The New York State Attorney General has issued a report indicating that a record 1583 data breaches affecting 9.2 Million New Yorkers were reported to the NYAG in 2017. The information exposed included social security numbers (40%) and financial account information (33%). Hacking was the leading cause of the data security breaches. NYAG Eric Schneiderman warned “My office will continue to hold companies accountable for protecting the personal information they manage.” The NYAG has urged the New York State legislature to pass the SHIELD Act, which would require companies to adopt reasonable safeguards to protect sensitive data, including relevant policies and procedures.
OUR TAKE: The state regulators have taken a primary role in enforcing data protection safeguards. Make sure your compliance procedures have the necessary policies and procedures that include governance, incident response, vulnerability assessment, and vendor management.
FINRA fined a large broker-dealer $1.5 Million for failing to properly maintain electronic brokerage records. According to FINRA, the respondent’s ATS business failed to maintain over 100 million trading records in “write once, read only” (WORM) format over a 6-year period. FINRA also faults the BD for failing to maintain duplicate copies of over 300 million orders placed over the same period. The failures also resulted in charges that the firm did not have adequate audit or compliance procedures. FINRA said the required records and formats are necessary for regulatory examinations and internal audits.
OUR TAKE: The IT folks must connect with the compi-pros to understand the specific regulatory requirements for electronic data retention. Then, the compli-pros must determine how to implement effective audit and compliance surveillance. The most dangerous phrase in financial services: “That’s not my job.”
A large insurance company agreed to pay a total of $5.5 Million to settle charges brought by 32 states resulting from the loss of critical consumer information attributable to a criminal data breach. According to the Settlement Agreement, the respondent lost the data for 1.27 million customer across the country when hackers exploited a security breach created when the respondent failed to implement a security patch. As part of the settlement, the insurance company agreed to appoint a security patch supervisor, implement security patch policies and procedures, and perform internal assessments. The New York State Attorney General criticized the respondent for its “true carelessness while collecting and retaining information from prospective customers, needlessly exposing their personal data in the process.” He warned, “This settlement should serve as a reminder that companies have a responsibility to protect consumers’ personal information regardless of whether or not those consumers become customers. We will hold companies to account if they don’t.”
OUR TAKE: The NYS Attorney General implies that companies can be held liable for data breaches that result from simple negligence rather than recklessness or intent. A solid compliance program that includes a robust cybersecurity assessment can help defend charges that a firm acted negligently.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert about recent ransomware attacks and offered some best practices for smaller firms for dealing with ransomware incidents. Based on a recent review of 75 registrants, the OCIE staff recommends that firms perform a cyber-risk assessment, conduct penetration and vulnerability tests, and ensure software maintenance including adequate software patches. The OCIE staff stressed the importance of developing a “rapid response capability.” OCIE found widespread deficiencies among advisers during its review: 57% did not conduct penetration and vulnerability testing and 26% did not conduct periodic risk assessments of critical systems.
OUR TAKE: Cybersecurity has become one of the most significant compliance issues facing investment management firms. CCOs and their bosses must take action to address outside threats. We recommend reviewing the SEC’s 2014 guidance.
FINRA fined 12 firms a total of $14.4 Million (including individual fines of $4 Million, $3.5 Million and $2 Million) for failing to retain electronic records in the proper format. FINRA charges that, over extended time periods, the firms failed to maintain required broker-dealer and customer records in “write once, read many” (aka WORM) format as required by Rule 17a-4(f)(2)(ii)(a) (BD records must be preserved “exclusively in a non-rewriteable, non-erasable format”). FINRA asserts that retaining records in WORM format protects such records from cyber-crimes. FINRA maintains that the failures affected hundreds of millions of records “spanning multiple systems and categories.” FINRA’s Enforcement Chief empasized “FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.”
OUR TAKE: These are significant fines for IT breakdowns in the absence of further allegations of customer harm or a specific hacking incident. Operations professionals should work with their IT teams and compli-pros to ensure that records retention follows regulatory requirements.
A broker-dealer agreed to pay a $650,000 fine because an OSJ’s cloud server vendor failed to protect customer information. FINRA asserts that foreign hackers penetrated the cloud-based servers and had access to customers’ nonpublic personal information. FINRA faults the firm for failing to monitor or test the third party vendor’s information security. FINRA also alleges that the BD failed to adopt reasonable data security policies that included specific firewall policies and related testing. FINRA cites violations of Rule 30 of Regulation S-P, which requires the protection of customer records and information.
OUR TAKE: Firms must go the extra mile to protect customer information and not just rely on hiring a third party. FINRA will hold BDs strictly liable for data breaches, even those occurring at the vendor.