The SEC recently issued an investor bulletin regarding one of our favorite topics: data security of customer accounts. The primary areas of the SEC’s focus were:

  1. Have a strong password, keep it secure and change it often.
  2. Use a two-step verification process if the firm offers it.
  3. Use different passwords for different on-line accounts.
  4. Avoid using public computers to access on-line accounts.
  5. Cautiously use wireless access to on-line accounts.
  6. Check and double check any links that are sent to you via email purporting to come from your advisory firm.
  7. Secure your mobile devices.
  8. Regularly check your account statements and confirmations for unusual activity.

In my view, the above guidance offers you opportunities with your clients. For example, you should offer a two-step verification process for on-line account access. By doing so, you are telling your clients that you value their business and the protection of their confidential information.

Similarly, you should consider providing similar guidance as an investor alert or the like to all of your clients who have on-line access. First, this gives you another opportunity to be in front of your clients. Second, it demonstrates that your firm takes the issue of data security very seriously.

Although the prospects of suffering a data breach may be ominous, you can do something to educate your clients so that they do not become unwitting targets. Providing this type of client service can only strengthen your client relationships. There is no time like the present to take this affirmative step. Make yourself a valued resource for your clients.

The recent Putnam Social Advisor Study reported on in the Investment News should tell you all you need to know; 79% of advisors responding to the study gained new clients from social media.

While social media is a great avenue to expose yourself to a new audience, it must be used in a purposeful manner. Merely putting yourself out there so to speak, will do little more than give you carpal tunnel and calculator

So how should you use social media? Here are a few useful points from the study to keep in mind:

  1. Post original content as a way to build credibility and your presence.
  2. Use catchy titles to attract your target audience.
  3. Suggest that your readers share your postings with family and friends.
  4. Engage in some self-promotion; i.e., provide a link to your social media page in your electronic signature.
  5. Engage journalists; mention them in your pieces and they may mention you in the future.
  6. Tell your readers something about yourself unrelated to being a financial advisor.
  7. Make sure you have mobile apps so that you can access social media wherever you may be.

The key to making social media work for you is trial and error. It may take some time to make connections and build your credibility. If you opt instead to use the tired hard copy newsletter to reach your target audience, you are sure to miss out on what 79% of your colleagues have already learned; social media properly used is the key to building a practice.

Since Al Gore invented the internet, we have had an unprecedented amount of information and data right at our fingertips.  However, given the immeasurable quantity of this information, it has always been a challenge to quickly and efficiently gather intel and perform research on the internet, especially in the context of a securities practice.  While search engines like Google and Yahoo have helped, they do not always provide the up-to-the-second results that are demanded in the securities world.

To describe the securities industry as “fast paced” is a gross understatement.  In a world where high frequency trading has become acceptable and securities respond almost instantaneously to breaking news, it is critical to have up-to-the-second access to news, information, and search results.  For the most part, news sites and search engines fail in this regard.  However, there is one online tool, which is often overlooked, that does provide moment-by-moment news and information:  Twitter.

For those who have never accessed Twitter before, you may just think of it as another social media tool, like Facebook or LinkedIn.  However, unlike those sites, Twitter provides its users access to ALL of the information that is being posted on its site in an up-to-the-second streaming and searchable fashion.  When news breaks, users tweet about it.  They share information, data, links, photos, and even on-the-ground details about what is happening.

No other forum on the internet exists with so many sources of information (236 million users and counting) and provides short, concise, and instantaneous updates about anything you are interested in knowing about.  Importantly, Twitter has been adopted almost universally by reporters and news outlets, which will often tweet out breaking news before it even hits their own websites.  However, it is often the average Joe, who may just be in the right place at the right time, who is the first to share the news on some major happening; and if he or she is on Twitter, that is where the news will break.

So if you are not already familiar with the streaming news and search functions of Twitter, you should get familiar with it.  Whether you are in the securities industry or catering to its demands, you need information as fast as you can get it.  In today’s internet, the best place for that is Twitter, and there is no rival.

A recent Investment News article highlighted the pervasive problem associated with cyberattacks and offered some guidance in the event of an attack. Before visiting that guidance, understand how pervasive these attacks are.

The SEC recently conducted a sweep on cyberattacks. This sweep revealed that 88% of broker-dealers and 74% of advisors have experienced some form of cyberattack, either directly or indirectly through a vendor. These statistics suggest that it is a matter of when, not if, you will sustain some form of cyberattack.

Accepting this reality, the SEC has urged firms to be proactive and develop and deploy cybersecurity plans that address what should be done in the event of a breach. The SEC has found that most broker-dealers and advisors have such plans, which include periodic system assessments, encryption and proper backup.

So what do you do in the event of an attack? Some action steps include the following:

  1. Each adviser should change all of his/her passwords.
  2. Fully investigate what happened across systems and seek proper assistance (which should include determining what your state law is on cybersecurity breaches) before contacting the impacted parties. We have an app known as Data Breach 411 that can help you determine the state law where you are located.
  3. Notify those impacted, including what you are doing to ensure that it does not happen again.

We are living in a challenging world when it comes to cyber-crime. Make sure your systems are up to date and as secure as possible. Have a cybersecurity plan. In the event you are a victim, deploy your plan of action to minimize the impact.

The SEC and FINRA have continued to designate cybersecurity as an exam priority.  Both the SEC and FINRA have also recently published the findings of their exam sweeps.  As reported by the Investment News, the results of those sweeps when it comes to cybersecurity are telling.

The sweeps show that firms, much like with compliance, are not setting, but must set, the tone at the top when it comes to data security.  In order to have a successful cybersecurity program, data security has to be a firm-wide concern, not just a creature of the IT department.

Of additional interest are the differences between brokers and investment advisors.  Although the majority of all firms have written policies on cybersecurity, more brokers than investment advisors audit those policies to determine firm compliance, which raises a fundamental issue.  A policy is only as good as those who stand behind it and ensure compliance with it.

Firms should expect little sympathy from their regulators if they think that only having a written policy on cybersecurity is enough.  Undoubtedly, the SEC and FINRA will want to know what you have done to ensure compliance with those policies.

So what should firms do to avoid this impending wrath?  First, make sure you have robust written policies that address cybersecurity from a firm-wide standpoint.  Second, deploy the resources necessary to ensure that you are executing on those policies.

Although no data security program is perfect, make sure you have one and enforce it.  Protect your clients.  Protect your firm.  And avoid regulatory sanctions in the process.


FINRA recently sanctioned a registered representative for tweets made some time ago.  The offending tweets referenced a stock that he did not disclose that he owned and were otherwise biased and not backed up by facts.

The registered representative was fined $15,000 and given a ten-day suspension.  In the larger scheme of things, a relative slap on the wrist.  What was more interesting was the age of the tweets.

The first offending tweets dated back to 2009.  The most recent offending tweets were from 2011.   So what does this mean for those of you who like to use social media to get the word out? 

For one, it certainly appears as though FINRA is taking a long look at tweets to determine if any are offensive.  If you tweeted a few years ago, you may still be subject to FINRA review. 

For those of you who want to tweet, make sure you look at your firm's WSPs on the use of social media.  Typically, static content (like LinkedIn) would have to be preapproved as an advertisement by the member firm.  Interactive media (like Twitter) generally will not require pre-approval, but it will be required to be maintained by the firm for review and supervision.

Social media is great, but use your head.  Check firm policies and be smart.  Believe it or not, the “if it feels wrong it is wrong” test does work.  Don’t tout stocks on Twitter and, if you do, disclose if you own it.  FINRA is serious about social media abuse.


As firm clients demand more and more access to their registered representatives, member firms must do more to make sure that their brokers do not run afoul of the firm communication written supervisory procedures.  One firm recently failed that test, resulting in a FINRA fine and censure. 

In that matter, FINRA found that the member firm allowed representatives to use personal email for firm business, including client communication.  Making that matter worse, the firm was aware of the practice and allowed storage of email communications on personal computers, exposing those emails to alteration and deletion.

The first question you should have is where compliance and supervision regarding the pre-approval of client communications were.  The firm did have WSPs requiring pre-approval of client communications, but lacked access to the personal computers to perform this supervisory task.  FINRA took issue with this type of supervision; more like the lack of supervision.

This case is the perfect example of the question: why have WSPs if the firm is not going to enforce them?  Client communications represent a hotbed of issues for large to small firms.  Allowing representatives to use personal email for client communications is not one of the better decisions a firm can make.

The key to supervision is to be able to supervise.  This firm, by allowing the use of personal email accounts without meaningful supervision, set itself up for failure and sanction. 

Some may say this firm was lucky because there was no client harm.  I recently tried a case where the representative used a personal email account and made some statements that could be considered admissions.  Since the representative ignored firm policy, she and the firm were exposed to liability.

When it comes to client communications, you need a robust email review policy.  By having such a program, you may be able to uncover the more problematic issue of unauthorized use of personal email accounts.  Either way, firms need to really focus on client communications to avoid FINRA enforcement and civil liability.

The SEC recently issued two interpretations that address your use of interactive social media, like Twitter, in accordance with the securities laws.   These interpretations permit your firm to now use a hyperlink to satisfy the legend requirements and, at the same time, limit your responsibility where your communications are retransmitted, like a retweet. 

The major aspect of these interpretations regards the use of otherwise lengthy legends that disclose, among other things, a disclaimer or warning to a customer that can be lengthy at times.  With the limitations on the number of characters you can use in say Twitter or LinkedIn, firms were essentially foreclosed from posting anything that required a legend; not any more.

Under certain conditions, the SEC has opened the door for firms to use a hyperlink to the otherwise lengthy legends.  The most important condition is that the social media in question has a limitation on the number of characters that can be posted. 

Having now allowed firms to post under this condition, what happens if a third party, over whom the firm has no control, reposts the firm post and omits the legend from the repost?  The SEC has stated that the retransmission of the firm post, as long as the firm was not involved with it, will not be attributed to the original posting firm.

In these interpretations, the SEC has finally acknowledged the viability of social media to a firm.  So, feel free to Tweet or post to LinkedIn, but make sure that you have a legend hyperlink.

The SEC announced that it will not pursue an enforcement action against a company CEO for violating Regulation FD when he announced certain information on his personal Facebook page.  The SEC noted that neither the CEO nor the company had previously used the Facebook page to announce company information, nor had they informed shareholders that the Facebook page would be used to disclose information about the company.

The SEC issued a report of investigation acknowledging that there was market uncertainty about the application of Regulation FD to social media and outlined its expectation that issuers will rigorously analyze whether a chosen channel of distribution is recognized by their investors.  See Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: Netflix, Inc., and Reed Hastings, Release No. 34-69279, reported at ¶80,253.

Regulation FD prohibits public companies or persons acting on their behalf from selectively disclosing material, nonpublic information to certain securities professionals or shareholders where it is reasonably foreseeable that they will trade on the information before it is made available to the general public.  For purposes of Regulation FD, a company makes public disclosure when it distributes information through a recognized channel for distribution.  The SEC cautioned issuers that a deviation from their usual practice for making public disclosure may influence its view on whether a chosen method in a particular case was reasonable.  The SEC also suggested that the disclosure of material, non-public information on a personal media site of an individual corporate officer without advance notice to investors would be unlikely to qualify as an appropriate method for disclosing information to the public.

As such, executives must be wary and avoid such announcements.

The Financial Industry Regulatory Authority announced that it sent targeted examination letters asking broker-dealer members about their social media use.  See

In the letter, FINRA warned that each member firm’s written and electronic communications are subject to periodic spot checks.  Among other questions, FINRA asked the member firms to explain their use of social media, the social media platforms used to post their communications, and the identity of each individual who posts or updates content on the sites.

FINRA also requested information about the firms’ written supervisory procedures in effect from earlier this year regarding social media communications, and the measures taken to monitor compliance with the policies.  Targeted exam letters, also known as “sweep” letters, help FINRA and the United States Securities and Exchange Commission gather data that subsequently will be used to focus their exams and investigations.  FINRA is looking for ways to clarify regulations that touch on social media.

In sum, FINRA will likely issue new guidance soon.