FINRA has issued a report on cybersecurity best practices to assist firms in the development of their cybersecurity programs. FINRA notes that it continues to see “problematic cybersecurity practices” during examinations and that firms identify cybersecurity as a “primary operational risk.” The report focuses on strengthening cybersecurity controls in branch offices, ways to limit phishing attacks, how to mitigate insider threats, the elements of an effective penetration testing program, and adequate controls for mobile devices. The report also includes an appendix that lists core cybersecurity controls for small firms including patch maintenance, access management, vulnerability scanning, and email protection.
The 19-page report does a good job describing every cybersecurity nightmare scenario, which may be instructive for those C-suite executives still in denial. The best part of the report is the small firm appendix that focuses on key issues.
The SEC has issued an investigative report that advises public companies to enhance internal accounting controls to prevent losses from cyber-related frauds. The SEC report describes frauds at 9 issuers that involved spoofing emails and false vendor invoices that resulted in significant losses when internal employees transferred funds to the wrongdoers. One of the companies made 14 wire payments, resulting in a loss of over $45 Million. Another paid 8 invoices totaling $1.5 Million. Although the SEC did not bring enforcement actions against these registrants, the SEC alleges that the companies violated their obligations to implement internal accounting controls sufficient to ensure transactions are only permitted with management’s authorization. In particular, the SEC advises companies to review and enhance their payment authorization and verification procedures and employee training. SEC Chairman Jay Clayton warned: “Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies.”
OUR TAKE: You’ve been warned. The SEC gave these 9 companies a pass, but we don’t expect the same treatment for future violators who should now take action to prevent spoofing and email cyber-frauds.
A large BD/IA agreed to pay a $1 Million fine and retain an independent compliance consultant as a result of a third-party intrusion into its customer system. Outside hackers impersonated independent consultant registered representatives and tricked internal IT personnel into changing passwords over the phone. Although there was no unauthorized transfer of funds, the impersonators were able to access personally identifiable information of over 5000 customers. The SEC charges the firm with violating the Safeguards Rule and with failing to implement an effective Identity Theft Prevention Program. The SEC faults the firm for allowing outside contractors to use their own equipment, which often had security and encryption problems, and for failures to follow remote session termination procedures.
OUR TAKE: This is the nightmare scenario for retail BD/IAs. The desire to make life easier for the producing reps creates IT vulnerabilities exploited by bad actors. Our recommendation is to retain an outside firm that can conduct an honest vulnerability assessment.
OUR TAKE: When it comes to cybersecurity incidents, time is not on your side. Because of the potential harm to clients and investors, it is better to provide immediate disclosure that will be followed up with additional information rather than waiting and thereby compounding the potential harm. Hacked firms must move quickly to investigate, assess, and remediate the harm to minimize damages.
OUR TAKE: The state regulators have taken a primary role in enforcing data protection safeguards. Make sure your compliance procedures have the necessary policies and procedures that include governance, incident response, vulnerability assessment, and vendor management.
The SEC has issued cybersecurity guidance that directs public companies to adopt effective disclosure controls and procedures and overhaul their disclosure about incidents and threats. The SEC believes that public companies should adopt and implement cybersecurity risk management policies and procedures that ensure timely disclosure, internal reporting, processing of risks and incidents, and prevention of insider trading. The SEC also admonishes public companies to review all public disclosures including the materiality of incidents and security, risk factors, MD&A disclosure, business description, legal proceedings, financial statements, and board risk oversight. Firms should also consider disclosing past incidents “in order to place discussions of these risks in the appropriate context.” The SEC believes that “the importance of data management and technology to business is analogous to the importance of electricity and other forms of power in the past century.” The SEC said that it will be reviewing cybersecurity disclosures.
OUR TAKE: We expect institutional investors will add similar cybersecurity inquiries into their Operational Due Diligence processes before choosing an investment firm. So, even if you do not work for a public company, you should consider implementing the SEC’s recommendations.
The SEC obtained an emergency asset freeze against a fraudulent internet-based initial coin offering. According to the SEC, the Canadian respondents promised outlandish returns and made other significant misrepresentations as part of a scheme that raised over $15 Million from thousands of investors through offerings of a crypto-currency advertised on various social media sites. The SEC asserts that the offering of virtual tokens constituted an illegal offering of securities and that it was made available to U.S. investors through the internet. The SEC announced that this case is the first filed by its new Cyber Unit, which was created in September to focus on “misconduct involving distributed ledger technology and initial coin offerings, the spread of false information through electronic and social media, hacking and threats to trading platforms.”
OUR TAKE: Perhaps most significant is the SEC asserting (without much precedent or support) that an initial coin offering is an offering of securities subject to the securities laws. This view may lead to broader regulatory oversight of cryptocurrency offerings. Also, we expect that this first action by the Cyber Unit won’t be its last.
OUR TAKE: We suspect that this Cyber Unit will ultimately morph into its own office (See OCIE, Whistleblowers). If you have been on vacation in the woods for the last 3 years and have not yet retained a third party firm to test your cybersecurity readiness, we recommend moving quickly to catch up to the rest of the industry.
A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data for 1.27 million customers across the country when hackers exploited a security breach created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend against charges that a firm acted negligently.
The SEC Office of Compliance Inspections and Examinations (OCIE) released the results of its Cybersecurity 2 sweep initiative. OCIE reviewed policies and procedures and assessed cybersecurity preparedness of 75 firms with respect to governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. OCIE found that most firms have adopted policies and procedures, conducted penetration tests and vulnerability scans, used a system to prevent data loss, installed software patches, adopted response plans, and conducted vendor risk assessments. OCIE recommended that registrants better tailor policies and procedures, conduct enhanced employee training, replace outdated systems, and ensure remediation of identified vulnerabilities. OCIE warned that cybersecurity “remains one of the top compliance risks for financial firms” and that it “will continue to examine for cybersecurity compliance procedures and controls, including testing the implementation of those procedures and controls at firms.”
OUR TAKE: Advisers, broker-dealers, and funds that fail these compliance best practices risk falling behind their competitors and incurring the wrath of the OCIE examiners. Compliance officers must become conversant in the required elements of an adequate cybersecurity program and implement the required policies and procedures, testing, and remediation.