On Thursday, April 4, we received numerous inquiries from investment adviser firm owners and/or senior executives who had received an unexpected email supposedly from FINRA’s Chief Legal Officer or Chief Information Officer which utilized an email address ending in @ data-finra .org. In response, our Consulting Team contacted the IARD Entitlement Support Line which confirmed that these emails did not originate from FINRA.
On April 18, 2022, Kentucky announced that it had adopted Senate Bill (“SB”) 298, making it the newest state to adopt an investment adviser representative continuing education (“IAR CE”) requirement, joining Mississippi, Vermont, Maryland, Michigan, and Wisconsin. Along with Michigan and Wisconsin, Kentucky’s new rule will become effective January 1, 2023. For investment adviser representatives in Mississippi, Vermont, and Maryland, an IAR CE requirement is already in effect.
It was brought recently to our attention that many of our investment adviser clients have received a suspicious email similar to the sample below. This email appears to be sent from the email domain: claims-finra.org and includes a subject line such as “Re: FINRA URGENT REQUEST FOR….”
Recently, several of our RIA clients have received suspicious emails claiming to be from FINRA. The suspicious emails used the subject line “New FINRA Request – (Firm Name),” and came from an email address with the domain, “@gateway-finra.org” Below is a screenshot of one of these suspicious emails.
On January 7, 2021, the North American Securities Administrators Association (NASAA) reminded state-registered investment advisers to report to their primary securities regulator any known issues or concerns related to a recent RIA cybersecurity incident.
In this new environment of working from home during the COVID-19 pandemic, it’s important for investment adviser firms to remember to conduct initial and ongoing due diligence of the cybersecurity policies and practices (including incident response plans) of third-party vendors which maintain confidential information of your investment advisory clients and provide services through the cloud over the Internet.
The Securities Bureau of the Nebraska Department of Banking and Finance has proposed a new rule which would require investment advisers to develop and maintain physical and cybersecurity policies and procedures designed to protect client records and information.
On May 21, 2019, the North American Securities Administrators Association (NASAA) released a model cybersecurity rule package. NASAA’s proposed rule would require investment advisers to adopt policies and procedures regarding information security and to deliver annually its privacy policy to clients.
On April 16, 2019, the United States Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert about “Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies” to encourage investment adviser firms to review their written policies and procedures to, “ensure compliance with the relevant regulatory requirements.”
On December 3, 2018 the Nebraska Department of Banking and Finance (NDBF) released their 2018 Cybersecurity Survey of Nebraska-Registered Investment Advisers. NDBF surveyed fifty-seven Nebraska registered investment advisers. The survey focused on devices used in advisory activities, Wi-Fi access points, passwords, encryption policies, and anti-virus/anti-malware services. The full report can be viewed here.
