The SEC recently created a new position associated with cybersecurity: senior adviser to the chair for cybersecurity (Christopher R. Hetner). Mr. Hetner has an extensive background in information technology and, in particular, cybersecurity.
According to the SEC, Mr. Hetner will be responsible for (i) coordinating cybersecurity efforts across the SEC; (ii) engaging with external stakeholders; and (iii) enhancing SEC mechanisms for assessing broad-based market risk. This appointment could have a wide-ranging impact on the industry.
As we know, the SEC has made cybersecurity an exam priority over the last few years. The SEC is also actively conducting cybersecurity investigations and undertaking enforcement actions where appropriate. According to Chairperson White, the SEC is looking to bolster its risk-based approach. So what does this mean on a day-to-day basis?
Understand that the SEC has just upped the stakes. By retaining an industry expert who is solely focused on data-security-related issues, the industry must be prepared for the SEC and FINRA to come after firms regardless of whether the firm sustains a breach or clients suffer harm as a result. Firms with weak or no data-security programs will surely be targeted.
Are you prepared to handle this even more focused mission of the SEC? If not, you need to more fully review your systems and procedures, both internally and externally facing. Are you testing your systems and procedures on a regular basis? If not, you had better start.
The SEC is prepared; are you?
The SEC recently charged four investment advisors who allegedly used free dinners to entice older clients to their firm. At these dinners, these individuals allegedly provided fraudulent marketing materials to the attendees and ultimately did not invest all of the money that they were given.
Granted, these four advisors may just be bad apples, and this case is not an indictment of the use of free lunches or dinners to attract new clients and money. However, if you do engage in these types of “seminars”, this enforcement action should be a wake-up call.
The SEC and FINRA have made it very clear how they intend to approach marketing efforts directed at seniors. Both regulators will be taking a hard look at these types of seminars used to attract elder investors.
So, if you are going to offer a free meal, make sure that you are giving something of value to your prospects. Do everything on the up and up when offering these types of opportunities because your regulator is watching.
In a recent SEC enforcement action, a registered representative was suspended for 6 months and fined $75,000 for, among other things, forwarding confidential client information from his personal email to a former registered representative who maintained the initial client relationships. The representative also used his personal email to conduct firm business. In some instances, he emailed customer information from his work email to his personal email.
This unfortunate situation shows another side of data security risks that firms must address: the rogue representative who is handling client information in violation of Regulation S-P. In some ways, this type of data breach can be even more difficult to prevent than an external threat.
If someone really wants to get around your system, that person will likely do so. So what to do?
One thing firms should consider is a logging system that records each time an associated person accesses client information subject to Regulation S-P. This way, firm supervisors can monitor who is gaining access to what information, when and how often. The enforcement opinion was silent on any firm protocols in this regard.
Although this type of access-logging system may not have prevented what happened, it could have put the odds in the firm's favor because it may have revealed unusual activity that the firm could have further explored.
The lesson to be learned is that data security is not just an external threat. There are internal risks that must be accounted for in order to have a comprehensive data security program.
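One way to act on such a log, as an added example that is not from the original post: a review routine over a constructed, simplified access log (format, firm mail domain, threshold and window are all assumptions) that surfaces the two kinds of unusual activity described here, bulk viewing of client records and client records sent to an address outside the firm.

```python
# Added example (not from the original post): reviews a constructed Regulation S-P
# access log, assumed format "<ISO timestamp> <user> <VIEW|EMAIL> <client_id> <detail>",
# for bulk viewing of client records and for records e-mailed outside the firm domain.
from datetime import datetime, timedelta
FIRM_DOMAIN = "examplefirm.com"   # assumed firm mail domain
WINDOW = timedelta(hours=1)       # sliding window for the bulk-access check
MAX_DISTINCT_CLIENTS = 3          # assumed threshold; tune to the firm's size

# Constructed sample log lines, not real data.
SAMPLE_LOG = """\
2016-03-01T09:02:11 rep_a VIEW C1001 crm
2016-03-01T18:40:01 rep_b VIEW C2002 crm
2016-03-01T18:41:15 rep_b VIEW C2003 crm
2016-03-01T18:42:03 rep_b VIEW C2004 crm
2016-03-01T18:43:27 rep_b VIEW C2005 crm
2016-03-01T18:46:09 rep_b EMAIL C2005 to=rep_b@personalmail.example
2016-03-02T10:00:00 rep_a EMAIL C1001 to=ops@examplefirm.com
"""

def parse(log_text):
    """Split each line into (timestamp, user, action, client_id, detail)."""
    rows = (line.split(" ", 4) for line in log_text.splitlines())
    return [(datetime.fromisoformat(ts), u, a, c, d) for ts, u, a, c, d in rows]

def find_bulk_access(events, window=WINDOW, limit=MAX_DISTINCT_CLIENTS):
    """Map user -> peak number of distinct clients viewed inside one window, if over limit."""
    per_user = {}
    for ts, user, action, client, _ in events:
        if action == "VIEW":
            per_user.setdefault(user, []).append((ts, client))
    flagged = {}
    for user, views in per_user.items():
        views.sort()  # log lines may not arrive in time order
        start = 0
        for end in range(len(views)):
            while views[end][0] - views[start][0] > window:
                start += 1
            distinct = len({c for _, c in views[start:end + 1]})
            if distinct > limit:
                flagged[user] = max(flagged.get(user, 0), distinct)
    return flagged

def find_external_sends(events, firm_domain=FIRM_DOMAIN):
    """List (user, client_id, recipient) for EMAIL events leaving the firm's domain."""
    hits = []
    for _, user, action, client, detail in events:
        if action == "EMAIL":
            recipient = detail[3:] if detail.startswith("to=") else detail
            if not recipient.lower().endswith("@" + firm_domain):
                hits.append((user, client, recipient))
    return hits
```

On the sample log, `rep_b` is flagged for viewing four distinct client records within the hour and for e-mailing one of them to a personal address, while `rep_a`'s internal e-mail is not flagged.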
As you may know, FINRA, last April, launched a senior helpline to address issues pertaining to senior investors. According to recent reports, FINRA received calls on many different issues, ranging from how to read an account statement to fraud targeted at senior investors.
FINRA has reported that some of these calls resulted in follow-up calls from FINRA and ultimate referral to federal and state authorities. So what is the takeaway from the hotline?
For one, senior investors are actively seeking FINRA’s assistance on issues from the mundane to the serious. With respect to those more serious issues, FINRA, in turn, is showing how seriously it takes them.
At a minimum, you should consider placing all accounts of anyone 65 years old and over on some form of heightened supervision. By doing so, you are in a better position to learn about issues before they become a problem and, worse yet, get reported to FINRA through the hotline.
From my perspective, one of the biggest issues you face will be suitability of investment recommendations to seniors. By having policies and procedures that demand your attention to this issue (such as heightened supervision), you may avoid liability and regulatory issues in the future. Many issues can be avoided by simply improving the lines of communication with your senior clients.
Do nothing, and you have already set your boat down a rough course.
The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC’s focus were:
- Have a strong password, keep it secure and change it often.
- Use a two-step verification process if the firm offers it.
- Use different passwords for different on-line accounts.
- Avoid using public computers to access on-line accounts.
- Cautiously use wireless access to on-line accounts.
- Check and double check any links that are sent to you via email purporting to come from your advisory firm.
- Secure your mobile devices.
- Regularly check your account statements and confirmations for unusual activity.
In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.
Similarly, you should consider providing similar guidance as an investor alert or the like to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.
Although the prospects of suffering a data breach may be ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.
In a recent blog post, I noted that the SEC is undertaking another cybersecurity exam priority. If that was not enough to get your attention about your own cybersecurity program, you need not look any further.
The SEC just sanctioned a registered investment advisor for failing to adopt proper cybersecurity policies and procedures prior to sustaining a data breach. In doing so, the SEC censured the firm and fined it $75,000.00; the firm sustained a breach in which the records of approximately 100,000 individuals were compromised.
Although the firm took proper steps after it realized it sustained the breach, the firm failed in its pre-breach conduct. Specifically, the SEC concluded that the firm failed to entirely adopt written policies and procedures reasonably designed to safeguard customer information. Among other things, the firm:
- Failed to conduct periodic risk assessments.
- Failed to implement a firewall.
- Failed to encrypt PII on its server.
- Failed to maintain a response plan for cybersecurity.
Fortunately for the firm, there was no indication of any client suffering financial harm as a result of the breach. Had there been customer harm, I suspect that the penalty and censure would have been greater.
This case, together with the SEC exam priority and a recent investor alert, should serve as a lesson to everyone. The SEC is focused on data security issues and has acted upon them. Ask yourself: do we have proper plans and procedures to prevent and address any data breaches? If the answer is no, you need to act fast or suffer the repercussions surrounding a data breach.
It is bad enough that firms and publicly traded companies have to make sure that their respective IT architecture is safe and secure, but recent developments demonstrate that you have to be wary regarding the media outlet with whom you share material, non-public information.
The SEC and the DOJ, in a joint effort, have brought civil and criminal proceedings against individuals who were part of an international scheme that hacked the systems of certain media outlets to steal and then trade on material non-public information.
Unfortunately, these events only further demonstrate that, no matter how good your security system may be, you are ultimately at risk of a cyber-attack that may be perpetrated on one of your vendors, or a media outlet. As to the latter, it would seem as though the only foolproof protection is not to provide media outlets with this information.
I doubt that any media outlet would give you any sort of assurances going forward that their systems are not exposed to such a strike. Nevertheless, if you are sharing this information before a public announcement, do your homework.
Ask about the media outlet’s data security program. Explore whether and how frequently the outlet tests its systems against unwanted intrusions. Ask whether they have ever been subject to an attack.
Only after you have reasonable comfort should you share such information. Otherwise, just save it for your public announcement or submission with the SEC.
Two years ago, the United States Supreme Court stated in an opinion that the five-year statute of limitations for the SEC to seek civil monetary sanctions began from the date of the fraudulent act, as opposed to when the SEC discovered the fraudulent act. In doing so, the Court rejected the discovery rule.
The discovery rule extends the statute of limitations because it provides that the statute does not begin to run until the party bringing the claim discovers the wrongdoing. For example, if the fraud happened 10 years ago, but was discovered yesterday, the SEC would have had five years from yesterday to bring a claim against the fraudster. Applying the Supreme Court’s rule noted above, the SEC would be out of luck to bring a claim for civil penalties.
This week, Senator Reed of Rhode Island introduced a bill that would extend the SEC’s statute of limitations from five to 10 years. Applying this new limitations period, the above-referenced scenario would fall within the time in which the SEC could act.
The logic behind extending the limitations period can be seen as a way to offset the impact of the Court’s decision and the absence of the discovery rule. In other words, it extends greater protection to investors who are the victims of a fraud.
Under the new proposed limitations period, the SEC would have twice as long to uncover a fraud and seek civil monetary penalties. The moral of the story: if you are committing securities fraud, be prepared for the SEC to have more time to come after you. Better yet: don’t engage in fraud.
A recent article in Onwallstreet.com highlighted certain areas of focus for investment advisors/broker-dealers when it comes to addressing cyber-threats. The article focused on four areas of particular significance.
First, a firm must have a robust risk assessment approach to cyber-security. After all, a firm cannot develop and deploy cybersecurity policies and procedures unless and until the firm identifies its risks.
Just as important, the risk assessment cannot be a one-and-done project. Best practices dictate that firms continually conduct risk assessments to identify new risks. The hackers are changing their tactics, so you may have to as well.
Second, once you develop and deploy policies and procedures, you should create and test incident response plans. Otherwise, how will you know these policies and procedures work when confronted with an actual data breach?
Third, if you use vendors, perform due diligence on them on an ongoing basis to assess their cyber-security risks. For example, if you outsource email retention, you will want to know how that vendor is going to protect its email storage databases from an unwanted intrusion. Equally important, you want to revisit what the vendor is doing for cyber-security on a regular basis.
Fourth, train and retrain your staff so that they avoid inadvertently exposing the company to malware. Among other things, you should consider a policy for staff to follow before they download anything from an external email or web site.
These are just a few suggestions for this ever increasing focus for both firms and their regulators. Avoid being a victim; assess risk, develop plan/procedures, test the plan/procedures, and educate your staff.