Home » data security

Tag: data security

SEC Warns About Failures to Protect Personal Information

The SEC’s Office of Compliance Inspections and Examinations has published a Risk Alert calling out advisers and broker-dealers for their failures to protect personal information.  Based on deficiencies identified over the last 2 years, the SEC found failures related to privacy notices, policies and procedures, and physical safeguards.  The SEC faulted registrants for failing to deliver initial and annual privacy notices or for delivering notices that did not accurately reflect policies and procedures.  The SEC found firms that completely failed to adopt policies and procedures by simply restating the Safeguards Rule.  Other firms either adopted weak policies and procedures or failed to properly implement them.  Some common deficiencies included unsecure laptops, unencrypted emails, inadequate training, insufficient control of third-party vendors, inadequate incident response plans, and shared login credentials.  OCIE states that the Risk Alert is intended “to assist advisers and broker-dealers in providing compliant privacy and opt-out notices, and in adopting and implementing effective policies and procedures for safeguarding customer records and information.” 

Compli-pros should ensure the annual testing program includes the privacy notice process and the implementation of policies and procedures to avoid the highlighted issues.  It may make sense to combine the testing with the required cybersecurity assessment. 

NYS Attorney General Reports 1500 Data Breaches in 2017

The New York State Attorney General has issued a report indicating that a record 1583 data breaches affecting 9.2 Million New Yorkers were reported to the NYAG in 2017.   The information exposed included social security numbers (40%) and financial account information (33%).  Hacking was the leading cause of the data security breaches.  NYAG Eric Schneiderman warned “My office will continue to hold companies accountable for protecting the personal information they manage.”  The NYAG has urged the New York State legislature to pass the SHIELD Act, which would require companies to adopt reasonable safeguards to protect sensitive data, including relevant policies and procedures.

OUR TAKE: The state regulators have taken a primary role in enforcing data protection safeguards.  Make sure your compliance procedures have the necessary policies and procedures that include governance, incident response, vulnerability assessment, and vendor management.

 

FINRA Fines 12 Firms $14.4 Million for Failing to Maintain Data in Proper Electronic Format

data-protection

FINRA fined 12 firms a total of $14.4 Million (including individual fines of $4 Million, $3.5 Million and $2 Million) for failing to retain electronic records in the proper format.  FINRA charges that, over extended time periods, the firms failed to maintain required broker-dealer and customer records in “write once, read many” (aka WORM) format as required by Rule 17a-4(f)(2)(ii)(a) (BD records must be preserved “exclusively in a non-rewriteable, non-erasable format”).  FINRA asserts that retaining records in WORM format protects such records from cyber-crimes.  FINRA maintains that the failures affected hundreds of millions of records “spanning multiple systems and categories.”  FINRA’s Enforcement Chief empasized “FINRA’s focus on ensuring that firms maintain accurate, complete and adequately protected electronic records.”

OUR TAKE: These are significant fines for IT breakdowns in the absence of further allegations of customer harm or a specific hacking incident.  Operations professionals should work with their IT teams and compli-pros to ensure that records retention follows regulatory requirements.

http://www.finra.org/newsroom/2016/finra-fines-12-firms-total-144-million-failing-protect-records-alteration

BD Fined for Hack of Third Party Cloud Provider

information-security

A broker-dealer agreed to pay a $650,000 fine because an OSJ’s cloud server vendor  failed to protect customer information.  FINRA asserts that foreign hackers penetrated the cloud-based servers and had access to customers’ nonpublic personal information.  FINRA faults the firm for failing to monitor or test the third party vendor’s information security.  FINRA also alleges that the BD failed to adopt reasonable data security policies that included specific firewall policies and related testing.  FINRA cites violations of Rule 30 of Regulation S-P, which requires the protection of customer records and information.

OUR TAKE: Firms must go the extra mile to protect customer information and not just rely on hiring a third party.  FINRA will hold BDs strictly liable for data breaches, even those occurring at the vendor.