The Cybersecurity Law Report

Incisive intelligence on cybersecurity law and regulation

By Topic: Financial Services Regulation

  • From Vol. 4 No.33 (Oct. 10, 2018)

    Lessons From the SEC’s First Red Flags Rule Settlement

    Broker-dealer Voya’s $1-million settlement with the SEC for alleged violations of the Safeguards Rule and the Identity Theft Red Flags Rule shows that the SEC is willing to act when it believes firms could have done more to prevent attacks. “The SEC expects companies to not only have in place commercially reasonable standards, policies and procedures for cybersecurity, but to implement them along with compliance and audit procedures to assure that they are working as intended,” Jason Elmer, managing partner at Drawbridge Partners, told The Cybersecurity Law Report. We analyze the case, which involved a network intrusion by people impersonating third-party contractors, and its lessons, including the mistakes Voya made, how companies can avoid them and what the case says about SEC cybersecurity enforcement. See “How Financial Services Firms Should Structure Their Cybersecurity Programs” (May 9, 2018).

  • From Vol. 4 No.31 (Sep. 26, 2018)

    Five Takeaways From the Fiserv Wake-Up Call

    A software vulnerability recently identified at Fiserv served as another wake-up call for the financial industry that the security practices of third parties handling customer information are just as vital as measures taken in-house. Experts agree that outsourcing certain tasks remains efficient and effective, but have emphasized the importance of using bug bounty programs and effective vendor vetting and oversight. We provide five takeaways from the Fiserv vulnerability discovery with insight from both technical and legal experts. See also “How to Maintain Effective and Secure Long-Term Vendor Relationships: Understanding the Risks (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.29 (Sep. 12, 2018)

    Information Sharing in the Private Sector: Lessons From the Financial Services Industry

    Sharing cyber intelligence has become a vital best practice for organizations in fending off cyber attacks. The financial services industry formed the first formal information sharing and analysis center (FS-ISAC) in 1999 and has helped other industries launch their own information sharing and analysis organizations (ISAOs). Alfred Saikali, a partner at Shook, Hardy & Bacon, spoke to The Cybersecurity Law Report about why FS-ISAC is so effective, and what organizations should look for before joining an ISAO. See also “ISAO Organization Releases a Roadmap to Cyber Threat Information Sharing” (Oct. 5, 2016); and “Using Information Sharing to Combat Cyber Crime While Protecting Privacy” (Sep. 7, 2016).

  • From Vol. 4 No.28 (Sep. 5, 2018)

    How the GDPR Will Affect Private Funds’ Use of Alternative Data

    More funds are using alternative data in their operations – notably in driving their trading strategies and making investment decisions – and if that data contains personal information of people in the E.U., the GDPR may impact how funds are able to obtain and use it. The Cybersecurity Law Report spoke to Peter D. Greene, a partner and vice-chair of the investment management group at Lowenstein Sandler, about how the GDPR may affect funds’ use of alternative data and relevant compliance steps funds can take. See also “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.26 (Aug. 22, 2018)

    A Fund Manager’s Roadmap to Big Data: Privacy Concerns, Third Parties and Drones

    The collection and use of big data can provide many benefits for fund managers and others, but can also present new and complex risks, especially when the data sets contain PII. This final article in our three-part series discusses big-data risk, including risks related to privacy, the use of third-party data and drones, as well as recommended methods for mitigating those risks. The first article explored the big-data landscape, along with how fund managers can acquire and use big data in their businesses. The second article analyzed issues and best practices surrounding the acquisition of material nonpublic information, web scraping and the quality and testability of data. See also “Using Big Data Legally and Ethically While Leveraging Its Value (Part One of Two)” (May 17, 2017); Part Two (May 31, 2017).

  • From Vol. 4 No.25 (Aug. 15, 2018)

    A Fund Manager’s Roadmap to Big Data: MNPI, Web Scraping and Data Quality

    As fund managers increasingly turn to sophisticated data streams to boost investment returns and produce greater operational efficiencies, it is critical that they understand the legal and practical risks posed by the use of big data. This second article in our three-part series on big data analyzes issues and best practices surrounding the acquisition of material non-public information, web scraping and the quality and testability of data. The first article explored the big-data landscape and how fund managers can acquire and use big data in their businesses. The third article will discuss risks associated with data privacy and the acquisition of data from third parties and the use of drones, as well as recommended methods for mitigating those risks. For more on big data, see “Best Practices for Managing the Risks of Big Data and Web Scraping” (Jul. 26, 2017).

  • From Vol. 4 No.24 (Aug. 8, 2018)

    Essential Cyber, Tech and Privacy M&A Due Diligence Considerations

    Evolving threats, regulatory focus and innovation require every transaction to now include some technology, privacy and cybersecurity due diligence. A target’s problems in these areas can manifest themselves in painful ways, whereas a robust infrastructure can dramatically improve value. This article covers a recent ACA Aponix program that detailed key issues to consider when reviewing cybersecurity, information technology and regulatory compliance at target and portfolio companies. See also “Effective M&A Contract Drafting and Internal Cyber Diligence and Disclosure” (Dec. 20, 2017).

  • From Vol. 4 No.22 (Jul. 25, 2018)

    GDPR Essentials for the Financial Sector: Staying Compliant and Special Challenges (Part Three of Three)

    Once the initial fervor over GDPR implementation dies down, companies will have to ensure that their program is properly maintained long-term. This final installment of our three-part GDPR series for the financial sector addresses how to monitor and assess the program and examines special considerations – such as determining the identity of controllers and processors and accounting for Member-State specificities. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. Part two detailed specific compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.21 (Jul. 18, 2018)

    GDPR Essentials for the Financial Sector: Compliance Steps (Part Two of Three)

    Can a bank or financial services firm partially comply with the GDPR? Some say it is an all-or-nothing proposition, but others assert that some economical steps can take a U.S.-based entity with limited E.U. contact most of the way. In this article, we discuss some of those compliance steps and how to preserve defenses to a class action that companies may be unwittingly waiving. The first article in the series discussed the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The third installment in the series will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)” (Jun. 20, 2018); Part Two (Jun. 27, 2018).

  • From Vol. 4 No.20 (Jul. 11, 2018)

    GDPR Essentials for the Financial Sector: Benchmarking and Assessing the Risks (Part One of Three)

    Most banks and financial services firms are certainly aware of the GDPR, but the level of compliance and focus on it varies across the industry. “There are inquiries about GDPR on information-sharing sites, such as ‘Have you done a risk assessment for GDPR?’” Jeff Patterson, executive vice president at ANB Bank, told The Cybersecurity Law Report, “but I don’t think a lot of the professional associations in the industry think it is a big risk at this point.” Is that a mistake? In this article, we discuss the current state of compliance in the financial sector, the extraterritorial applicability of the GDPR, its relationship to U.S. laws, enforcement priorities and the risk of collective action. The second installment in the series will address specific compliance steps and identify common errors. The third article will examine special considerations of the law – such as determining the identity of controllers and processors and accounting for Member-State specificities – and will provide advice on monitoring ongoing compliance. See “Countdown to GDPR Enforcement: Final Steps and Looking Ahead” (May 16, 2018).

  • From Vol. 4 No.19 (Jul. 4, 2018)

    How Financial Services Firms Should Structure Their Cybersecurity Programs

    Governments and regulators – including the SEC and the U.K. Financial Conduct Authority (FCA) – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discusses the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and outsourcing cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.18 (Jun. 27, 2018)

    What Are the GDPR’s Implications for Alternative Investment Managers? (Part Two of Two)

    As in other industries, the GDPR does not just affect investment managers domiciled in the E.U. – it can have broad extraterritorial applicability. This two-part series breaks down how the key provisions of the GDPR impact advisers and private funds. This second article discusses the rights of data subjects, minimum requirements applicable to a processor, the role of a DPO, cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. The first article reviewed the driving forces behind the enactment of the GDPR, its territorial scope, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. See “Using Technology to Comply With the GDPR” (Feb. 14, 2018).

  • From Vol. 4 No.17 (Jun. 20, 2018)

    What Are the GDPR’s Implications for Alternative Investment Managers? (Part One of Two)

    While the business of an alternative investment fund manager will not involve the systematic processing of natural persons’ data, all investment management firms and funds will receive and process personal data in some way, shape or form in relation to their day-to-day business activities, thereby subjecting them to the most significant development in E.U. privacy law in two decades. This two-part guest article series breaks down the key provisions of the GDPR and how they may affect advisers and private funds. This first part reviews the driving forces behind the enactment of the GDPR, the territorial scope of the GDPR, the data-protection principles that apply when processing personal data, the legal bases pursuant to which in-scope firms may process personal data and the rules surrounding cross-border transfers of personal data. The second article will discuss the rights of data subjects, minimum requirements applicable to processors, the role of a DPO, cybersecurity measures required by the GDPR, the obligation to report breaches of the GDPR and parallel legislation introduced in the U.K. in light of Brexit. See also our two-part interview with the Irish Data Commissioner: “Supervising Facebook” (Apr. 25, 2018); and “GDPR Enforcement Priorities” (May 2, 2018).

  • From Vol. 4 No.16 (Jun. 13, 2018)

    CFTC Commissioner Encourages Formation of Self-Regulatory Organization for Cryptocurrency Spot Platforms

    Cryptocurrencies have generated a fair amount of interest from the financial sector – and in turn, from regulators. A cohesive approach to regulating this developing asset class has yet to emerge, however. In a recent speech delivered before the Eurofi High Level Seminar 2018, CFTC Commissioner Brian Quintenz examined the role of regulators such as the CFTC during periods of technological change, the use of blockchain technology by financial services firms and current approaches to cryptocurrencies by U.S. and global regulators. He also called for the formation of a self-regulatory organization by cryptocurrency spot platforms to enforce customer protection rules in spot commodity markets. This article highlights the key points from Quintenz’s remarks. See also “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.11 (May 9, 2018)

    How Financial Services Firms Should Structure Their Cybersecurity Programs

    Governments and regulators – including the SEC and the U.K. Financial Conduct Authority – are intensifying their scrutiny of financial services firms’ cybersecurity programs. At a minimum, firms must ensure that they comply with industry best practices, including adopting one or more cybersecurity frameworks and creating a culture of cybersecurity compliance. This article discusses the roles of the CISO and CCO in cybersecurity programs, regulator priorities, steps firms can take to mitigate cyber risk, and the outsourcing of cybersecurity functions. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

  • From Vol. 4 No.7 (Apr. 11, 2018)

    Virtual Currencies Ruled Commodities Under the Commodity Exchange Act by District Court

    Virtual currencies are rapidly developing and regulators are trying to keep up to prevent fraud and abuse. Multiple regulatory entities have moved to oversee this uncharted territory. A federal district court recently concluded the CFTC has authority, concurrent with other entities, over fraudulent conduct involving virtual currencies, reasoning that virtual currencies are commodities as defined by the Commodity Exchange Act. This article details the facts and circumstances leading up to the enforcement action and the Court’s reasoning. See also “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.6 (Mar. 28, 2018)

    Beware of False Friends: A Hedge Fund Manager’s Guide to Social Engineering Fraud

    Cybercriminals are increasingly relying on social engineering to attack corporate systems. Certain types of companies such as hedge funds are particularly vulnerable, given that they typically lack extensive in-house cybersecurity expertise, deal with large sums of capital and have relationships with powerful clients and individuals. Social engineering fraud poses a number of risks to fund managers. Fortunately, managers can mitigate these risks by training employees, instituting multi-factor authentication, adopting verification procedures, limiting user access and monitoring cybersecurity regulations. In addition, managers are increasingly able to rely on insurance to cover social engineering fraud losses. In a guest article, Ron Borys, senior managing director in Crystal & Company’s financial institutions group, and Jordan Arnold, executive managing director in K2 Intelligence’s New York and Los Angeles offices and head of the firm’s private client services and strategic risk and security practices, examine the risks of social engineering fraud, how fund managers can prevent it and how insurance policies can be used to protect against related losses. See also “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    FTC Enters Into Stiff Settlement With PayPal for Venmo’s Deceptive Practices, but Eases Up on a 2009 Sears Order

    A pair of recent FTC orders demonstrate that despite aggressive action against businesses deemed to have made false or deceptive disclosures on privacy and cybersecurity matters, the Commission is also open to a more nuanced approach to disclosure and is willing to reconsider existing consent orders when circumstances change. This article analyzes (1) the recent settlement order with PayPal, whose Venmo unit misled users about the privacy of transactions and the availability of their funds and (2) the Order Reopening and Modifying a 2009 Order, which does away with a requirement that Sears make extensive disclosures on its mobile apps about how it tracks certain web browsing. See “Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)” (Jan. 31, 2018).

  • From Vol. 4 No.5 (Mar. 14, 2018)

    Developing an Effective Third-Party Management Program

    Companies rely on third parties for a variety of critical services. Identifying and managing those relationships in a systematic way is essential to minimizing enterprise risk and ensuring compliance with regulatory requirements. A MyComplianceOffice (MCO) presentation, “4 Principles of a Strong Third-Party Management Program,” provided a framework for developing a program for managing third-party relationships. Although the primary focus of the program was on the financial services industry, the principles discussed are relevant to outsourcing decisions made by a wide range of organizations and their dealings with administrators, technology vendors, research firms and other key third parties. The program was hosted by Joe Boyhan of MCO and featured Linda Tuck Chapman, president of Ontala, a virtual organization of seasoned professionals in strategic sourcing and procurement. This article summarizes the key takeaways from the presentation. See our two-part series on vendor risk management: “Nine Due Diligence Questions” (May 25, 2016); and “14 Key Contract Terms” (Jun. 8, 2016). Also see “Tech Meets Legal Spotlight: What to Do When IT and Legal Slow the Retention of a Third-Party Vendor” (Nov. 30, 2016).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    How South Korea Regulates Cryptocurrency and Why U.S. Lawyers and Investors Should Take Notice

    The Republic of Korea has recently required investors to have bank accounts under their real names in cryptocurrency transactions and imposed anti-money laundering requirements on banks with those exchanges. According to South Korea’s Financial Services Commission, which issued the regulation, the law aims to “curb cryptocurrency speculation and prevent cryptocurrencies from being exploited for illegal activities.” The Cybersecurity Law Report spoke with Nicolas Morgan, a partner at Paul Hastings, about why this fairly straightforward development in the often complicated world of cryptocurrency is noteworthy. See “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    SEC Confirms Cyber Disclosure Expectations in New Guidance

    The SEC’s latest guidance emphasizes proper and full disclosures related to cybersecurity risks and incidents throughout relevant filings. In its “Statement and Guidance on Public Company Cybersecurity Disclosures,” the SEC stated that “informing investors about material cybersecurity risks and incidents in a timely fashion,” even if they have “not yet been the target of a cyber attack,” is critical. Some say that this guidance is repetitive of the SEC’s 2011 guidance on the topic, but the new guidance adds discussions related to cybersecurity policies and procedures as well as preventing insider trading tied to cybersecurity information. In this article, we analyze this guidance with advice on risk disclosures from EXL Chief Compliance Officer Nancy Saltzman. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two)” (Aug. 12, 2015); Part Two (Aug. 26, 2015).

  • From Vol. 4 No.4 (Feb. 28, 2018)

    Financial Firms Must Supervise Their IT Providers to Avoid CFTC Enforcement Action

    The CFTC recently announced a settlement with futures firm AMP Global Clearing LLC (AMP), which had tens of thousands of client records compromised after its IT vendor unknowingly installed a backup drive on AMP’s network that included an unsecured port. The settlement order requires AMP to cease and desist from future violations, pay a civil penalty of $100,000 and report to the CFTC for the next year on its efforts to improve its digital security. “As this case shows, the CFTC will work hard to ensure regulated entities live up to that responsibility, which has taken on increasing importance as cyber threats extend across our financial system,” said CFTC Director of Enforcement James McDonald. In particular, it is a reminder of the importance of monitoring third-party service providers. In this article, we analyze the case and relevant remedial steps AMP agreed to take. For more from the CFTC, see “Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair” (Feb. 14, 2018).

  • From Vol. 4 No.3 (Feb. 14, 2018)

    Virtual Currencies Present Significant Risk and Opportunity, Demanding Focus From Regulators, According to CFTC Chair

    Keeping up with the exploding use of cryptocurrencies like bitcoin demands a special focus from regulators, CFTC Chairman J. Christopher Giancarlo stated in recent remarks to the ABA Derivatives and Futures Section Conference. He noted that virtual currencies represent both significant risk and opportunity for investors, discussed the role of the CFTC and other regulators in overseeing virtual currencies and outlined the CFTC staff review checklist of virtual currency futures markets. Giancarlo also examined the importance of mutual cross-border regulatory deference, using the E.U.’s and CFTC’s approach to margin rules to illustrate the benefits of global regulatory cooperation. See our three-part series on blockchain technology: “Basics of the Blockchain Technology and How the Financial Sector Is Currently Employing It” (Jun. 14, 2017); “How Financial Service Providers Can Use Blockchain to Improve Operations and Compliance” (Jun. 28, 2017); and “Blockchain and the Financial Services Industry: Potential Impediments to Its Eventual Adoption” (Jul. 12, 2017).

  • From Vol. 4 No.2 (Jan. 31, 2018)

    Lessons and Trends From FTC’s 2017 Privacy and Data Security Update: Enforcement Actions (Part One of Two)

    In its recently released Privacy & Data Security Update, the FTC recapped its 2017 privacy and data security enforcement actions, advocacy, workshops and guidance, providing valuable information about steps companies can take to ensure their privacy and data security measures are up to snuff. In this first part of our article series covering lessons from the Update, we examine, with expert insight, enforcement highlights – from financial services actions to general privacy cases – and what these actions tell us about steps companies should take to comply with applicable laws and steer clear of the FTC’s reach. Part two will cover what can be learned from the FTC’s 2017 workshops and guidance and shed light on what to expect from the agency in 2018. See also “FTC Priorities for 2017 and Beyond” (Jan. 11, 2017).

  • From Vol. 4 No.1 (Jan. 17, 2018)

    How Blockchain Will Continue to Revolutionize the Private Funds Sector in 2018

    Although blockchain trading has generated some skepticism and regulatory criticism, bitcoin traded at record highs in 2017 and looks poised to climb even higher in 2018. Karl Cole-Frieman, a founding partner of boutique law firm Cole-Frieman & Mallon and an expert on the evolving blockchain and bitcoin markets, spoke to The Cybersecurity Law Report about the issues surrounding blockchain trading and how best to approach the new technologies in the months to come. See also our three-part series on blockchain technology: “Basics of the Blockchain Technology and How the Financial Sector Is Currently Employing It” (Jun. 14, 2017); “How Financial Service Providers Can Use Blockchain to Improve Operations and Compliance” (Jun. 28, 2017); and “Blockchain and the Financial Services Industry: Potential Impediments to Its Eventual Adoption” (Jul. 12, 2017).

  • From Vol. 3 No.25 (Dec. 20, 2017)

    Electronic Signatures: Implementation Considerations for the Financial Sector (Part Two of Two)

    Digital signatures are becoming more prevalent in financial transactions given the volume of documents and number of contracts involved. While e-signatures can offer efficiency, understanding when and how they work in the contracting process and navigating the variety of available technologies remains perplexing to many businesses. In this second installment of our two-part series on electronic signatures, we offer practical advice from lawyers and technical consultants on how to implement a compliant e-signatures program, and how to vet and use vendors that provide these services. In the first part, K&L Gates attorneys discussed the legal landscape for electronic signatures, how an electronic signature differs from a digital signature and the legal risks associated with the adoption of electronic signatures. See also “Overcoming the Challenges and Reaping the Benefits of Multi-Factor Authentication in the Financial Sector (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 3 No.24 (Dec. 6, 2017)

    Electronic Signatures: Implementation Considerations for the Financial Sector (Part One of Two)

    Electronic signatures have been around for a while, and the U.S. laws governing them are more than 15 years old. However, understanding when and how an electronic signature works in the contracting process and navigating the variety of available technologies is still perplexing to many businesses, especially in the financial services sector, which is governed by a complex regulatory backdrop. In this guest article, the first part of our two-part series on electronic signatures, K&L Gates attorneys discuss the legal landscape for electronic signatures, how an electronic signature differs from a digital signature and the legal risks associated with the adoption of electronic signatures. Part two of the series will include practical advice from other lawyers and consultants on how to implement an e-signatures program while avoiding risks and how to vet and use vendors that provide these services. See also “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 3 No.21 (Oct. 25, 2017)

    Survey Finds Cybersecurity Preparedness of Alternative Asset Managers to Be Inadequate Relative to Traditional Asset Managers and Broker-Dealers

    Alternative asset managers may have some catching up to do with their compliance and cybersecurity programs. In its 2017 C-Suite Survey, Cipperman Compliance Services asked financial services executives about the role of their firms’ chief compliance officers; attitudes toward compliance; and the sophistication of their firms’ compliance programs and cybersecurity preparedness. Based upon the responses of executives from alternative asset managers, the survey suggests that their compliance programs are less likely to withstand SEC scrutiny and their firms are less prepared on cybersecurity matters, relative to traditional asset manager and broker-dealer participants. This article analyzes CCS’ findings with insights from CCS president Rob Prucnal. See also “Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps” (Jun. 28, 2017); and “SEC Report Cites Cybersecurity Progress Along With Gaps in Training and Compliance” (Aug. 23, 2017).

  • From Vol. 3 No.19 (Sep. 27, 2017)

    Deloitte Survey Shows Getting Skilled Cybersecurity Talent and Addressing Cyber Threats Among the Top Challenges for Financial Institutions

    Financial institutions anticipate cybersecurity to be one of the top risks they will face over the next two years, according to a Deloitte survey. Exacerbating the challenge is recruiting skilled cybersecurity talent as well as obtaining near-real-time threat intelligence. The survey also found that some organizations have turned to corporate risk officers to assist them, while others have seen increasingly activist boards of directors. We analyze the results of the survey. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    SEC Report Cites Cybersecurity Progress Along With Gaps in Training and Compliance

    Despite progress since 2014 in developing cybersecurity policies, there are still some critical areas where asset managers fall short with cyber preparedness, according to a new SEC risk alert. One particular shortcoming the SEC sets forth is the failure of some firms to act upon their own codified cybersecurity policies. With expert insight and advice, we detail the new alert’s findings, recommendations and implications. See “What the Financial Industry Should Know to Recognize and Combat Cyber Threats (Part One of Two)” (Jul. 26, 2017); Part Two (Aug. 9, 2017).

  • From Vol. 3 No.17 (Aug. 23, 2017)

    Inside Advice on the Growing Cyber Insurance Market for the Financial Sector

    In light of increasing cyber threats, regulatory focus, and the realization that complete breach prevention is impossible, interest in cybersecurity insurance has rapidly increased in the financial sector. Graig Vicidomino, associate director of Crystal & Company, spoke to The Cybersecurity Law Report about trends in the financial market for cyber insurance, particularly for fund managers, including costs, amounts of coverage, scope of coverage and policy benefits. He also provides practical post-breach advice and insights from clients seeking to cover specific types of incidents. See also “How to Make an Informed Policy Selection in the Dynamic Cyber Insurance Market” (Aug. 9, 2017); and “Navigating the Evolving Cyber Insurance Market” (Jun. 14, 2017).

    Read Full Article …
  • From Vol. 3 No.16 (Aug. 9, 2017)

    Overcoming the Challenges and Reaping the Benefits of Multi-Factor Authentication in the Financial Sector (Part Two of Two)

    The use of more than one factor to establish identity online – multi-factor authentication (MFA) – is a crucial way to protect against breaches that involve stolen credentials or compromised accounts. Various combinations of authentication factors are emerging, and continually evolving, as hackers become more sophisticated. In this second part of our two-article series about MFA for the financial sector, we explore MFA innovations (including those from the Fast Identity Online Alliance), what regulators expect around the world, resources and guidance for best practices and how companies can economically implement an MFA system. In part one, we discussed the MFA landscape for the financial sector, strategies for ensuring both security and user friendliness, challenges that certain factors present and the means to overcome those challenges. See also “Finding the Best Ways to Secure Digital Transactions in a Mobile World” (Oct. 19, 2016).

    Read Full Article …
  • From Vol. 3 No.16 (Aug. 9, 2017)

    What the Financial Sector Should Know to Recognize and Combat Cyber Threats (Part Two of Two)

    Financial Trojans are a widespread threat faced by the financial industry, and the U.S. is among the top five countries with the greatest number of detections, according to Symantec’s 2017 Internet Security Threat Report (ISTR). In a recent webinar, Symantec’s technical and threat experts provided insight on the key findings of the ISTR, with a focus on the latest and growing threats to the financial sector, noting that attackers will increasingly target large organizations and financial institutions. This second part of our two-part article series covering the ISTR and Symantec’s webinar details common sources of financial Trojans, looks at potential future attack targets and trends, and provides best practices for avoiding and mitigating these attacks. Part one summarized the threat landscape and the speakers’ insights on what common attacks look like, new threat actors and tools, and how to recognize them. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 3 No.16 (Aug. 9, 2017)

    Identifying and Managing Third-Party Cybersecurity Risks for Asset Managers

    As connectivity grows, the risk that data entrusted to vendors could be compromised or that a company’s own system may be breached through one of its vendors continues to increase. A recent Advise Technologies program focused on how private fund managers can understand and mitigate third-party risks. A panel of attorneys and compliance and regulatory consultants discussed the regulatory emphasis on third-party risk, ways to assess this risk, and common errors and best practices for managing vendors, including due diligence questionnaires. While certain regulatory considerations are specific to fund managers, the due diligence concerns and best practices provide important advice to all companies working with third-party vendors. See our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

    Read Full Article …
  • From Vol. 3 No.15 (Jul. 26, 2017)

    Overcoming the Challenges and Reaping the Benefits of Multi-Factor Authentication in the Financial Sector (Part One of Two)

    As hackers phish their way into SMS messages with one-time passcodes or use photos of fingerprints or eye veins to bypass biometric factors, developing effective online multi-factor authentication (MFA) systems is becoming more difficult. Using two or even three ways to establish identity online is particularly significant in the financial sector, where failure to secure the accounts of clients or employees can lead to massive losses. Online authentication factors must not only be secure, but also convenient for the user and, of course, make economic sense. In this first part of our two-article series, we explore the MFA landscape for the financial sector, strategies for ensuring both security and user friendliness, challenges that certain factors present and the means to overcome those challenges. In the second part, we will discuss MFA innovations, including those from the Fast Identity Online Alliance, what regulators expect around the world, and how companies can economically implement an MFA system. See also “Finding the Best Ways to Secure Digital Transactions in a Mobile World” (Oct. 19, 2016).

    Read Full Article …
  • From Vol. 3 No.15 (Jul. 26, 2017)

    How the CCO Can Use SEC Guidance to Tackle Cyber Threats

    Increasing cyber threats and a shifting regulatory landscape have expanded the role of CCOs, who need to ensure proper cyber defenses are in place and regulatory compliance is up-to-date. The CCO must manage a capable team and monitor developments while continuously updating the company’s compliance program and efforts. In this guest article, Guy Talarico, founder and CEO of Alaric Compliance Services, explores changing threat sources, regulatory priorities and best practices with an emphasis on SEC guidance, as well as the information sources a CCO must track to fulfill this critical and dynamic role. See also “How to Effectively Find, Compensate and Structure Cybersecurity Leadership (Part One of Two)” (Dec. 14, 2016); Part Two (Jan. 11, 2017).

    Read Full Article …
  • From Vol. 3 No.14 (Jul. 12, 2017)

    Blockchain and the Financial Services Industry: Potential Impediments to Its Eventual Adoption (Part Three of Three)

    Although excitement about the potential use of blockchain technology – an immutable, time-stamped and decentralized digital ledger of transactions – in the financial services industry has been growing, numerous impediments to its large-scale adoption remain. Issues ranging from a lack of regulatory support of blockchain to basic concerns about the resources required to implement the technology could slow its growth in the private funds industry. This third article in our series about the nature and uses of blockchain for the financial services industry details issues that could stymie the spread of blockchain, while also setting forth a realistic timeline and manner for its likely adoption by the private funds industry. The first article provided a primer on the technology and detailed several financial industry uses that are already being explored. The second article explored potential private fund back-office functions (e.g., regulatory reporting and maintaining shareholder ledgers) that could be optimized using blockchain technology. See “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 3 No.14 (Jul. 12, 2017)

    Navigating the Intersection of ERISA Fiduciary Duties and Cybersecurity Risk

    Last year, two retirement-plan administrators experienced data breaches, and unlike the liability standards for breaches of healthcare plans, which are more certain, Employee Retirement Income Security Act of 1974 (ERISA) liability standards are not clear. In many instances, ERISA fiduciary duty can extend to cybersecurity or data protection. And liability for violations of ERISA fiduciary duties is personal to the individual fiduciary. This article summarizes insights presented by Poyner Spruill, LLP attorneys at a recent Strafford program on the relationship between cybersecurity and ERISA. The panelists looked at recent breaches and litigation involving ERISA plans; evaluated when cybersecurity is a fiduciary duty under ERISA; analyzed whether ERISA preempts state cybersecurity and data-protection laws; and explored how plan sponsors can implement effective cybersecurity measures. See also “Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans” (Jun. 3, 2015).

    Read Full Article …
  • From Vol. 3 No.13 (Jun. 28, 2017)

    How Financial Service Providers Can Use Blockchain to Improve Operations and Compliance (Part Two of Three)

    Blockchain technology – a distributed database used to immutably timestamp and record transactions – is most commonly thought of in the single context of digital currencies, yet its applications are varied and limited only by the objectives of the adopting users. There are many more practical applications of the technology that could greatly enhance the efficacy of the financial sector while also dramatically reducing its overhead expenses. In particular, the technology could help private funds streamline their operations in various ways while simultaneously improving their compliance protocols. This second article in our three-part series about blockchain in the financial sector discusses various potential uses of blockchain technology, such as reconciling trades and onboarding investors, to improve private fund operational efficiencies and compliance efforts. The first article explained how blockchain functions and provided examples of how major elements of the financial industry (e.g., derivatives trading and repurchase agreements) are already incorporating the technology. The third article will explore how and when the private funds industry will adopt the technology, while presenting issues related to that implementation. See also “Are New York’s Cyber Regulations a ‘Game Changer’ for Hedge Fund Managers?” (Jun. 14, 2017).

    Read Full Article …
  • From Vol. 3 No.13 (Jun. 28, 2017)

    Surveys Show Cyber Risk Remains High for Financial Services Despite Preventative Steps

    While financial services firms are spending more on key cybersecurity measures, the risk and the financial consequences of a breach remain high. Studies show that the average breach cost continues to rise in the U.S. and, for smaller financial firms especially, critical security gaps remain. This article highlights parts of three recent surveys conducted by Ponemon, TD Bank, and ACA Aponix with the National Society of Compliance Professionals that provide insight into the current state of vulnerabilities and benchmarking for financial firms. See “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 3 No.12 (Jun. 14, 2017)

    Basics of the Blockchain Technology and How the Financial Sector Is Currently Employing It (Part One of Three)

    “Blockchain” is frequently mentioned at financial services industry conferences as a transformative technology with the potential to “disrupt” the private funds industry, but uncertainty about it persists. This three-part series serves as a primer about the technology and its interplay with the financial services industry going forward. This first article provides an overview of how blockchain functions and examines how the finance industry is already using it. The second article will describe potential ways private funds and service providers can adopt blockchain technology to enhance fund operations and compliance practices. The third article will explore some of the risks impeding the growth of blockchain and address the most plausible timing and manner for it to be eventually adopted in the industry. See “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 3 No.12 (Jun. 14, 2017)

    Are New York’s Cyber Regulations a “Game Changer” for Hedge Fund Managers?

    Experts caution that the New York State Department of Financial Services’ cybersecurity regulations are relevant beyond the covered entities to hedge fund managers, for example, because compliance with the regulations may become the “gold standard.” Some state organizations, such as the Colorado Division of Securities, have already proposed similar rules following New York’s lead. Panelists at the recent Alternative Asset Management Symposium sponsored by Crystal & Company highlighted the key provisions and discussed how they may affect alternative asset managers and their service providers. The experts from Crystal, Brown Rudnick, Mullen Coughlin, Charles River Associates and Prosek Partners addressed the impact of the regulations, including the CISO’s role, third-party vetting and potential enforcement. See “What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations” (Mar. 8, 2017).

    Read Full Article …
  • From Vol. 3 No.8 (Apr. 19, 2017)

    How to Ensure Cyber Risks Do Not Derail an IPO

    In preparation for a public offering, companies should expect scrutiny of their cybersecurity risks and the measures they take to address them, just as they do with other aspects of their business. Cyber risks and incidents can derail an IPO if they are not handled correctly. Gibson Dunn partners Andrew L. Fabens, Stewart L. McDowell and Peter W. Wardle spoke with The Cybersecurity Law Report about steps companies should take in preparing for an IPO, as well as the potential impact cybersecurity can have on the IPO process and stock price. See also “Tackling Cybersecurity and Data Privacy Issues in Mergers and Acquisitions (Part One of Two)” (Sep. 16, 2015); Part Two (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 3 No.7 (Apr. 5, 2017)

    Best Practices for Mitigating Compliance Risks When Investment Advisers Use Social Media

    The advent of Twitter, Facebook, LinkedIn and other social media forums has had a dramatic impact on society at large, including the investment funds industry. Yet, investment advisers and firms may not fully grasp the compliance and operational risks that new technologies and sites can pose. Questions abound as to whether social media can be used to provide material information to certain investors at the expense of others, when the line is crossed from informational content to marketing a fund and whether the social media accounts of individual employees and representatives need to be monitored for compliance purposes. In-house compliance officers, outside counsel and an SEC branch chief in the Chief Counsel’s Office of the SEC’s Division of Investment Management discussed and offered insights on these issues at a recent Regulatory Compliance Association PracticEdge session. See also “What It Takes to Establish Compliant Social Media Policies for the Workplace” (Mar. 22, 2017).

    Read Full Article …
  • From Vol. 3 No.5 (Mar. 8, 2017)

    What Covered Financial Entities Need to Know About New York’s New Cybersecurity Regulations

    Cybersecurity regulations from the New York State Department of Financial Services took effect on March 1, 2017. The scope of the regulations, which apply to financial institutions, insurance companies, and other financial services firms licensed by the State of New York, was narrowed to a degree following numerous industry comments on the proposed draft. This guest article by James Kaplan and Moein Khawaja, partner and associate at Quarles & Brady, explains the new requirements and changes from previous versions, and provides guidance regarding the implementation of the regulations and best cybersecurity practices related to the current regulatory environment. They also predict what future regulation might look like in this area. See also “Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation” (Jan. 25, 2017).

    Read Full Article …
  • From Vol. 3 No.3 (Feb. 8, 2017)

    How Fund Managers Can Prepare for Investor Cybersecurity Due Diligence

    Cybersecurity remains a top-of-mind issue for regulators, investors and investment advisers. As part of operational due diligence, investors often evaluate whether an adviser has robust cybersecurity defenses. Similarly, advisers must ensure that their administrators, brokers and other third parties have appropriate defenses. A recent program hosted by the Investment Management Due Diligence Association gave specifics on what investors may be looking for, including due diligence questions they may ask and how they may evaluate a firm’s cybersecurity program, including its cyber insurance. See also our two-part series on vendor risk management “Nine Due Diligence Questions” (May 25, 2016), and “14 Key Contract Terms” (June 8, 2016).

    Read Full Article …
  • From Vol. 3 No.2 (Jan. 25, 2017)

    Preparing to Meet the Deadlines of DFS’ Revised New York Cybersecurity Regulation

    The New York State Department of Financial Services proposed a cybersecurity regulation that raised many eyebrows when it was first introduced in September 2016. Taking into account the over 150 comments it received, the DFS published an updated version of the regulation at the end of 2016 and delayed the effective date by two months – until March 1, 2017. In this interview, Patterson Belknap Webb & Tyler LLP partner Craig A. Newman offers insight on what the new regulation means to covered institutions and the actions companies will need to take to be in compliance. See also “Steps Financial Institutions Should Take to Meet New York’s Proposed Cybersecurity Regulation” (Sep. 21, 2016).

    Read Full Article …
  • From Vol. 3 No.2 (Jan. 25, 2017)

    FINRA Emphasizes the Importance of Proper Electronic Record Storage in Enforcement Actions

    Accurate recordkeeping is one of the core duties of broker-dealers and investment advisers. As the number of electronic records has exploded in recent years, so have the risks of hacks or other malicious acts. FINRA recently settled enforcement actions against 12 of its members, imposing a total of $14.4 million in fines, for their failures to store electronic records in “write once, read many” (commonly referred to as “WORM”) format, as well as other violations of SEC recordkeeping rules. In its press release, FINRA emphasized that the deficiencies affected hundreds of millions of records, and the need to maintain records in the WORM format because “the volume of sensitive financial data stored electronically has risen exponentially and there have been increasingly aggressive attempts to hack into electronic data repositories, posing a threat to inadequately protected records.” This article explores the violations and key terms of the eight separate FINRA Letters of Acceptance, Waiver and Consent (AWCs). See also “FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer” (Dec. 14, 2016).

    Read Full Article …
  • From Vol. 2 No.25 (Dec. 14, 2016)

    FINRA Lays Out Cyber Expectations in Action Against Broker-Dealer

    A recent FINRA action against Lincoln Financial Securities Corporation, a general securities business, involving the firm’s alleged failure to safeguard customer data, preserve customer records and implement an appropriate supervisory system sheds light on regulatory expectations for a range of sectors. This article explains the alleged misconduct, the terms of the settlement, the remedial measures the firm is implementing, and the cybersecurity measures FINRA expects firms to take. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 2 No.21 (Oct. 19, 2016)

    How the Financial Services Industry Can Handle Cybersecurity Threats, Acquisition Diligence and Breach Response

    The financial services sector is often praised as having some of the most mature cybersecurity practices, but it also holds especially sensitive data and is one of the most common targets for malicious hackers. Asset managers in particular are confronted with general cybersecurity risks while navigating industry nuances. At a recent panel hosted by Major, Lindsey & Africa, Debevoise partners Luke Dembosky and Jim Pastore, both former federal prosecutors, addressed emerging cybersecurity threats, risks from vendors, potential breaches in a pre-acquisition and post-acquisition context, breach response and special considerations for breaches of investor or consumer data. Much of the advice is relevant to all companies grappling with data security risks and breach consequences. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.20 (Oct. 5, 2016)

    FCA Director Lays Out Cybersecurity Expectations for Financial Services Firms

    To safeguard sensitive personal and financial data and assets, and to protect the stability of the financial markets, an industry-wide “security culture” is necessary in the financial services sector. Firms of all sizes and profiles must actively and continually refine their governance, detection and prevention methods in response to the ever-evolving threat. This was the theme of a speech delivered by Nausicaa Delfas, Director of Specialist Supervision for the U.K. Financial Conduct Authority (FCA), at the recent FT Cyber Security Summit. The key points of the speech are directed at financial firms, but offer useful insight into the U.K. regulator’s priorities and advice for any company looking to improve its “security culture.” For a comparison of the FCA and SEC stances on cybersecurity, see our two-part series “Navigating FCA and SEC Cybersecurity Expectations (Part One of Two)” (Jan. 6, 2016); Part Two (Jan. 20, 2016).

    Read Full Article …
  • From Vol. 2 No.19 (Sep. 21, 2016)

    Steps Financial Institutions Should Take to Meet New York’s Proposed Cybersecurity Regulation

    With the ever-growing threat posed to the financial services industry by nation-states, terrorist organizations and independent criminal actors, earlier this month New York Governor Andrew Cuomo announced a proposed regulation that would require financial institutions to develop and implement cybersecurity programs to prevent and mitigate cyber attacks. After a 45-day comment period, following the upcoming publication in the New York State Register on September 28, the regulation is set to become effective January 1, 2017. “Even though the rules are not final, regulated financial institutions should begin considering how to comply today,” Orrick partner and cybersecurity & data privacy team co-chair Aravind Swaminathan told The Cybersecurity Law Report. In this article, we outline what companies need to do to be compliant with the new proposed regulation. See also “How the Financial Services Industry Can Manage Cyber Risk” (Jul. 20, 2016).

    Read Full Article …
  • From Vol. 2 No.16 (Aug. 3, 2016)

    Procedures for Hedge Fund Managers to Safeguard Trade Secrets From Rogue Employees

    In an era when high-profile data theft cases have shaken some people’s faith in the security of personal information entrusted to fund managers, it is critically important for firms to take steps to detect, prevent and address such thefts by rogue employees. This is of particular urgency for hedge fund managers now that the SEC has stepped up its focus on cybersecurity. Data security and the measures that can help safeguard trade secrets and sensitive information were the focus of a recent Hedge Fund Association panel discussion featuring participants from the law firm Gibbons, the litigation consulting firm DOAR and the hedge fund Litespeed Partners. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 2 No.15 (Jul. 20, 2016)

    How the Financial Services Industry Can Manage Cyber Risk

    Financial services providers and financial institutions are prime targets for hackers, and have also been targets of SEC scrutiny – the agency has recently brought actions against Morgan Stanley, Craig Scott Capital, and RT Jones for cybersecurity violations, even in the absence of a breach. How can firms in those industries ensure their cybersecurity programs are robust and mitigate risk? At a recent symposium held by the Hedge Fund Association, panelists with various cybersecurity perspectives and expertise shared their insight on preparedness, incident response plans, vendor management, cyber insurance (including recommendations for carriers) and whether to use cloud services. See also our two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.13 (Jun. 22, 2016)

    Morgan Stanley Action Signals SEC’s Continued Enforcement of Safeguards Rule

    Morgan Stanley Smith Barney may have escaped charges under Section 5 of the Federal Trade Commission Act, but it has agreed to pay $1 million to settle charges that it violated the Safeguards Rule. The settlement stems from allegations that employee Galen Marsh transferred data containing the PII of 730,000 customers to his personal server. That data later appeared on multiple internet sites. There was no harm alleged, and this settlement, coupled with the R.T. Jones and Craig Scott Capital actions, may show that the SEC is picking up enforcement of the Safeguards Rule. “Here, the SEC clearly is trying to make a statement to the broker-dealer and investment adviser community about how seriously it takes cyber. This also seems like a message to the FTC that the SEC intends to be the key cop on this part of the cyber beat,” Jeremy Feigelson, a partner at Debevoise, told The Cybersecurity Law Report. We analyze the settlement and its implications. See also “How Financial Service Providers Can Address Common Cybersecurity Threats” (Mar. 16, 2016).

    Read Full Article …
  • From Vol. 2 No.10 (May 11, 2016)

    SEC Teaches Broker-Dealer a Lesson About Keeping Business Emails Secure

    In its continued enforcement of appropriate cybersecurity controls, the SEC initiated administrative proceedings against Craig Scott Capital, LLC (CSC), a broker-dealer based in Uniondale, New York, and its two principals for failing to protect confidential consumer information by using personal email addresses for business matters. “The enforcement action, including the fines imposed, reflects how seriously SEC takes the adoption of and compliance with proper policies and procedures,” Anastasia Rockas, a partner at Skadden, told The Cybersecurity Law Report. The SEC, alleging no harm to consumers, fined CSC $100,000 and its two principals $25,000 each. See also “Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert” (Sep. 30, 2015).

    Read Full Article …
  • From Vol. 2 No.6 (Mar. 16, 2016)

    How Financial Service Providers Can Address Common Cybersecurity Threats

    The National Futures Association’s Interpretive Notice on cybersecurity, which became effective on March 1, 2016, calls for NFA members to adopt an Information Systems Security Program robust enough to guard against increasingly sophisticated cybersecurity threats. Senior NFA personnel and industry experts recently gathered at a workshop to give advice on complying with the Notice and how to strengthen a firm’s ability to prevent, detect and remediate cybersecurity incidents. This article covers the panelists’ discussion of critical cybersecurity threats; cybersecurity response plans; training; and other practical cybersecurity measures. For previous coverage of the NFA workshop, see “Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market Participants” (Mar. 2, 2016). See also CSLR’s two-part series on how the financial services sector can meet the cybersecurity challenge: “A Snapshot of the Regulatory Landscape (Part One of Two)” (Dec. 9, 2015); “A Plan for Building a Cyber-Compliance Program (Part Two)” (Jan. 6, 2016).

    Read Full Article …
  • From Vol. 2 No.5 (Mar. 2, 2016)

    Expert Advice on Newly Effective NFA Cybersecurity Requirements for Market Participants

    How will the National Futures Association’s new Interpretive Notice on cybersecurity (effective March 1, 2016) change data and electronic system security requirements for NFA members? The NFA recently held a Cybersecurity Workshop featuring a number of senior NFA personnel and industry experts to discuss the particulars of the Notice and provide insight into what NFA examiners will be looking for when they conduct member examinations. The program, which was moderated by NFA director Amy McCormick, included NFA directors Shuna Awong, Patricia Cushing and Dale Spoljaric, as well as industry participants Patricia Donahue, senior vice president and chief compliance officer at Rosenthal Collins Group LLC; Buddy Doyle, founder and CEO of Oyster Consulting; and Peter Salmon, a senior director at the Investment Company Institute. See also “New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market” (Nov. 11, 2015).

    Read Full Article …
  • From Vol. 2 No.2 (Jan. 20, 2016)

    Navigating FCA and SEC Cybersecurity Expectations (Part Two of Two)

    When designing cyber-compliance programs, financial firms operating in multiple jurisdictions must adopt a coordinated approach to cybersecurity that meets the divergent regulatory requirements of all jurisdictions in which they are doing business. This two-part series examines the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, albeit with differing approaches. Part One discussed the FCA and SEC as regulators of financial services in their respective jurisdictions and outlined the guidance issued, and the methods adopted, by the two regulators. This article explores how asset managers and others in the financial sector can navigate the current regulatory environments, including existing guidance, in the U.S. and U.K., and simultaneously satisfy the requirements of each regulator. See also “Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)” (Jun. 17, 2015); Part Two (Jul. 1, 2015) and “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015); Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    Navigating FCA and SEC Cybersecurity Expectations (Part One of Two)

    Given the increased scrutiny of cybersecurity by governments around the globe, regulated entities operating in more than one jurisdiction must be aware of the relevant regulatory cybersecurity expectations. This two-part series looks at the operations of the U.K. Financial Conduct Authority (FCA) and the SEC, both of which have increased their focus on cybersecurity, but with differing approaches. Part One discusses the FCA and SEC as regulators of financial services in their respective jurisdictions and outlines the guidance issued, and the methods adopted, by the two regulators. Part Two will explore how the financial sector is navigating the current regulatory environments, including existing guidance, in the U.S. and abroad and how the industry can simultaneously satisfy the requirements of each regulator. See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One)” (Aug. 12, 2015) and Part Two (Aug. 26, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    Cybersecurity and Whistleblowing Converge in a New Wave of SEC Activity

    The SEC has long prioritized incentivizing corporate whistleblowers to report violations of the securities laws, and protecting them when they do. Increasingly, the federal agency also has vigorously enforced certain key aspects of cybersecurity, as its importance has permeated every facet of the way registered entities operate. In a recent webinar, Orrick attorneys Mark Mermelstein, Jill Rosenberg and Renee Phillips examined how these two formerly disassociated areas of regulatory enforcement are converging in a new wave of SEC guidance and enforcement. This article discusses the practitioners’ insights on the SEC’s recent initiatives and enforcement actions both in cybersecurity and whistleblowing contexts; the applicable regulations; and how companies can address and mitigate the risks of cybersecurity whistleblower actions. See also “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments” (May 6, 2015).

    Read Full Article …
  • From Vol. 2 No.1 (Jan. 6, 2016)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Plan for Building a Cyber-Compliance Program (Part Two of Two)

    Despite the abundance of principles-based cybersecurity guidance provided by regulators, interpreting those principles and turning them into actionable items remains a formidable task.  Nevertheless, financial services professionals have a fiduciary duty to devote best efforts to mitigating cyber risk by building an appropriate risk management solution.  In a guest article, the second in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, provides a practical blueprint to build a cyber-compliance program.  Many aspects of the blueprint are not only applicable to those in the financial industry but to other sectors as well.  The first article explored current regulatory expectations applicable to the financial services sector.  See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)” (May 6, 2015) and Part Two (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.18 (Dec. 9, 2015)

    How the Financial Services Sector Can Meet the Cybersecurity Challenge: A Snapshot of the Regulatory Landscape (Part One of Two)

    The cyber focus has become increasingly intense for the financial services sector.  Industry compliance personnel are challenged to keep up with cybersecurity requirements in this area, with new major regulatory developments occurring on a regular basis.  In a guest article, the first in a two-part series, Moshe Luchins, the deputy general counsel and compliance officer of Zweig-DiMenna Associates LLC, explores the current cybersecurity regulatory expectations applicable to the financial services sector.  The second article will provide a practical blueprint for building a cyber compliance program.  See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.16 (Nov. 11, 2015)

    New NFA Notice Provides Cybersecurity Guidance to Futures and Derivatives Market

    Cybersecurity in the futures and derivatives market is “perhaps the single most important new risk to market integrity and financial stability,” according to Commodity Futures Trading Commission Chairman Timothy Massad.  The National Futures Association (NFA), a self-regulatory organization responsible for the registration of certain market participants, recently received approval from the CFTC of its Interpretive Notice to several existing NFA compliance rules.  The new guidance will provide more specific standards for supervisory procedures and will require NFA members to adopt and enforce written policies and procedures to secure customer data and electronic systems.  “The approach of the Interpretive Notice is to tie cybersecurity best practices to a firm’s supervisory obligations,” Stephen Humenik, a Covington & Burling partner, told The Cybersecurity Law Report.  See also “Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.15 (Oct. 28, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part Two of Two)

    With threat vectors increasing at least as rapidly as new technology, companies need to be well-versed in how to recognize and prevent cyber attacks.  In the second installment of our coverage of PLI’s recent Cybersecurity 2015: Managing the Risk program, two top-level executives and leaders in cybersecurity, Jenny Menna, U.S. Bank’s cybersecurity partnership executive, and Greg Temm, vice president for information security and cyber intelligence at MasterCard, tackle mitigating cyber risk.  They discuss, among other things: information sharing efforts; eight important components of an information technology ecosystem; and how to prevent cyber attacks at home and in the office.  In the first article in the series, they addressed the current cyber landscape, prevalent threats, and responses to those threats that are being implemented by the government, regulators and private companies.  See also “Weil Gotshal Attorneys Advise on Key Ways to Anticipate and Counter Cyber Threats,” The Cybersecurity Law Report, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.14 (Oct. 14, 2015)

    MasterCard and U.S. Bancorp Execs Share Tips for Awareness and Prevention of Mushrooming Cyber Risk (Part One of Two)

    Two senior-level executives in the financial industry, leading cybersecurity experts, recently offered their views on how they are balancing the lure of new technology with the associated risks.  In this article, the first in a two-part series covering the PLI program “Cybersecurity 2015: Managing the Risk,” Jenny Menna, the cybersecurity partnership executive at U.S. Bancorp, and Greg Temm, vice president for information security at MasterCard and responsible for MasterCard’s cyber intelligence program, address: the current cyber landscape; the most pressing threats across industries; and how the government, regulators and private companies are responding to those threats.  In the second article, they tackle mitigating cybersecurity risk, including industry projects geared toward improving the overall cybersecurity ecosystem; and tips for avoiding cyber threats at work and home.  See “The SEC’s Updated Cybersecurity Guidance Urges Program Assessments,” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015).

    Read Full Article …
  • From Vol. 1 No.13 (Sep. 30, 2015)

    What the OCIE Cybersecurity Risk Alert Means for Investment Advisers and Broker-Dealers

    Continuing its emphasis on the cyber-preparedness of broker-dealers, the SEC Office of Compliance Inspections and Examinations (OCIE) announced a second round of examinations “to assess implementation of firm procedures and controls.”  On September 15, 2015, OCIE issued a Risk Alert detailing its concerns, as well as sample requests for information in six focus areas: governance and risk assessments, access controls, data security, vendor management, training and incident response.  We analyze the alert and explore the cybersecurity implications for investment advisers and broker-dealers.  See also “Meeting Expectations for SEC Disclosures of Cybersecurity Risks and Incidents (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 10 (Aug. 12, 2015); Part Two, Vol. 1, No. 11 (Aug. 26, 2015).

    Read Full Article …
  • From Vol. 1 No.13 (Sep. 30, 2015)

    Investment Adviser Penalized for Weak Cyber Policies; OCIE Issues Investor Alert

    So far, the SEC’s focus on cybersecurity has largely been relegated to providing guidance to registrants and learning about the state of cybersecurity preparedness through focused examinations.  One sign that the SEC will go further and take action against firms that fail to follow that guidance, regardless of whether harm is alleged, is the recent settlement with investment adviser R.T. Jones Capital Equities Management, Inc.  The firm suffered a cybersecurity breach that compromised information of over 100,000 retirement plan participants and has agreed to pay a $75,000 fine to settle the charges that it violated the Safeguards Rule.  The SEC released a related Investor Alert that offers guidance to individual investors who believe that their personally identifiable information has been compromised.  We provide the highlights.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.11 (Aug. 26, 2015)

    The Development of E-Currency and Its Potential Impact on the Future

    The rapid evolution of decentralized digital currency, like Bitcoin, has been tumultuous.  Without any central authority such as a government, company or bank in charge, it has been riddled with criminal activity, public skepticism and fluctuation in value.  Yet, this revolutionary technology has been recognized by some for the tremendous benefits it can provide in many different environments around the world.  During a recent panel at PLI’s TechLaw Institute 2015: The Digital Evolution, panelists gave an overview of the Bitcoin technology and how it works, and explored the related events of the last several years from a development and a legal enforcement standpoint.  They also shared their view of the future of digital currency.

    Read Full Article …
  • From Vol. 1 No.10 (Aug. 12, 2015)

    Can an Employee Be Liable for Inadvertently Providing Security Details to a Fraudulent Caller?

    An investment management firm’s CFO allowed a fraudulent caller to obtain security details leading to the illegitimate transfer of nearly $1.16 million from the firm’s accounts and is liable for the damages, a new claim filed in the U.K. High Court of Justice alleges.  The firm says that its CFO acted negligently and in breach of his contractual, tortious and fiduciary duties in failing to protect assets in corporate bank accounts.  The CFO – who believed he was providing security details to a member of the anti-fraud team of the firm’s private bank – denies these allegations, asserting that he was acting honestly, in what he reasonably and genuinely believed to be the best interests of his employer.  We examine the claim, the defense, and six issues the case raises relating to cybersecurity and employees.  See also “Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two),” The Cybersecurity Law Report, Vol. 1, No. 3 (May 6, 2015); Part Two of Two, Vol. 1, No. 4 (May 20, 2015).

    Read Full Article …
  • From Vol. 1 No.7 (Jul. 1, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part Two of Two)

    Cybersecurity is one important element of an investment manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that the SEC and other regulators expect fund managers to test for cybersecurity vulnerabilities and preparedness.  A recent program sponsored by K&L Gates and the Investment Adviser Association featuring experts from those entities as well as BNY Mellon and Nth Generation explored the most effective and efficient testing methods.  This article, the second in a two-part series, discusses testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  The first article summarized the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  See also “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.6 (Jun. 17, 2015)

    Regulatory Compliance and Practical Elements of Cybersecurity Testing for Fund Managers (Part One of Two)

    Cybersecurity is one important element of a fund manager’s overall regulatory compliance responsibilities.  Although not explicitly required by SEC regulations, it is clear that managers are expected to test for cybersecurity vulnerabilities and preparedness.  Such testing was recently considered in depth at a program sponsored by K&L Gates and the Investment Adviser Association (IAA).  The program was moderated by Mark C. Amorosi, a partner at K&L Gates.  The other speakers were Laura L. Grossman, assistant general counsel at IAA; Jason Harrell, corporate senior information risk officer at BNY Mellon; Jeromie Jackson, director of security & analytics at Nth Generation; and K&L Gates partners Jeffrey B. Maletta and Andras P. Teleki.  This article, the first in a two-part series, details the panelists’ discussion of the legal and compliance framework for cybersecurity testing; testing considerations; and how to leverage OCIE’s recent cybersecurity examination initiative to improve cybersecurity compliance and testing.  The second article will discuss testing approaches; vulnerability assessments; penetration testing; and recent SEC and private litigation on cybersecurity matters.  See “The SEC’s Two Primary Theories in Cybersecurity Enforcement Actions,” The Cybersecurity Law Report, Vol. 1, No. 1 (Apr. 8, 2015).

    Read Full Article …
  • From Vol. 1 No.5 (Jun. 3, 2015)

    Navigating Data Breaches and Regulatory Compliance for Employee Benefit Plans

    Employee benefit plans, including health and pension plans, are prime targets of hackers, as evident from the most recent Anthem and Premera crises, and the proper proactive and reactive steps are key to mitigating breach risk and breach fallout.  In a recent Strafford webinar, Ogletree Deakins attorneys Vance E. Drawdy, Timothy G. Verrall and Stephen A. Riga shared their insights on best practices for fiduciaries and sponsors to navigate the complex state and federal regulations on data breaches that are applicable to ERISA benefit plans.  This article details some of their advice on preventing, assessing and responding to a plan data breach.  See also “Steps to Take Following a Healthcare Data Breach,” The Cybersecurity Law Report, Vol. 1, No. 2 (Apr. 22, 2015).

    Read Full Article …
  • From Vol. 1 No.4 (May 20, 2015)

    Analyzing and Mitigating Cybersecurity Risks to Investment Managers (Part Two of Two)

    The financial services industry, a favorite target of hackers, is especially vulnerable to cybersecurity threats.  A recent program sponsored by K&L Gates and the Investment Adviser Association addressed the difficult and high-stakes cybersecurity issues investment managers are facing.  This article, the second in a two-part series, discusses the panel’s views on mitigating cybersecurity risks.  The first article summarized the key points raised by the panel relating to the costs of cyber breaches; applicable laws and regulations; and cyber threats.  The program was moderated by Mark C. Amorosi, a partner at K&L Gates, and featured a panel consisting of Jeffrey Bedser, CEO of iThreat Cyber Group; Laura L. Grossman, assistant general counsel of the IAA; Andras P. Teleki, a partner at K&L Gates; and E.J. Yerzak, vice president at Ascendant Compliance Management.

    Read Full Article …
  • From Vol. 1 No.3 (May 6, 2015)

    Analyzing and Mitigating Cybersecurity Threats to Investment Managers (Part One of Two)

    Financial services firms are a key target of hackers and responding to the breaches they may cause does not come cheap – the average response cost in the financial services sector is more than double the overall average of $5.84 million, according to data from the Ponemon Institute LLC.  As incidents increase, regulators are paying closer attention and firms are spending more on cyber preparedness.  A recent program sponsored by K&L Gates and the Investment Adviser Association surveyed the current cybersecurity threat environment and SEC cybersecurity initiatives for the financial services sector; summarized the applicable laws and regulations that bear on cybersecurity; considered the multitude of cybersecurity risks faced by investment managers; and offered a number of strategies for mitigating those risks.

    Read Full Article …
  • From Vol. 1 No.2 (Apr. 22, 2015)

    Debunking Cybersecurity Myths and Setting Program Goals for the Financial Services Industry

    The financial sector has been an obvious target of hackers for a long time.  Increased scrutiny of firms’ security from regulators, including the SEC, and customers has raised the stakes even further as firms try to stay ahead of risks.  ACA Compliance Group recently presented a program to help firms in regulated industries navigate the current cybersecurity landscape.  The panelists, Raj Bakhru and Marc Lotti, both partners at ACA Aponix (the cybersecurity and risk arm of ACA Compliance Group), offered insights into what advisers and fund managers may expect from regulators going forward; discussed common misperceptions about cybersecurity; and explored goals of cybersecurity and technology risk programs.

    Read Full Article …