Tag Archives: SEC

SEC Cybersecurity Actions Against Registered Firms for Business Email Compromises Emphasize Importance of MFA

On August 30, 2021, the Securities and Exchange Commission (“SEC”) announced three settled orders against several investment advisers, broker-dealers, and dual registrants for violations of Regulation S-P allegedly resulting from business email compromises that each exposed or potentially exposed the personal information of thousands of customers.[1] These enforcement actions underscore the following lessons for broker-dealers and … Continue Reading

SEC Scrutinizes Use of Fintech by Broker-Dealers and Investment Advisers

The Securities and Exchange Commission (“SEC”) recently issued a request for information and public comment on the use of new and emerging technologies by investment advisers and broker-dealers that suggests potential regulatory action to come.[1] According to its release, the SEC is seeking to understand how registrants — whether online brokerages, robo-advisers, internet investment advisers, … Continue Reading

Cybersecurity Remains a Top SEC Examination Priority in the New Decade

It may be a new decade, but the focus of the Securities and Exchange Commission (SEC) on cybersecurity has not shifted. In particular, the SEC noted in its 2020 Examination Priorities that the Office of Compliance Inspections and Examinations (OCIE) “will continue to prioritize cyber and information security risks across the entire examination program.” This … Continue Reading

Broker-Dealer and Investment Adviser Agrees to Settle SEC Enforcement Action Arising From a Data Security Incident

The U.S. Securities and Exchange Commission (SEC) recently announced a consent order settling an enforcement action brought by the SEC against Voya Financial Advisors Inc. (VFA) in connection with a data security incident that occurred in 2016. VFA is a registered broker-dealer and investment adviser with the SEC. The order memorializes the SEC’s agreement to … Continue Reading

SEC Investigation Highlights BEC Risk and Need for Comprehensive Risk Assessments by Public Companies

The Securities and Exchange Commission issued a press release and an investigative report on Oct. 16 cautioning public companies to consider cyber threats when implementing internal accounting controls. The report stems from the SEC’s investigation of nine companies that lost between $1 million and $100 million each in so-called business email compromise (BEC) frauds, in … Continue Reading

SEC Clarifies Existing Cybersecurity Disclosure Guidance

On February 21, 2018, the U.S. Securities and Exchange Commission (“SEC”) issued cybersecurity disclosure guidance for public companies (“SEC Guidance”) that, according to SEC Chair Jay Clayton, “reinforces and expands” on the SEC Division of Corporation Finance’s prior guidance from 2011 (“Corp Fin Guidance” as we previously covered) regarding disclosure requirements under the federal securities … Continue Reading

Former SEC Commissioner Luis A. Aguilar Describes Corporate Directors’ Cybersecurity Duties

When Luis A. Aguilar was a commissioner at the Securities and Exchange Commission, he helped organize the SEC’s March 2014 roundtable to discuss the cyber risks facing public companies. The numerous data breaches that have occurred at public companies, from Target to Yahoo and many more, show that public companies have not yet succeeded in … Continue Reading

Data Security in the Financial Industry: Five Key Developments to Keep An Eye on in 2016

According to a 2015 report on threats to the financial services sector, 41% of financial services organizations polled had experienced a data breach or failed a compliance audit in the previous year, and 57% listed preventing a data breach as their top IT priority.  Reflecting the ever-increasing awareness of threats to financial data security, 2015 … Continue Reading

The SEC OCIE Announces Increased Scrutiny of Broker-Dealers’ and Investment Advisers’ Cybersecurity Programs

On September 15, 2015, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert (2015 Risk Alert) to provide broker-dealers and investment advisers with information on the focus areas of its upcoming round of cybersecurity examinations. OCIE is building on its previous cybersecurity examinations to increase … Continue Reading

Lost, Unencrypted Laptop Leads FINRA to Fine a Broker-Dealer $225,000 for Violating Reg S-P

With the recent focus by the SEC and FINRA on cybersecurity for broker-dealers and investment advisers as a backdrop, FINRA recently brought and settled an enforcement action under SEC Regulation S-P against broker-dealer Sterne, Agee & Leach, Inc. The case arose from a May 2014 incident in which a Sterne information technology employee inadvertently left … Continue Reading

SEC Adopts Rules to Improve Systems Compliance and Integrity

On November 19, 2014, the Securities and Exchange Commission (SEC) unanimously voted to adopt Regulation Systems Compliance and Integrity (Reg SCI), which will govern the technology infrastructure of the U.S.’s securities exchanges and certain other trading platforms and market participants.[1] Reg SCI will supersede and replace the SEC’s current Automation Review Policy (ARP). The new … Continue Reading

How to Respond to SEC Inquiries Concerning Data Breach and Data Security Policies

Every company, whether public or private, has exposure to potential data breach or theft of confidential information. When this occurs, various state and federal regulatory organizations have jurisdiction over ensuring that there is prompt, corrective, and remedial action taken by the company whose systems have been compromised. Much of the focus of articles and commentary … Continue Reading

Broker-Dealers and Investment Advisers Now Targeted by Both Cyber Intruders and SEC Cybersecurity Examiners

The following BakerHostetler Executive Alert was authored by Andrew W. Reich and Jonathan A. Forman. Cybersecurity has increasingly become a critical issue for all types of businesses, few more so than broker-dealers, investment advisers and others in the financial sector. The cyber threat is much broader than customer data privacy as addressed by the Securities … Continue Reading

SEC To Issue Stronger Cybersecurity Guidance?

In February we wrote about whether Facebook’s IPO would set the tone under the SEC’s then-relatively new cybersecurity disclosure guidance. In subsequent months, it has become apparent that this guidance is still not yielding the level of disclosure on cybersecurity matters that regulators want. This is especially true with respect to the disclosure of past … Continue Reading

SEC Greenlights Use of Social Media for Publicly Disclosing Company Information

Co-authored by Jonathan Nowakowski. Recognizing the reality that many investors likely get more information from Facebook and Twitter than a corporate 10-K and that most public companies have a robust social media presence, the U.S. Securities and Exchange Commission (“SEC”) recently weighed in on the use of social media by public companies to disclose material … Continue Reading

SEC and CFTC Propose Identity Theft Prevention Rules

Reflective of an increased interest in data privacy concerns, on February 28, 2012, the Securities and Exchange and Commodity Futures Trading commissions jointly released proposed rules designed to protect investors from identity theft by mandating the creation of programs to detect potential security threats.  The proposed rules are meant to implement Title X of the … Continue Reading

Will Facebook’s IPO Cybersecurity Disclosures Set the Tone Under SEC’s New Guidance?

Facebook filed its long-awaited Form S-1 with the SEC on February 1.  Given the nature of its business, concerns regarding data privacy were peppered throughout the filing.  While other business risk factors may be paramount (e.g., reliance on Zynga, slowing growth, etc.), data privacy has been and will continue to be an important issue for … Continue Reading

SEC Provides Guidance on Cybersecurity Disclosure Obligations

The SEC released a guidance document on October 13, 2011, which set forth the views of the Division of Corporation Finance regarding disclosure obligations relating to cybersecurity risks and incidents.  Even though there is no disclosure requirement specific to cybersecurity risks and incidents, information about such incidents and their effects may need to be disclosed … Continue Reading