The Securities Bureau of the Nebraska Department of Banking and Finance has proposed a new rule which would require investment advisers to develop and maintain physical and cybersecurity policies and procedures designed to protect client records and information.
Category Archives: Cyber Security
NASAA Cybersecurity Model Rule Package
May 31, 2019
On May 21, 2019, the North American Securities Administrators Association (NASAA) released a model cybersecurity rule package. NASAA’s proposed rule would require investment advisers to adopt policies and procedures regarding information security and to deliver annually its privacy policy to clients.
SEC Risk Alert – Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies
May 07, 2019
On April 16, 2019, the United States Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert about “Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies” to encourage investment adviser firms to review their written policies and procedures to, “ensure compliance with the relevant regulatory requirements.”
Cybersecurity Survey – Nebraska Registered Investment Advisers
January 22, 2019
On December 3, 2018 the Nebraska Department of Banking and Finance (NDBF) released their 2018 Cybersecurity Survey of Nebraska-Registered Investment Advisers. NDBF surveyed fifty-seven Nebraska registered investment advisers. The survey focused on devices used in advisory activities, Wi-Fi access points, passwords, encryption policies, and anti-virus/anti-malware services. The full report can be viewed here.
SEC Fines Investment Adviser for Cybersecurity Failures
October 09, 2018
The United States Securities and Exchange Commission (SEC) has recently fined an Iowa-based investment adviser $1 million for alleged cybersecurity failures that led to a data breach that compromised the personal information of its clients. According to the SEC, information from over 5,600 of the investment adviser’s clients was obtained by criminals impersonating independent advisers. The SEC claims that the intruders gained access through weaknesses within the firm’s cybersecurity procedures. Some of these weaknesses had been exposed during previous fraudulent activity. The investment adviser allegedly failed to update and fix those issues.
On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of U.S. Securities and Exchange Commission (“SEC”) released a Risk Alert which details its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the U.S. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ procedures and controls related to cybersecurity. Click here to read the Risk Alert.
The Colorado Division of Securities recently proposed two new rules that would require investment adviser firms and broker-dealers to assess cybersecurity risks and implement written policies and procedures “reasonably designed to ensure cybersecurity.” Click here to read the Rulemaking Notice. Given the sensitive and confidential nature of their work, cybersecurity is an important and evolving concern for investment adviser firms.
The Financial Industry Regulatory Authority (“FINRA”) recently announced fines against 12 broker-dealers for alleged deficiencies related to their cybersecurity and record retention practices. In each case, the firms – who have consented to the fine without admitting or denying the charges – allegedly failed to properly store electronic records in a “write once read many” format that is meant to protect records from illicit alteration. The “write once read many” format is required by FINRA rules and protects broker-dealers against malicious interference with their vital business records, whether by outside hackers or disgruntled insiders.
Updates to Cybersecurity Identity Theft Best Practices Checklist
November 29, 2016
RIA Compliance Consultants updated it Cybersecurity Identity Theft Best Practices checklist in light of the U.S. Department of Treasury Financial Crimes Enforcement Network’s (FinCEN) Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime. On October 25, 2016, FinCEN issued an advisory on reporting requirements for cyber-events. FinCEN issued the advisory because,
As in 2015, the Securities and Exchange Commission (“SEC”) Examination Priorities for 2016 identify cybersecurity as an area of “potentially heightened [market-wide] risk.” Citing the Office of Compliance Inspections and Examinations (“OCIE”) 2015 Risk Alert, the SEC promised to continue using its exams to evaluate investment adviser firms’ cybersecurity preparedness. Click here to read our blog on the OCIE Cybersecurity Risk Alert.
