Not one for making people feel at ease, the SEC’s Division of Investment Management has indicated that it is not comfortable with investment companies investing in cryptocurrencies and similar products.

In a letter sent to industry groups, the SEC’s IM Director indicated that the Staff had numerous concerns over funds investing in these instruments.  The concerns boiled down to five categories: valuation, liquidity, custody, arbitrage, and potential manipulation (along with other risks).

The SEC Staff is concerned that funds will not be able to properly value the crypto-assets in question, or reduce them to cash if necessary.  Further, the SEC Staff had serious questions concerning whether a fund custodian would be able to properly validate the very existence and location of the assets, as well as ensure that there would be no arbitrage opportunities for insiders that could harm investors.  Similarly, the SEC Staff was also concerned about the potential for volatility in the cryptocurrency market, as recently witnessed in South Korea.

Additionally, the SEC Staff raised concerns that the cryptocurrency markets lack regulation, and could be subject to market manipulation and potential fraud.  These investments also potentially lend themselves to cybersecurity issues such as hacking, and to a lack of safeguards to protect against these intrusions.  The SEC Staff also suggested that funds would not be able to provide sufficient risk disclosures and transparency in their prospectuses to cover their requirements, and, thus, the funds would lack the appropriate risk disclosures to their shareholders.  Finally, the SEC Staff was concerned that there would not be appropriate suitability determinations by those who market and sell these funds– broker-dealers and registered investment advisers– that would satisfy their suitability and fiduciary obligations when recommending cryptocurrency investments to the public.

In sum, this may be the millionth (note: exaggeration) time this year that the SEC has made it known that it does not like cryptocurrency investments.  Clearly, the SEC is trying to send a message; therefore, those interested in cryptocurrency markets should beware.

FINRA recently issued a report regarding its examination findings. FINRA issued this report so that firms can gain insight from the work of FINRA’s examination of other firms.

Among FINRA’s findings are the following areas that need additional attention:

  1. Cybersecurity, including access management, risk assessments, vendor management, branch office security, segregation of internal duties and data loss prevention.
  2. Outside business activities and private securities transactions, including failure to provide notice to firms, notice reviews and post private securities transaction approval conduct.
  3. Anti-money laundering compliance programs, including maintaining adequate policies and procedures for suspicious activities, responsibility for AML monitoring, exclusions from data feeds used for AML monitoring, resources for AML monitoring and independent testing for AML monitoring.
  4. Product suitability, including unit investment trusts, multi-share class and complex products and training.
  5. Best execution.
  6. Market access controls, including establishing pre-trade financial thresholds, implementing and monitoring aggregate financial exposures, tailoring erroneous or duplicative order controls, implementing effective fixed income financial controls, reliance on vendors for fixed income financial controls, and effective testing for fixed income financial controls.

This list and the items in it should provide other firms with the benefit of hindsight. Review the report and then self-critique your firm. Do you have any of these issues? If so, implement modifications and adjustments to address them.


Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures.  https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.  In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments.  However, not all the news was good.  OCIE believes that these firms should better tailor their policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that identified vulnerabilities are addressed in a timely fashion.  OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The recent cyberattacks across the globe have caused the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) to issue an alert and highlight certain best practices for firms to handle these ransomware attacks.

The OCIE staff based this guidance on its review of various firms, concluding that these firms should perform a cyber-risk assessment; conduct penetration and vulnerability tests; and ensure software maintenance such as updates and software patches where applicable.  The OCIE staff found that many firms had deficiencies.  Further, according to the OCIE staff, firms should develop contingency plans in the event a cyberattack is successful.

Finally, the securities industry is not immune from these cyberattacks, and firms need to take precautions.  Essentially, this is no longer just a compliance issue, but an entire-firm issue, and executives need to take notice because the next time it happens your firm may not be so lucky.

On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At its core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee and enforce the program, train staff, and report hacking to the state. Any report of hacking must be made within 72 hours of the hack, where the hack has a reasonable likelihood of impacting firm operations.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving the firm and have email systems that block certain forms of information, like Social Security numbers.
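The outbound-email control mentioned above is usually implemented as a data loss prevention (DLP) rule. The following is an added illustration, not code from the article or from the New York DFS rules, of what such a rule has to do beyond a naive digit-pattern match: it applies the Social Security Administration's structural rules (area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid) to cut false positives, treats a bare nine-digit run as lower confidence than a separator-delimited one because account and reference numbers look the same, and masks all but the last four digits so the audit log does not itself leak the number. The message format, the block/review/allow decisions and the sample messages are assumptions constructed for the example.

```python
import re

# Candidate SSN: 3-2-4 digits with a consistent separator (hyphen, space or none),
# not embedded in a longer digit run (so a 10-digit phone number does not match).
SSN_CANDIDATE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Structural rules from the SSA numbering scheme: area 000, 666 and 900-999
    are never issued, and group 00 / serial 0000 are invalid. This screens out
    placeholders such as 000-12-3456 without any external lookup."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def find_ssns(text: str) -> list[tuple[str, str]]:
    """Return (match, confidence) pairs. A separator-delimited match is 'high';
    a bare 9-digit run is 'low' because order and reference numbers look identical."""
    hits = []
    for m in SSN_CANDIDATE.finditer(text):
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            continue
        hits.append((m.group(0), "high" if sep else "low"))
    return hits


def redact(text: str) -> str:
    """Mask all but the last four digits so the DLP audit record is not itself a leak."""
    def mask(m: re.Match) -> str:
        area, sep, group, serial = m.groups()
        if not is_plausible_ssn(area, group, serial):
            return m.group(0)
        return f"***{sep}**{sep}{serial}"
    return SSN_CANDIDATE.sub(mask, text)


def inspect_outbound(subject: str, body: str) -> dict:
    """Policy decision for one outbound message (decision names are assumed here):
    block  - at least one high-confidence SSN present
    review - only low-confidence (bare 9-digit) matches; hold for human review
    allow  - nothing found"""
    hits = find_ssns(subject) + find_ssns(body)
    if any(conf == "high" for _, conf in hits):
        decision = "block"
    elif hits:
        decision = "review"
    else:
        decision = "allow"
    return {"decision": decision, "hits": hits, "redacted_body": redact(body)}


# Constructed sample messages; none of these are real identifiers.
SAMPLES = [
    ("Account update", "Client SSN is 123-45-6789, please update the file."),
    ("Test record", "Placeholder 000-12-3456 should not trigger."),
    ("Wire ref", "Reference 123456789 attached; call 2125551234 with questions."),
    ("Lunch", "Meeting at 12:30 in the conference room."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        result = inspect_outbound(subject, body)
        print(f"{subject!r}: {result['decision']} -> {result['redacted_body']}")
```

The split between "block" and "review" is the practical point: a rule that blocks every nine-digit number will be disabled by the business within a week, while one that only catches hyphenated numbers misses the spreadsheet export. Real deployments also scan attachments and apply the same rule to other identifiers (account numbers, dates of birth) with their own validity checks.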

With this cost, however, will come added protection for consumers and, in turn, consumer confidence in their financial institutions. This program, the first of its kind, is unlikely to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection.   Are you doing enough now in the absence of regulation to protect consumer information?

A recent Investment News article highlighted a burgeoning market for financial advisors looking to protect their practices; namely, data breach insurance. Although such insurance seems like a great idea, you need to exercise due care when purchasing it.

According to the article, more and more firms are buying this insurance to supplement any gaps that may exist in regular D&O insurance. After all, the typical D&O insurance policy either does not cover or provides little coverage for the harm caused by a data breach.

Although this may make it seem as though data breach insurance is the easy answer, it may not be. For one, this insurance has historically been fairly expensive when compared to D&O insurance. In addition, data breach insurance often has many exclusions that can limit the coverage you purchase. So what should you look for in such insurance?

According to the article, you want a policy that covers as many of the following business expenses as possible:

  • Lost data restoration.
  • Repairing or replacing damaged software or hardware.
  • Hiring public relations firms to address reputational damage.
  • Compensating clients for credit monitoring services.
  • Forensic investigators to investigate the incident.
  • Civil lawsuits, regulatory fines and penalties.
  • Lost profits caused by fraudulent wire transfers.

This list runs the spectrum, but these are things you should consider before leaping into a cybersecurity insurance policy. Otherwise, you may not get what you pay for.

A broker-dealer recently agreed to pay a $650,000 fine after an OSJ’s cloud vendor failed to adequately protect customer information. Apparently, an outside hacker was able to gain access to non-public personal information about the firm’s customers.

This breach and resulting fine should certainly serve as a wake-up call to all firms, but, in particular, to smaller firms. Smaller firms are the ones most likely to use outside vendors to control costs, yet they are at greater risk.

If anything, this fine only reinforces the fact that firms are responsible for the vendors that they hire. A partner of mine taught me long ago that you can always delegate the task, but not the responsibility. The same holds true here.

It is perfectly fine to use a cloud vendor or some other third-party for your firm operations, but you must, at the same time, engage in heightened diligence. You must do more to protect yourself.

Although you cannot rid yourself of the responsibility to protect client information, you could assign the risk of loss to the other firm. In other words, the other firm would have to indemnify you for any fines if their system is breached.

At the same time, part of your due diligence when hiring a firm must include asking tough questions. For example: have you ever sustained a breach? And, if so, have you had another one since?

In short, go ahead and outsource, but make sure you know who you are using. Ask the hard questions, and protect yourself with negotiated terms in your contract.