Consistent with the ongoing guidance and requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures. Even the best policies and procedures may, however, not protect the firm in every instance. So what do you do if there is a breach?

One of the most important things to determine is what law governs. In other words, if you have clients in all 50 states, it is possible that 50 different data breach laws may be implicated. Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.



The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging effect on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the SEC has signaled that the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.

The SEC is prepared; are you?

It was great speaking at the May 17 New York NSCP regional conference on risk issues facing firms, where Ernie Badway and I discussed cyber-security, risk issues, regulatory matters, issues involving elder clients and ways compliance personnel can protect themselves. For those of you who could not make the conference, these topics are frequently discussed in our various publications. Feel free to access them here and use them as you see fit.

On Tuesday, May 17, Ernie Badway and I are the keynote speakers at the NSCP Spring Conference in New York, entitled “Juggling Compliance Risks — Maintaining the Balance”. Among other things, Ernie and I will be speaking about cybersecurity, risk avoidance techniques, government regulations, elder client issues and compliance. We hope to see you at the conference.

Believe it or not, the old fashioned telephone may be one of your best defenses to a data breach and corresponding fraud. How so, you may ask.

One of the greatest data security risks that firms face is not necessarily a hack into your own IT systems. Instead, the hacking of your client’s email account may pose an even greater risk.

For example, a client's email account can be hacked, and the hacker then poses as your client and emails a request for a wire transfer of a significant amount of money. The easiest way to ensure that the email is legitimate is to pick up that thing that sits on the corner of your desk and call your client to confirm that he/she is requesting the wire.

This phone call takes no more than five minutes and will save you from having to file a SAR and being out of pocket to your client. You should have a written policy that all wires must be confirmed over the phone, with failure to do so being grounds for termination.

Hackers are getting more and more creative. Yet, the oldest technology in your office may be the difference between a data breach and a satisfied customer. Don’t forget to use it.

In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.

This unfortunate situation shows another side of the data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.

If someone really wants to get around your system, that person will likely do so. So what to do?

One thing firms should consider is a logging system that records when an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when and how often. The enforcement opinion was silent on any firm protocols in this regard.

Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor because it may have revealed unusual activity that the firm could have further explored.
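To make the access-logging idea concrete, here is an added example (not from the post or any firm's system) that reviews constructed client-record access log lines and flags the kind of unusual activity a supervisor could follow up on: access to accounts outside a representative's assigned book, activity outside business hours, and bulk exports. The log layout, the assigned-account table and the thresholds are all assumptions.

```python
"""Review Regulation S-P client-record access logs for unusual activity.

Added illustration; the log format, assignment table and thresholds are
assumptions, not a real firm's configuration.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, rep id, client account, action
SAMPLE_LOG = """\
2016-03-01T09:12:00 rep01 ACCT-1001 view
2016-03-01T09:15:00 rep01 ACCT-1002 view
2016-03-01T09:40:00 rep02 ACCT-2001 view
2016-03-01T22:05:00 rep02 ACCT-1001 export
2016-03-01T22:06:00 rep02 ACCT-1002 export
2016-03-01T22:07:00 rep02 ACCT-1003 export
2016-03-01T22:08:00 rep02 ACCT-1004 export
"""

# Assumed book of business: which client accounts each rep is assigned to
ASSIGNED = {
    "rep01": {"ACCT-1001", "ACCT-1002", "ACCT-1003", "ACCT-1004"},
    "rep02": {"ACCT-2001"},
}


def parse_log(text):
    """Turn log lines into (timestamp, rep, account, action) tuples."""
    events = []
    for line in text.splitlines():
        ts, rep, acct, action = line.split()
        events.append((datetime.fromisoformat(ts), rep, acct, action))
    return events


def flag_unusual(events, assigned, export_threshold=3, hours=(8, 18)):
    """Return (rep, reason) findings a supervisor should review."""
    findings = []
    exports = Counter()
    for ts, rep, acct, action in events:
        if acct not in assigned.get(rep, set()):
            findings.append((rep, f"accessed unassigned account {acct}"))
        if not hours[0] <= ts.hour < hours[1]:
            findings.append((rep, f"{action} of {acct} outside business hours at {ts}"))
        if action == "export":
            exports[rep] += 1
    for rep, n in exports.items():
        if n >= export_threshold:  # bulk export of client records
            findings.append((rep, f"{n} record exports in one log window"))
    return findings


if __name__ == "__main__":
    for rep, reason in flag_unusual(parse_log(SAMPLE_LOG), ASSIGNED):
        print(rep, reason)
```

Each finding is a lead for a supervisor to investigate, not proof of wrongdoing; a legitimate reassignment or after-hours project will also trip these checks.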

The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a complete data security program.

As we all know, cybersecurity remains a top priority for the SEC and FINRA. Unfortunately, a recent Investment News article would suggest that firms do not take it as seriously, or, at least, firm employees do not.

A recent study of passwords by SplashData demonstrates that advisers and firm employees are not taking to heart their role in the firm’s cybersecurity. The study showed that login passwords still include such "impossible to decode" choices as “12345” or “password”.

It is hard to believe that in this day and age advisers do not accept their own responsibility for securing client and firm data. For example, firms should consider multilevel verification for access to client information. Another change would be to have computers lock (requiring a password entry) after a shorter period of inactivity. Although possibly inconvenient, this will better protect firm systems.

It seems to me that this study and article show that something is missing. That something seems to be adequate education and training. How else can you explain anyone using “12345” or “password” as a password?

Quite frankly, time is running out for firms. Your regulators are, no doubt, going to ding you if you have such weak passwords protecting client data. So what should you do?

First, adequately train all staff about the importance of an effective password. Second, make it a firm requirement that passwords be changed every 60 to 90 days. Third, implement multilevel steps to access client data.

You don’t want your clients reading about you being dinged by a regulator for not having adequate passwords. Take action now, before it is too late.

Other than the non-defined “culture”, FINRA’s 2016 exam priorities are also focused on supervision and risk management. At least these categories are a bit more defined so that you are not left guessing what FINRA means.

Under these broad topics, FINRA is focused on four primary areas, which include:

  1. Management of conflicts of interest, including incentive structures, investment banking and research business lines, information leakage, and position valuation.
  2. Technology, including the ever-present cyber-security, technology management and data quality governance.
  3. Outsourcing: what are firms doing to reduce costs by outsourcing while, at the same time, maintaining responsibility for the work performed by that third party.
  4. Anti-money laundering monitoring and controls.

So what do all of these have in common? Yes, you guessed it; all would fall within the general culture of compliance that is also a focus of these exam priorities.

All of the above-referenced priorities have appeared in some form in the past, but a couple warrant special attention: technology and outsourcing. This is a particular issue for smaller firms that, because of cost and infrastructure limitations, need to outsource cyber-security.

If so, the most important thing to remember is that you can outsource the work, but not the responsibility. So what do you have to do when you outsource?

For one, you need to vet your vendors. What are they doing to make sure they are adequately protected and, in turn, protect your electronically stored information? What does your contract provide for in the event of a breach under the vendor’s watch? Will the vendor defend and indemnify you?

These are only a couple of the issues to explore, but explore you must. After all, you can never delegate the responsibility to protect customer information from cyber-attack. FINRA will want to know.

As the New Year dawns, financial firms should only expect greater and more sophisticated attacks. After all, not only do you house personal identifying information, you also have access to client funds.

In a recent Investment News round-table, this threat was considered in more detail. There were a number of concerns noted, which include:

  1. Email. In particular, client generated email should be a real focus because it may be very difficult to determine if it is really the client or a hacker emailing you.
  2. Your IT infrastructure (hardware/software). Make sure you understand your IT architecture because this is one of the only ways you can assess and correct weaknesses in your systems against possible attack.
  3. Education. Are you educating your advisors about your systems, policies and procedures, and are they educating their clients about caring for the sensitive information that hackers are looking to steal or manipulate to gain access to your systems?
  4. Vendors. You have to ask yourself how safe the vendor is and whether you should trust it with access to your systems, because a hacker can reach your IT system through a vendor weakness.

There are many more issues that you will likely face when it comes to cyber threats in the coming year. But take one step at a time.

Can you honestly say you are doing all you can about the above? If not, regroup and revisit. If so, move on to review additional risks to your IT environment. After all, you are on the front lines of this battle.

Most people say that New Year resolutions are only as good as the paper on which they are written. Notwithstanding that ringing endorsement, I will give it a shot.

Here are some things that you should be resolved to doing in the New Year:

  1. Read the SEC and FINRA exam priority letters that each issue shortly after the New Year.
  2. Reevaluate your data security policies and procedures by testing them against internal and external threats.
  3. Reevaluate your policies and procedures regarding the client relationships you maintain with anyone over the age of 65.
  4. Communicate (in either writing or telephonically) with all of your clients at least once a quarter.
  5. Only communicate with your clients through a form of communication that is approved and monitored by your firm.
  6. Send a written follow-up communication after you speak with your clients.
  7. Put in writing to your clients those instances where your clients ignore your advice.
  8. Never put anything in an email that you are unwilling to see blown up 1000 times as an exhibit in a trial or disciplinary proceeding.
  9. Hold on tight for the roller-coaster ride that we may see in the markets next year; your clients will expect you to be the voice of reason and calm.
  10. If a client makes a complaint, immediately report it up the chain, and do not try to resolve it yourself.

I am sure each of you could think of more things to resolve yourself to doing. So have at it, and best wishes for a healthy, happy and prosperous New Year.
