of assurance if they are going to trust you with their money.
If you don’t believe that this is one of your most important areas of focus, do nothing and see what your regulator thinks during your next exam. Worse yet, see what your clients think after a data breach when you scramble because you did not take steps before the breach to prepare for the worst.
Any data security program has to have three critical components. Those key components are the following:
First, risk assessment. You must test, retest, and retest your systems (including your staff) for gaps and vulnerabilities. Hackers are very sophisticated. Do what you can to stay ahead of the curve on understanding the risks to your systems and staff.
Second, training. You have to train everyone in your organization, top to bottom, on your data security protocols. When new protocols are rolled out, you have to train again. A well-trained staff can help you avoid such things as phishing scams and missteps in the event of a breach.
Third, an incident response plan. An incident response plan is like insurance; you make a large investment that you hope you never have to use. If you have a breach, then you have to have a detailed plan on what you are going to do about it. The plan should detail what you will do in the event of a breach vis-à-vis your regulators, your employees and your customers, and how you will fix the gap and prevent it from happening again.
If your firm does not have these key elements in its data security program, you have set yourself up for disaster. Take the time, spend the funds necessary; protect yourself and your clients.
The Securities and Exchange Commission released its 2015 Annual Report on its Whistleblower Program this week and announced another rise in the number of whistleblower tips that it received. The SEC reported receiving 3,923 tips during its 2015 Fiscal Year, which is up from 3,620 in 2014 (as we previously reported), and up over 30% from 2012, which was the first full year that these numbers were reported. Additionally, in its FY 2015, the SEC paid out $37 million to whistleblowers, which included a whopping reward of over $30 million to just one whistleblower. The SEC’s Office of the Whistleblower (OWB) rewards whistleblowers for “their provision of original information that led to a successful Commission enforcement action with monetary sanctions totaling over $1 million” and can net tipsters between 10% and 30%, which is the statutory maximum allowed under the Dodd-Frank Act.
The OWB determines the reward percentage for whistleblowers based on the particular facts and circumstances of each case, rather than any hard-set mathematical formula. Some of the positive factors that may increase an award percentage include “the significance of the information provided by the whistleblower, the level of assistance provided by the whistleblower, the law enforcement interests at stake, and whether the whistleblower reported the violation internally through his or her firm’s internal reporting channels or mechanisms.” Negative factors that may decrease an award percentage include “whether the whistleblower was culpable or involved in the underlying misconduct, interfered with internal compliance systems, or unreasonably delayed in reporting the violation to the Commission.”
A positive takeaway for companies from the OWB’s report is that 80% of the 2015 whistleblower award recipients initially raised their concerns internally to their supervisors or compliance personnel before reporting their information to the SEC. The Dodd-Frank Act allows whistleblowers to do so, as it is designed to protect individuals who report internally to their companies, as well as those who report directly to the SEC. Thus, for the most part, companies are still able to get early notice of any wrongdoing prior to the SEC’s involvement, so that they can promptly respond, such as by engaging counsel as early as possible to investigate and advise on the proper path forward.
In order to have sound cyber-security protocols, you need to do more than just physically protect your systems and have written supervisory programs. Specifically, you need to fully engage your clients to be part of the protocol. Their participation can make your program work that much better than it would without them.
How so? For one, every firm should educate its clients about what types of materials, electronic or otherwise, the client should expect to receive from the firm. You should likewise tell clients to report back to you if they receive something not in keeping with the list you previously provided.
For example, clients should be reminded that trades and money transfers are not handled via email. Any email solicitation of trades or transfers should be reported to the firm because that may reflect a security gap.
Many clients have access to their accounts on-line. These clients should be reminded not to share their passwords with anyone. Likewise, firms should have a multi-step verification process to allow clients to access their statements on-line; i.e., a password and a security question to which only the client would know the answer.
Finally, you should consider having a standard presentation that you can provide clients about your cyber-security protocols. In other words, let your clients know what you have and what you are doing to protect their data.
In short, any sound data security program is going to engage a firm’s clients as much as its own internal systems, programs and policies. A collective effort is the best course to protect firm and client data. Without this joint engagement, you only run a greater risk of client harm when you have a breach.
No one likes being a victim, let alone being a victim twice. But that is what you may face if you have a data breach.
If your firm had a vulnerability that a hacker exposed, your regulator may come after you regardless of whether there is any client harm. After all, your system had a gap that a hacker exploited. So what should you do?
First, you have to know what you have on your systems that needs protection. How can you protect what you do not even know that you have? Therapeutic neglect is not the way to go.
Second, do your systems (including portable devices) have adequate encryption? If an unprotected device is stolen and information exposed, you can bet your regulator will have an issue.
Third, how secure are the passwords your employees are using? Many phishing schemes will poke and prod a firm until a weak link in your employ is exposed. Have your IT or security consultant conduct a simulated phishing campaign directed at your employees to figure out who may be a weak link, and then address those weak links.
Fourth, are you educating your employees on data security issues? If not, you should make this education a common and repeated part of your internal education program.
There is a saying that there are those who know that they have been breached and those who have not yet learned that they have been breached. Regardless of what camp you are in, take action to protect your systems and employees so that you can hopefully avoid the wrath of your regulator.
One area of focus for FINRA has been on recidivist registered representatives. A recidivist is an associated person who has repeated rule violations or customer complaints of a specific nature.
FINRA has used a risk-based approach in order to proactively identify the bad behavior that these undesirable registered representatives tend to display. In doing so, FINRA has developed a systematic way to review data for repeated patterns of certain bad conduct.
Once FINRA identifies these individuals, FINRA will focus on them and their supervisors. There is a particular focus on branch offices for those individuals who act in a manner inconsistent with firm practices.
FINRA then undertakes to remove the repeat offenders from the industry. If you follow FINRA disciplinary matters, it is apparent that FINRA is seeing this process through and removing repeat offenders from the industry.
Why should you care? For one, it should give you the impetus to review your own ranks. Is there someone who has had repeat issues? If so, what are you doing about it: nothing, heightened supervision, termination, etc.?
Firms have a choice. They can help flush out bad seeds in their firms, or have FINRA do it for them. If you take the latter course, you are likely to be the focus of FINRA as well. Be proactive; remove recidivists from your ranks.
Ernie Badway and I have prepared a series of podcasts that highlight client issues and risk avoidance techniques for broker-dealers and investment advisors. We hope you’ll take a listen.
The SEC and FINRA have made it very clear that they are focused on senior customers and elder abuse. Granted, firms must be focused on the elder customers, but, at the same time, must also focus on the fact that many advisors are included in the graying generation.
What are firms to do about that? Before you do anything definitive, you should vet your ideas with an employment consultant or lawyer to make sure that any plan does not run afoul of labor and employment laws because older advisors may be within a protected class.
Separate and apart from any legal analysis, you should consider doing certain things to make sure your advisors are acting properly and clients are being protected. Here are some suggestions that, in reality, apply across all age groups; these areas of inquiry could include:
- Having a supervisor meet with the advisor on a more regular basis just to see how they are doing; i.e., are they acting properly in the office, or are they even in the office?
- Monitor trading activity; has it changed radically over a short period of time?
- Analyze the outflows of cash from customer accounts.
- Analyze the loss of customers over time (i.e., has the advisor lost a number of clients in short order).
- Randomly contact customers to vet their recent experiences with their advisor.
These oversight tools may help you uncover an elder advisor who is suffering from dementia, or, quite possibly, uncover a young advisor who is defrauding customers. Either way, the key is simple: properly monitor your advisors’ activity and protect your clients in the process.
The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC’s focus were:
- Have a strong password, keep it secure and change it often.
- Use a two-step verification process if the firm offers it.
- Use different passwords for different on-line accounts.
- Avoid using public computers to access on-line accounts.
- Cautiously use wireless access to on-line accounts.
- Check and double check any links that are sent to you via email purporting to come from your advisory firm.
- Secure your mobile devices.
- Regularly check your account statements and confirmations for unusual activity.
In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.
Similarly, you should consider providing similar guidance as an investor alert or the like to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.
Although the prospects of suffering a data breach may be ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.