Consistent with the ongoing guidance and requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures.  Even the best policies and procedures may not, however, protect the firm in every instance.  So what do you do if there is a breach?

One of the most important things to determine is what law governs.  In other words, if you have clients in all 50 states, it is possible that 50 different data breach laws are implicated.  Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.



On Monday, September 12, 2016, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) announced that a “Supervision Initiative” will take place across the country.

OCIE staff will conduct focused RIA examinations of firms employing or contracting with supervised persons who have a disciplinary history.  OCIE plans to evaluate the effectiveness of RIA compliance programs, supervisory oversight practices, and disclosures to clients and prospective clients, concentrating on the potential risk disclosures arising from financial arrangements initiated by supervised persons with a disciplinary history.  OCIE’s justification for this targeted examination is its belief that firms that hire those with disciplinary histories are more likely to have future disciplinary issues arising from these individuals’ conduct.

Frankly, this announcement should come as no surprise to anyone.  The SEC has made it abundantly clear over the years that it does not like people with disciplinary histories working for regulated entities.  However, the SEC always seems to fail to consider that, for a significant part of the securities industry, disciplinary histories have become the norm given the ease with which people may make complaints against registered persons, and how expensive and difficult the regulators have made fighting unfounded allegations.  Numerous registered persons have had to make the difficult choice of agreeing to resolve disciplinary charges simply because the price of fighting them would be too great.

Conveniently, the SEC ignores this fact and instead will seek to further stigmatize many hard working and honest members of the securities community.


The SEC has repeatedly included issues around social media in its annual exam priorities for investment advisers. With the SEC’s recent release of a final rule on the subject, the SEC has taken that “exam priority” to the next level.

Under this new rule, investment advisers will have to complete an additional component to their annual Form ADV filed with the SEC. In doing so, investment advisers will have to disclose their addresses for Twitter, Facebook and LinkedIn. So what’s the point?

By requiring this disclosure, the SEC can better focus on each examined firm’s use of social media. Undoubtedly, the SEC will use this information when framing its examination of individual firms.

The SEC can also use this information on an ongoing basis to assess what firms are putting out there on social media. The industry has to assume that the SEC will be doing more with this information than just tucking it away for examination purposes.

This new rule should incentivize you to review your social media policy, assuming that you have one. If you do not have one, you need to have one prepared.

You should also monitor the information that your firm is putting out there on social media. Does it conform to SEC rules? Rest assured, if you are not minding the store, the SEC will.

Back in April, the Securities and Exchange Commission sought public comments on modernizing certain business and financial disclosure requirements in Regulation S-K.  In their Concept Release, the SEC noted that some investors and interest groups have “expressed a desire for greater disclosure of a variety of public policy and sustainability matters, stating that these matters are of increasing significance to voting and investment decisions.”

In response to the SEC’s request for comment, numerous environmental groups pressed the SEC to require disclosure of environmental, social, and governance risks in companies’ public filings.  According to Law360’s Juan Carlos Rodriguez, last week the Sierra Club, Greenpeace, Friends of the Earth and several other groups urged the SEC to create uniform environmental, social, and governance (“ESG”) disclosure requirements for companies, which would enable investors to identify companies that reflect their values.

However, as Rodriguez noted in his article, there were others who cautioned the SEC against going too far with ESG disclosures.  For example, the American Fuel & Petrochemical Manufacturers advised the SEC that “Such supplemental discussion beyond the bounds of mandated disclosure enriches the public discussion of ESG issues, but may not be material and should not be conflated with disclosures made pursuant to Regulation S-K according to the longstanding principles of financial relevance and materiality upon which the securities markets rely.”

The takeaway here is that the SEC will likely begin to require ESG disclosures from companies in their public filings.  Rodriguez explained that the SEC’s investor advisory committee has noticed a “significant and growing” number of investors who rely on sustainability and other public policy disclosures to better understand a company’s long-term risk profile.  Thus, while it is unclear what those ESG disclosure requirements will be, it is likely that some additional regulations and disclosures will be forthcoming, so plan accordingly.

To read more, please visit:

The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity, filled by Christopher R. Hetner. Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.

According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging effect on the industry.

As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?

Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security issues, the SEC has signaled that the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.

Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internal and external-facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.

The SEC is prepared; are you?

If you thought the SEC and FINRA were serious about elder issues, welcome Alabama, Indiana and Vermont. Each has enacted laws focused on elder abuse.

These states will have mandatory reporting to state officials in instances involving the disabled or those over 65 years of age. They will also allow advisors to cease disbursing funds from client accounts, and provide advisors with immunity for doing so. So what does this all mean?

For one, states are starting to ride on the coattails of federal regulators, who have made elder issues an examination priority in recent years. In addition, such state laws should be a wake-up call for brokerage and advisory firms that service elder clients.

The actions of these states should force you to ask yourself: what is my firm doing to prevent, detect and report elder abuse? Although a FINRA proposed rule does not require reporting, its goal is the same, because it would allow advisors to designate a third party whom they can inform of suspected problems.

In the absence of reporting requirements, firms should consider having clients aged 65 or above designate a trusted family member or friend whom the advisor can contact if the advisor suspects that the client may be the subject of some abusive conduct. At that point, you have a group approach to address suspected abuse.

Firms may also want to consider requiring these elder clients to designate a trusted family member or friend to receive copies of account statements. This way, someone who is “independent” can check an account for irregular activity as well.

Whether you are required to address elder abuse or not, firms should make sure that they are taking special care with their elder clients. Federal regulators and now states are focused on the issue. Are you doing anything to make sure your firm does not get into an elder abuse nightmare?

Anyone in a professional service business, such as a stock broker, has been faced with a client who decides to make a stupid decision. But the issue we all face is, when that decision results in the client losing money, who is to be held accountable?

Fortunately, the law does not require you to stop a client from making a stupid decision with their investments. As long as a broker-dealer’s advice was suitable, and an investment advisor’s advice was in keeping with its fiduciary duty, you should not be held accountable.

But this does not mean a client who has now lost money won’t try to hold you accountable for letting them make a stupid business decision. So how do you protect yourself?

The best way to protect yourself is to send the client a letter or email at the time that the client makes the bad decision. The communication should detail why you think it is a bad decision and the potential ramifications associated with that decision.

At a minimum, you should make a note in your file, either electronic or in hard copy, that the client made the bad decision and that you (presumably) advised against it.

The law should protect you from stupid clients, but make sure you protect yourself. Contemporaneous communication to the client and notation to the file may save you millions of dollars in the future.

The SEC recently commenced an enforcement action against an investment advisory firm and its principal for failing to disclose material conflicts of interest relating to new mutual funds that the firm had recently created and managed. The SEC is seeking disgorgement and an injunction against the firm and its principal.

Clients of the firm paid a fee for investment advice. Initially, the clients were invested in an ETF program. The firm subsequently created its own mutual funds that it managed for a fee.
Without disclosing that it would be paid both an investment advisory fee and fees for managing the mutual funds, the firm moved its clients into the mutual funds, which mirrored the investments in the ETF program. So why did the SEC take issue with this?

For one, the firm did not disclose the conflict of interest associated with this new strategy. The conflict of interest is that the firm would be paid two fees for an investment program that was the same as the prior program, for which clients had been charged only one fee.

Interestingly, the SEC in its complaint does not contend that the charging of two fees is per se improper. Instead, the issue is the fact that the firm did not disclose the conflict to its client before shifting the investment program. So what does this mean?

It all comes down to disclosure. If you disclose all conflicts of interest in sufficient detail, you may be able to avoid these types of enforcement issues.

The SEC recently announced that an equity advisory firm and its owner agreed to pay more than $3.1 million to resolve charges that they improperly engaged in brokerage activity and charged fees for it without registering as a broker-dealer.  In other words, the firm acted like a broker-dealer but never bothered to register as one.

The SEC’s investigation demonstrated that the firm performed brokerage services in-house, instead of using investment banks or broker-dealers to handle the acquisition and sale of portfolio companies for a pair of equity funds they advised.  Interestingly, the firm disclosed to its customers that it would provide brokerage services and charge customers a fee for doing so.

The problem is that the firm provided those services itself even though it was not registered to do so.  This action should serve as a warning, particularly for firms that may be engaged in Reg. D offerings.

If, as part of the offering, you find yourself engaged in the sale of securities, you had better be registered as a broker-dealer to be doing so.  Alternatively, you could retain the services of a broker-dealer to sell interests in the fund.  The law is clear: you need to do one of the two.

Another point of interest is that the SEC uncovered this improper conduct through an ordinary examination of the investment advisory firm.  In other words, there was no customer complaining that it suffered any harm.  So what lessons are to be learned?

For one, only broker-dealers can engage in brokerage services.  Second, the SEC in its exam process is looking for such activity and going after it.  Don’t make the same mistake; register as a broker-dealer or retain one to provide those services for you.

Business Insurance reported late last week that the Securities and Exchange Commission will award $5-6 million to a whistleblower who provided information on securities violations that would have been “nearly impossible” for the SEC to detect on its own.  Such an award would be the third largest award ever granted to a whistleblower by the SEC.  This also comes on the heels of a $3.5 million whistleblower award from the week before.

The takeaway is that the SEC continues to heavily incentivize company insiders to report possible securities violations.  It is critical to have internal controls and monitoring to catch these problems before a whistleblower runs to the SEC.  Self-reporting can drastically reduce exposure to damages and fines, but if you do not have proper compliance checks in place, you may never even catch the problem yourself.  Routine internal investigations and a rigorous compliance and monitoring system will go a long way toward preventing and spotting securities issues early, and thereafter managing and mitigating the fallout.