Way back in 2017, the SEC obtained an emergency asset freeze against an internet-based ICO involving certain Canadian residents, who had raised over $15 million on a variety of social media sites through an alleged fraudulent scheme. http://www.sec.gov/litigation/complaints/2017/comp-pr2017-219.pdf.

At the time, it made major news and helped launch the SEC’s Cybersecurity Unit.  Of course, there have been many other actions since that time, but this action demonstrates that, with technology, it is impossible to ignore the potential for cross-border fraud.  Essentially, do you know who you are dealing with on the other screen?  Is it someone in Canada, Lithuania, Malta, Spain, Thailand, Hong Kong or China, among many others?  No one can ever be certain, and this leads to the tremendous risk of hacking or potential for fraud demonstrated by this SEC filing.

In sum, cryptocurrencies and ICOs are not going away, but we must be reminded to be ever vigilant, since you may never know who your trading partner is or where they may be, whether on the other side of your floor or the other side of the world.


FINRA has published cybersecurity guidance for all its member firms.  See https://www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf.

In particular, FINRA is indicating that it wants its member firms to bolster their cybersecurity regimes, and limit both internal and external threats.  The FINRA report also provides a number of resources for firms in applying this guidance.

Please make no mistake about this report.  FINRA is not doing it out of the “goodness of its heart”; instead, member firms should assume FINRA will use this report to bludgeon member firms that have cybersecurity issues in the future.  That is, member firms should work with counsel to ensure that they have the appropriate cybersecurity policies and procedures in place before FINRA “comes a knockin!”

Not one for making people feel at ease, the SEC’s Division of Investment Management has indicated that it is not comfortable with investment companies investing in cryptocurrencies and similar products.

In a letter sent to industry groups, the SEC’s IM Director indicated that the Staff had numerous concerns over funds investing in these instruments.  The concerns boiled down to 5 categories: valuation, liquidity, custody, arbitrage, and potential manipulation and other risks.

The SEC Staff is concerned that funds will not be able to properly value the crypto-assets in question, or reduce them to cash if necessary.  Further, the SEC Staff had serious questions concerning whether a fund custodian would be able to properly validate the very existence and location of the assets, as well as ensure that there would be no arbitrage opportunities for insiders that could harm investors.  Similarly, the SEC Staff was also concerned about the potential for volatility in the cryptocurrency market, as recently witnessed in South Korea.

Additionally, the SEC Staff raised concerns that the cryptocurrency markets lack regulation, and could be subject to market manipulation and potential fraud.  These investments also potentially lend themselves to cybersecurity issues such as hacking and the lack of safeguards to protect against these intrusions.  The SEC Staff also suggested that funds would not be able to provide sufficient risk disclosures and transparency in their prospectuses to cover their requirements, and, thus, the funds would lack the appropriate risk disclosures to their shareholders.  Finally, the SEC Staff was concerned that there would not be appropriate suitability determinations by those who market and sell these funds (broker-dealers and registered investment advisers) that would satisfy their suitability and fiduciary obligations when recommending cryptocurrency investments to the public.

In sum, this may be the millionth (note: exaggeration) time this year the SEC has made it known that it does not like cryptocurrency investments.  Clearly, the SEC is trying to send a message; therefore, those interested in cryptocurrency markets should beware.

FINRA recently issued a report regarding its examination findings. FINRA issued this report so that firms can gain insight from the work of FINRA’s examination of other firms.

Among FINRA’s findings are the following areas that need additional attention:

  1. Cybersecurity, including access management, risk assessments, vendor management, branch office security, segregation of internal duties and data loss prevention.
  2. Outside business activities and private securities transactions, including failure to provide notice to firms, notice reviews and post private securities transaction approval conduct.
  3. Anti-money laundering compliance programs, including maintaining adequate policies and procedures for suspicious activities, responsibility for AML monitoring, exclusions from data feeds used for AML monitoring, resources for AML monitoring and independent testing for AML monitoring.
  4. Product suitability, including unit investment trusts, multi-share class and complex products and training.
  5. Best execution.
  6. Market access controls, including establishing pre-trade financial thresholds, implementing and monitoring aggregate financial exposures, tailoring erroneous or duplicative order controls, implementing effective fixed income financial controls, reliance on vendors for fixed income financial controls, and effective testing for fixed income financial controls.

This list and the items in it should provide other firms with the benefit of hindsight. Review the report and then self-critique your firm. Do you have any of these issues? If so, implement modifications and adjustments to address them.


Over the last several months, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) has been conducting a “sweep examination” of over 70 broker-dealers and investment advisers to assess their cybersecurity policies and procedures.  https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf.  In particular, OCIE looked at their preparedness regarding governance and risk assessment; access rights and controls; data loss prevention; vendor management; training; and incident response.

For the most part, OCIE found policies and procedures in place, and these firms did, in fact, conduct penetration tests and vulnerability scans; used a system to prevent data loss; installed software patches; adopted response plans; and conducted vendor risk assessments.  However, not all the news was good.  OCIE believes that these firms should better tailor their policies and procedures; conduct enhanced employee training; replace outdated systems; and make sure that known vulnerabilities are addressed in a timely fashion.  OCIE also informed these firms that it will continue to be vigilant in the cybersecurity sphere in both its examinations and testing.

In sum, with the exception of tweets from the White House, no area is getting more attention from the public and the government than cybersecurity precautions and detection.  It is critical that senior management and compliance at broker-dealers and investment advisers take this threat seriously or there could be serious repercussions if their business is attacked.

The recent cyberattacks across the globe have caused the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) to issue an alert and highlight certain best practices for firms to handle these ransomware attacks.

The OCIE staff based this guidance on its review of various firms, concluding that these firms should perform a cyber-risk assessment; conduct penetration and vulnerability tests; and ensure software maintenance such as updates and software patches if applicable.  The OCIE staff found that many firms had deficiencies.  Further, according to the OCIE staff, firms should develop contingency plans in the event a cyberattack were to be successful.

Finally, the securities industry is not immune from these cyberattacks, and firms need to take precautions.  Essentially, this is no longer just a compliance issue, but an entire-firm issue, and executives need to take notice, because the next time it happens your firm may not be so lucky.

On March 1, New York will go live with cybersecurity rules for financial service providers such as banks, insurance companies and others subject to the Department of Financial Services’ jurisdiction. At its core, the rules require these entities to have cybersecurity programs directed to consumer protection.

New York firms must now have written policies and procedures, as well as a designated chief information security officer to oversee and enforce the program, train staff, and report hacking to the state. Any hack that has a reasonable likelihood of impacting firm operations must be reported within 72 hours of the hack.

This program will necessarily create new costs for these companies. Specifically, there is a cost in finding an adequately trained and certified individual to serve in the role of chief information security officer. Additional costs will arise from the mandate that firms monitor all data leaving the firm and have email systems that block certain forms of information, like Social Security numbers.

With this cost, however, will come added protection for consumers and, in turn, consumer confidence in their financial institutions. This one-of-a-kind program is unlikely to be the only one in the coming years.

More and more states will implement such data security protocols for the purpose of consumer protection. Are you doing enough now, in the absence of regulation, to protect consumer information?