On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At their core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee and enforce the program, train staff, and report hacking to the state. Any report of hacking must be made within 72 hours of a hack that has a reasonable likelihood of impacting firm operations.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving the firm and have email systems that block certain forms of information, such as Social Security numbers.
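To make the outbound-email mandate concrete, here is an added example (not part of the original post, and not a description of any particular vendor's product) of the kind of check a mail gateway or data-loss-prevention filter performs before letting a message leave the firm. It looks for Social Security number patterns and then applies the structural rules the Social Security Administration publishes for issued numbers, so that invoice numbers and test values that merely look like an SSN do not trigger a block. The sample messages are constructed for the example.

```python
import re

# Candidate SSN: three digits, two digits, four digits. The separator (dash,
# space, or nothing) must be the same in both positions, and the run must not
# be part of a longer digit string, which keeps phone numbers and account
# numbers from matching.
_SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules for issued SSNs: the area number is never 000, 666 or
    900-999; the group number is never 00; the serial number is never 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    if int(group) == 0 or int(serial) == 0:
        return False
    return True


def find_ssns(text: str) -> list[str]:
    """Return every structurally valid SSN in text, normalized to nnn-nn-nnnn."""
    found = []
    for m in _SSN_CANDIDATE.finditer(text):
        area, _sep, group, serial = m.groups()
        if is_valid_ssn(area, group, serial):
            found.append(f"{area}-{group}-{serial}")
    return found


def should_block(message: str) -> bool:
    """Policy decision for an outbound message: block if any SSN is present."""
    return bool(find_ssns(message))


# Constructed sample messages (hypothetical, not real customer data).
SAMPLE_OUTBOUND = {
    "clean": "Hi Dana, your account 4401-2235 statement is attached. Call 212-555-0100.",
    "leak": "Per your request, the client's SSN is 219-09-9999 and DOB is 03/04/1960.",
    "lookalike": "Invoice 000-12-3456 and test id 666 45 6789 are not SSNs.",
}

if __name__ == "__main__":
    for label, body in SAMPLE_OUTBOUND.items():
        print(label, "BLOCK" if should_block(body) else "allow", find_ssns(body))
```

Running the block prints `allow` for the clean and lookalike messages and `BLOCK` for the leak. A production filter would also scan attachments and apply the same logic to other regulated identifiers, but the shape is the same: match the pattern, validate its structure, then decide.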

With this cost, however, will come added protection for consumers and, in turn, consumer confidence in their financial institutions. This program is the first of its kind, but it is unlikely to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection. Are you doing enough now, in the absence of regulation, to protect consumer information?

A recent Investment News article highlighted a burgeoning market for financial advisors looking to protect their practices; namely, data breach insurance. Although such insurance seems like a great idea, you need to exercise due care when purchasing it.

According to the article, more and more firms are buying this insurance to supplement any gaps that may exist in regular D&O insurance. After all, the typical D&O insurance policy either does not cover or provides little coverage for the harm caused by a data breach.

Although this may make it seem as though data breach insurance is the easy answer, it may not be. For one, this insurance has historically been fairly expensive when compared to D&O insurance. In addition, data breach insurance often has many exclusions that can limit the coverage you purchase. So what should you look for in such insurance?

According to the article, you want a policy that covers as many of the following business expenses as possible:

  • Lost data restoration.
  • Repairing or replacing damaged software or hardware.
  • Hiring public relations firms to address reputational damage.
  • Compensating clients for credit monitoring services.
  • Forensic investigators to investigate the incident.
  • Civil lawsuits, regulatory fines and penalties.
  • Lost profits caused by fraudulent wire transfers.

This list runs the spectrum, but each item is something you should consider before leaping into a cybersecurity insurance policy. Otherwise, you may not get what you pay for.

According to Fortune, outgoing Securities and Exchange Commission Chair Mary Jo White is refusing to delay adoption of new rules and regulations. Senate Republicans, in particular the Senate Banking Committee’s top two Republicans, Chairman Richard Shelby and Mike Crapo, requested that White delay adopting new rules until after Trump takes office. However, as reported by Reuters, White responded to Shelby and Crapo on December 12th, stating that she intends to move forward with derivative reforms mandated by Dodd-Frank, including capital and margin requirements for swap dealers, and a limit on how mutual funds and exchange-traded funds use derivatives to leverage returns.

There remain obstacles to these rules. First, because two commissioner positions remain vacant, there are only three remaining commissioners, and a quorum of the commission is required to pass the new rules. The other two commissioners, Kara Stein and Michael Piwowar, are a Democrat and a Republican, respectively. Second, Congress could quite easily reverse any new rules within 60 legislative days of their becoming final, which the Republican-controlled Congress could very well vote to do.

Thus, the takeaway is that firms must still monitor proposed new rulemaking under White’s SEC for the next few weeks, while also keeping an eye on what Congress will do in response to any new rules promulgated over the next month or so.

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud vendor failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm’s customers.

This breach and resulting fine should certainly serve as a wake-up call to all firms, but, in particular, to smaller firms. Smaller firms are the ones most likely to use outside vendors to control costs, yet they are also at greater risk.

If anything, this fine only reinforces the fact that firms are responsible for the vendors that they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.

It is perfectly fine to use a cloud vendor or some other third-party for your firm operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client information, you can assign the risk of loss to the other firm by contract. In other words, the other firm would have to indemnify you for any fines if its system is breached.

At the same time, part of your due diligence when hiring a firm must include asking tough questions, such as: have you ever sustained a breach? And, if so, have you had another one since?

In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.

Following up on our earlier report that Mary Jo White, the chair of the Securities and Exchange Commission, will step down at the end of the Obama administration, news of other departures within the SEC has begun to spread. The latest is Keith Higgins, head of the Division of Corporation Finance, who announced his plans to leave the SEC in January. According to Sarah N. Lynch at Reuters, Higgins oversaw the adoption of many rules pursuant to the 2012 Jumpstart Our Business Startups (JOBS) Act.

Other top SEC officials who have recently announced their planned departures include: Stephen Luparello (Trading and Markets Division Director), Mark Flannery (Chief Economist), Matthew Solomon (Chief Litigation Counsel), and James Schnurr (Chief Accountant).

According to Lynch, Andrew Ceresney (SEC Enforcement Director), who worked alongside White prior to joining the SEC, both in private practice and at the U.S. Attorney’s Office in New York City, declined to comment on any plans to leave the SEC.

As we noted previously, these departures will continue to pave the way for President-Elect Trump to deregulate the financial sector.

According to Tatyana Shumsky at the Wall Street Journal, the Securities and Exchange Commission has increased efforts to regulate the use of accounting metrics that do not conform to the U.S. Generally Accepted Accounting Principles, known as non-GAAP. The SEC’s endeavor began through its Division of Corporation Finance, which issued new compliance guidelines and sent more non-compliance letters to companies than it had in the past. More recently, the SEC’s enforcement division has gotten involved and has been probing companies on their non-GAAP financial reporting practices, as reported by the WSJ. Indeed, Michael Maloney, chief accountant of the SEC’s enforcement division, said the division is looking into violations of rules governing non-GAAP metrics. “It is a focus within the division, we are looking closely at it,” Mr. Maloney told the American Institute of CPAs conference in Washington on Tuesday, as reported by Shumsky.

The takeaway for companies that use non-GAAP metrics in their financial reporting is that the SEC has signaled its intent to increase regulation and enforcement in this area. Be sure your compliance team has reviewed your non-GAAP financial reporting practices, particularly in light of the new compliance guidelines from the SEC’s Division of Corporation Finance, which can be found here: https://www.sec.gov/divisions/corpfin/guidance/nongaapinterp.htm

The latest post-election domino has fallen. Mary Jo White, the chair of the Securities and Exchange Commission, will step down at the end of the Obama administration. White announced her departure on Monday, paving the way for Trump to implement his plan to deregulate the financial sector. In addition to replacing White, Trump will be able to fill two openings on the five-member commission, according to Renae Merle of the Washington Post. Thus, it is clear that Trump will be able to reshape the direction of the SEC and quickly pursue a path towards deregulating Wall Street.


Financial institutions, firms, brokers, counsel, and investors should all keep a close eye on the potential replacements that Trump is considering, as they will have an immediate impact on securities regulation, or the lack thereof. It is now abundantly clear that the regulatory landscape is about to undergo a major shift. Stay tuned.

Now that the election is over, it remains to be seen whether a Trump administration will do away with Dodd-Frank and dump the Department of Labor fiduciary duty rule as promised. Come inauguration, all bets are off. The one thing for certain is that the world for securities professionals will surely be changing come January. Hold on for the ride.

In its never-ending effort to thwart senior investor fraud, FINRA recently proposed a new rule to the SEC. This proposal would require member firms to obtain the name of a trusted contact person for the customer’s account. The new rule would also allow firms to place temporary holds on the disbursement of funds or securities when there is a reasonable belief of exploitation, and notify the trusted contact of such a hold.

This proposed rule is consistent with the advice I have been giving clients over the years as senior issues became more and more prevalent. So what does the potential formalized rule mean for the business?

It should come as a relief to firms to have this type of safeguard. It is a difficult situation to say the least when a firm is uneasy with what a family member may be doing with a senior client of the firm. This rule change will give you somewhat of an out.

The key to making this proposal work is selecting the right trusted contact person. Assuming such a person can be identified, I think it is a good idea for that person to be designated as a fiduciary to the client on the account applications, and for the account to be coded so that this trusted person receives regular account statements regarding the senior account.

By doing this, you as a firm have a separate set of eyes on the account activity from someone who may know the family and personal dynamics better than you. Having that person designated as a fiduciary on the account documents should also lend you some protection in the event that the trusted person turns out not to be so trustworthy.

Either way, this new rule should be embraced as a positive step to protect both firm and clients.

Consistent with the ongoing guidance and requirements from the SEC and FINRA, all firms must have and enforce data security policies and procedures. Even the best policies and procedures may, however, not protect the firm in every instance. So what do you do if there is a breach?

One of the most important things to determine is what law governs. In other words, if you have clients in all 50 states, it is possible that 50 different state data breach laws are implicated, each with its own notification triggers and deadlines. Fox Rothschild LLP has a free app, Data Breach 411, which provides an overview of state data breach laws.

Knowing what you need to know is imperative when assessing a data breach.