Ransomware is an ever-increasing problem. To learn more about it and how to avoid its impact, check out this blog.
The SEC recently announced fraud charges and sought an emergency asset freeze against a pastor who was accused of exploiting church members, retirees, and laid-off autoworkers. Apparently, he misled these people by purportedly selling them on a successful real estate business.
The pastor cloaked his fraud in faith-based rhetoric, including references to the Bible and suggestions that he was praying for investors. As a result, his defrauded investors thought that he was more trustworthy than a banker, investing nearly $7 million in this scheme.
The message here is that fraud lurks everywhere and that affinity schemes are alive and well. Unfortunately, for those defrauded, they had access to public information that may have helped them avoid the fraud.
Neither the pastor nor his investment firm was registered with the SEC. A simple check on the SEC's investor website would have revealed no records for the pastor or his firm.
Undoubtedly, he would have still gotten some of those who checked, but look before you leap into an investment. Be wary of those who are focused on a particular group as a source of investing funds; it may be an affinity fraud.
The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.
According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging impact on the industry.
As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?
Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.
Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.
The SEC is prepared; are you?
The SEC recently charged four investment advisors who allegedly used free dinners to entice older clients to their firm. At these dinners, these individuals allegedly provided fraudulent marketing materials to the attendees and ultimately did not invest all of the money that they were given.
Granted, these four advisors may just be bad apples and not an indictment of the use of free lunches or dinners to attract new clients and money. However, if you do engage in these types of "seminars", this enforcement action should be a wake-up call.
The SEC and FINRA have made it very clear how they intend to approach marketing efforts directed at seniors. Both regulators will be taking a hard look at these types of seminars used to attract elder investors.
So, if you are going to offer a free meal, make sure that you are giving something of value to your prospects. Do everything on the up and up when offering these types of opportunities because your regulator is watching.
In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.
This unfortunate situation shows another side of data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.
If someone really wants to get around your system, that person will likely do so. So what to do?
One thing firms should consider is a logging system that records when an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when, and how often. The enforcement opinion was silent on any firm protocols in this regard.
Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor because it may have revealed unusual activity that the firm could have further explored.
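The kind of review the access log makes possible, as an added example that is not part of the original post or any firm's actual system: a short Python script reads a constructed access log (timestamp, associated person, client account, action), counts how many distinct client records each person touched per day, and flags anyone far above the firm-wide median or pulling records outside business hours. The log format, the business-hours window, and the 3x threshold are assumptions chosen for the example; a supervisor would tune them to the firm's normal activity.

```python
"""Access-log review for client records subject to Regulation S-P.

Constructed example, not from the original post. Each line records who
accessed which client record, when, and how. The review flags an associated
person whose daily access volume is far above the firm's normal level, or
who pulls records outside business hours, so a supervisor can follow up.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log: timestamp, user id, client account id, action.
# The last eight lines model one person bulk-exporting records late at night.
SAMPLE_LOG = """\
2016-03-01T09:12:44 rep_alice ACCT-1001 view
2016-03-01T09:40:10 rep_alice ACCT-1002 view
2016-03-01T10:05:31 rep_bob ACCT-2001 view
2016-03-01T14:22:03 rep_bob ACCT-2002 view
2016-03-01T15:01:55 rep_carol ACCT-3001 view
2016-03-02T08:55:12 rep_alice ACCT-1001 view
2016-03-02T11:30:40 rep_bob ACCT-2003 view
2016-03-02T16:10:02 rep_carol ACCT-3002 view
2016-03-02T22:41:17 rep_dave ACCT-4001 export
2016-03-02T22:42:03 rep_dave ACCT-4002 export
2016-03-02T22:42:50 rep_dave ACCT-4003 export
2016-03-02T22:43:31 rep_dave ACCT-4004 export
2016-03-02T22:44:09 rep_dave ACCT-4005 export
2016-03-02T22:44:58 rep_dave ACCT-4006 export
2016-03-02T22:45:40 rep_dave ACCT-4007 export
2016-03-02T22:46:22 rep_dave ACCT-4008 export
"""

BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local; an assumption for this example
VOLUME_MULTIPLIER = 3           # flag a user/day above 3x the median user/day count


def parse_log(text):
    """Parse the whitespace-separated log into dicts; skip blank or malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, account, action = parts
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "account": account,
            "action": action,
        })
    return records


def daily_counts(records):
    """Number of distinct client records each user touched on each day."""
    touched = defaultdict(set)
    for r in records:
        touched[(r["user"], r["ts"].date())].add(r["account"])
    return {key: len(accounts) for key, accounts in touched.items()}


def find_unusual_activity(records):
    """Return a list of (user, date, reason) findings for supervisor review."""
    findings = []
    counts = daily_counts(records)
    baseline = median(counts.values())
    for (user, day), n in sorted(counts.items()):
        if n > VOLUME_MULTIPLIER * baseline:
            findings.append((user, day, f"{n} distinct records in one day (median {baseline})"))
    # Off-hours access is reported once per user/day rather than once per line.
    seen = set()
    for r in records:
        if r["ts"].hour not in BUSINESS_HOURS:
            key = (r["user"], r["ts"].date())
            if key not in seen:
                seen.add(key)
                findings.append((r["user"], r["ts"].date(),
                                 f"off-hours {r['action']} at {r['ts']:%H:%M}"))
    return findings


if __name__ == "__main__":
    for user, day, reason in find_unusual_activity(parse_log(SAMPLE_LOG)):
        print(f"{day} {user}: {reason}")
```

Run against the constructed log, the script reports two findings, both for the same person on the same day: eight distinct records in one day against a median of one, and an off-hours export. Either one alone is a reason for a supervisor to ask questions, which is the whole point of keeping the log.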
The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a fulsome data security program.
As you may know, FINRA last April launched a senior helpline to address issues pertaining to senior investors. According to recent reports, FINRA received calls on many different issues, from how to read an account statement to fraud targeted at senior investors.
FINRA has reported that some of these calls resulted in follow-up calls from FINRA and ultimately referral to federal and state authorities. So what is the takeaway from the hotline?
For one, senior investors are actively seeking FINRA's assistance on issues from the mundane to the serious. With respect to those more serious issues, FINRA, in turn, is showing how seriously it takes them.
At a minimum, you should consider placing all accounts of anyone 65 years old and over on some form of heightened supervision. By doing so, you are in a better position to learn about issues before they become a problem and, worse yet, get reported to FINRA through the hotline.
From my perspective, one of the biggest issues you face will be suitability of investment recommendations to seniors. By having policies and procedures that demand your attention to this issue (such as heightened supervision), you may avoid liability and regulatory issues in the future. Many issues can be avoided by simply improving the lines of communication with your senior clients.
Do nothing, and you have already set your boat down a rough course.
The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC's focus were:
- Have a strong password, keep it secure and change it often.
- Use a two-step verification process if the firm offers it.
- Use different passwords for different on-line accounts.
- Avoid using public computers to access on-line accounts.
- Cautiously use wireless access to on-line accounts.
- Check and double check any links that are sent to you via email purporting to come from your advisory firm.
- Secure your mobile devices.
- Regularly check your account statements and confirmations for unusual activity.
In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.
Similarly, you should consider providing similar guidance as an investor alert or the like to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.
Although the prospects of suffering a data breach may be ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.
In a recent blog post, I noted that the SEC is undertaking another cybersecurity exam priority. If that was not enough to get your attention about your own cybersecurity program, you need not look any further.
The SEC just sanctioned a registered investment advisor for failing to adopt proper cybersecurity policies and procedures prior to sustaining a data breach. In doing so, the SEC fined (and censured) the firm $75,000.00; it sustained a breach in which the records of approximately 100,000 individuals were compromised.
Although the firm took proper steps after it realized it had sustained the breach, the firm failed in its pre-breach conduct. Specifically, the SEC concluded that the firm failed to adopt written policies and procedures reasonably designed to safeguard customer information. Among other things, the firm:
- Failed to conduct periodic risk assessments.
- Failed to implement a firewall.
- Failed to encrypt PII on its server.
- Failed to maintain a response plan for cybersecurity.
Fortunately for the firm, there was no indication of any client suffering financial harm as a result of the breach. Had there been customer harm, I suspect that the penalty and censure would have been greater.
This case, together with the SEC exam priority and a recent investor alert, should serve as a lesson to everyone. The SEC is focused on and has acted upon data security issues. Ask yourself: do we have proper plans and procedures to prevent and address any data breaches? If the answer is no, you need to act fast or suffer the repercussions surrounding a data breach.
It is bad enough that firms and publicly traded companies have to make sure that their respective IT architecture is safe and secure, but recent developments demonstrate that you also have to be wary regarding the media outlet with whom you share material, non-public information.
The SEC and the DOJ, in a joint effort, have brought civil and criminal proceedings against individuals who were part of an international scheme that hacked the systems of certain media outlets to steal, and then trade on, material non-public information.
Unfortunately, these events only further demonstrate that, no matter how good your security system may be, you are ultimately at risk of a cyber-attack that may be perpetrated on one of your vendors, or a media outlet. As to the latter, it would seem as though the only foolproof protection is not to provide media outlets with this information.
I doubt that any media outlet would give you any sort of assurances going forward that their systems are not exposed to such a strike. Nevertheless, if you are sharing this information before a public announcement, do your homework.
Ask about the media outlet’s data security program. Explore whether and how frequently the outlet tests its systems against unwanted intrusions. Ask whether they have ever been subject to an attack.
Only after you have reasonable comfort should you share such information. Otherwise, just save it for your public announcement or submission with the SEC.