The United States Securities and Exchange Commission (SEC) has recently fined an Iowa-based investment adviser $1 million for alleged cybersecurity failures that led to a data breach compromising the personal information of its clients. According to the SEC, information on over 5,600 of the investment adviser’s clients was obtained by criminals impersonating independent advisers. The SEC claims that the intruders gained access through weaknesses in the firm’s cybersecurity procedures. Some of these weaknesses had been exposed during previous fraudulent activity, and the investment adviser allegedly failed to fix them.
On August 7, 2017, the Office of Compliance Inspections and Examinations (“OCIE”) of the U.S. Securities and Exchange Commission (“SEC”) released a Risk Alert detailing its examination of the cybersecurity preparedness of 75 broker-dealers, investment advisers and investment companies in the U.S. In comparison to prior cybersecurity examinations, this exam involved more active testing and validation of the firms’ cybersecurity procedures and controls.
The Colorado Division of Securities recently proposed two new rules that would require investment adviser firms and broker-dealers to assess cybersecurity risks and implement written policies and procedures “reasonably designed to ensure cybersecurity.” Given the sensitive and confidential nature of their work, cybersecurity is an important and evolving concern for investment adviser firms.
December 29, 2016
The Financial Industry Regulatory Authority (“FINRA”) recently announced fines against 12 broker-dealers for alleged deficiencies related to their cybersecurity and record retention practices. In each case, the firms – who have consented to the fine without admitting or denying the charges – allegedly failed to properly store electronic records in a “write once read many” format that is meant to protect records from illicit alteration. The “write once read many” format is required by FINRA rules and protects broker-dealers against malicious interference with their vital business records, whether by outside hackers or disgruntled insiders.
November 29, 2016
RIA Compliance Consultants updated its Cybersecurity Identity Theft Best Practices checklist in light of the U.S. Department of the Treasury Financial Crimes Enforcement Network’s (FinCEN) Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime. On October 25, 2016, FinCEN issued an advisory on reporting requirements for cyber-events. FinCEN issued the advisory because,
August 02, 2016
As in 2015, the Securities and Exchange Commission (“SEC”) Examination Priorities for 2016 identify cybersecurity as an area of “potentially heightened [market-wide] risk.” Citing the Office of Compliance Inspections and Examinations (“OCIE”) 2015 Risk Alert, the SEC promised to continue using its exams to evaluate investment adviser firms’ cybersecurity preparedness.
The U.S. Securities and Exchange Commission (SEC) continues to promote the importance of cybersecurity and protecting confidential investor information. On September 22, 2015, the SEC’s Office of Investor Education and Advocacy issued an Investor Alert regarding investment accounts for investors who become victims of identity theft or a data breach. This Investor Alert came one week after the SEC issued a Risk Alert on the topic of its Cybersecurity Exam Initiative (September 15, 2015).
September 25, 2015
The Securities and Exchange Commission (SEC) had a busy week regarding investment adviser and broker-dealer cybersecurity. On September 15, 2015, the SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a Risk Alert on the topic of its Cybersecurity Examination Initiative. The Risk Alert provides information on the areas of focus for OCIE’s cybersecurity examinations (more on this below). The SEC followed up its Risk Alert with an enforcement action against an investment adviser for a cybersecurity incident. The SEC censured the investment adviser and imposed a fine of $75,000. The SEC found that the investment adviser had failed to adopt written policies and procedures reasonably designed to protect customer records and information, in violation of Rule 30(a) of Regulation S-P (17 C.F.R. § 248.30(a)) (the “Safeguards Rule”).
When cybersecurity is covered in the industry press these days, there is often discussion of its importance but, unfortunately, little specificity about what steps an investment adviser can take to improve its information security and IT practices. Even the recent cybersecurity exam sweep results of the Office of Compliance Inspections and Examinations (OCIE) of the U.S. Securities and Exchange Commission (“SEC”) are somewhat difficult for investment advisers to interpret and translate into an information security plan. However, the SEC’s Office of Investor Education and Advocacy recently issued a bulletin giving investors tips on protecting their online accounts. These recommendations for protecting an investor’s online account from fraud appear to RIA Compliance Consultants to be just as applicable to an investment adviser devising its own cybersecurity policies and practices.