Posts in Cyber Security.

In its April 27 Weekly Update, the Financial Industry Regulatory Authority’s (“FINRA”) National Cause and Financial Crimes Detection program urged FINRA member firms to review a cyber-threat alert arising from Russia’s invasion of Ukraine.

The Cybersecurity and Infrastructure Security Administration (“CISA”) issued an April 20, 2022, Advisory warning of increased Russian state-sponsored and criminal cyber threats in retaliation for Western support for resistance to Russia’s invasion of Ukraine. The cybersecurity authorities of Australia, Canada, New ...

On March 31, 2022, the Securities Industry and Financial Markets Association (“SIFMA”) released its after-action report on Quantum Dawn VI – a global financial-markets cybersecurity exercise.

Quantum Dawn VI was conducted on November 18, 2021, with over 1,000 participants from 240 financial institutions and regulatory bodies representing 20 countries. The exercise simulated a large-scale ransomware attack by a state actor against major global financial institutions and regulators. The scenario was chosen, in part, based upon an observed 93% increase in ransomware ...

Continuing its active regulatory agenda, the Securities and Exchange Commission on March 9, 2022, proposed new cybersecurity regulations for reporting public companies. Although couched as a series of “disclosure” requirements, the proposed list of required disclosures can be viewed as a de facto prescription of what public companies must do and say on cybersecurity; that prompted Commissioner Peirce to dissent.

The Proposed Rule would require reporting public companies to promptly disclose “material cybersecurity incidents” and their response, updating those ...

Posted in: Cyber Security, SEC

The regular “Weekly Update” email from the Financial Industry Regulatory Authority (“FINRA”) had an eye-catching warning February 16, urging broker-dealer member firms to heed the “Shields Up” cyber threat warning from the Cybersecurity and Infrastructure Security Agency (“CISA”) and the FBI.

That warning urged heightened cybersecurity vigilance “related to Russia’s potential destabilizing activities against Ukraine.” The CISA alert said, “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the ...

On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.

Relying on the Commission’s mission to protect investors and ensure orderly markets, the Release cites increasing cybersecurity threats and emphasizes the disruptive consequences and costs (to advisers, funds and investors) of unpreparedness. The Release grounds the Proposal in advisers’ fiduciary duty to clients and the anti-fraud “compliance rule” requiring written policies ...

Posted in: Cyber Security, SEC

Over the last couple of decades, the securities self-regulatory organization FINRA (f/k/a NASD) has informed its membership each year of the compliance risks noted by its examination program. Those are risks firms should address, and they might also be harbingers of enforcement focus for the coming year. Years ago, it was the “Errico Letter” - a friendly reminder from NASD’s Head of Member Regulation. Then it became the Examination Priorities Letter. Now it’s a Report, but with a more useful assemblage of the Rules and Resources applicable to each risk called out.

Some risks have ...

Posted in: Cyber Security, FINRA

FINRA held its bi-annual Cybersecurity Conference in January and recently published five take-away real-world experiences from the conference:

  • A firm’s social media posts about a charity golf tournament tipped the scammers when to send an urgent email changing wire instructions, while most of the firm’s management was out on the course;
  • A thumb-drive planted in a parking lot labeled “bonuses,” “payroll,” or “commissions” proved bait too tasty for a firm’s personnel to resist;
  • Even the best vendor-based data systems have hidden vulnerabilities lurking ...

Posted in: Cyber Security, FINRA

Implemented in September, the Securities Exchange Commission's ("SEC") Cyber Unit has brought its first enforcement action against an "Initial Coin Offering" ("ICO") called PlexCoin. ICOs, which are listed on digital exchanges, are designed to raise money through the issuance of digital tokens. Generally, coins or tokens entitle investors to certain rights related to a venture underlying the ICO, such as a right to profits, shares of assets, rights to use certain services provided by the issuer, and/or voting rights. The SEC recently hinted that an ICO's digital coins are ...

Posted in: Cyber Security

The Securities Exchange Commission ("SEC") has been busy the last couple of months on the cyber front. On September 20, the SEC announced a renewed focus on cybersecurity efforts and disclosed that it had been a victim of a cyber-attack, which may have allowed hackers to use nonpublic information to make illicit gains. The press release revealed that the breach was induced by a software vulnerability in the SEC's EDGAR system. In a more detailed statement on the matter, SEC Chairman Jay Clayton opened the door for cyber-attack related enforcement actions directed at public companies. He ...

Posted in: Cyber Security

To avoid potential personal liability for cybersecurity breaches, bank directors should take proactive steps to make sure their institution complies with all applicable regulations. In the wake of recent well-publicized breaches of cybersecurity, regulations and new legislation have proliferated, putting bank directors in the cross-hairs of scrutiny for potential liability. A board of directors may find that trying to defend its inaction regarding cybersecurity on claims of delegation to information technology and risk management teams no longer suffices. As SEC ...

Posted in: Cyber Security

A week after OCIE announced it would conduct a second round of cyber-security exams, the Commission emphasized the issue by bringing an enforcement action against a non-custodial investment-adviser over a remediated data breach that caused no customer harm. The adviser used a third-party-hosted web server, on which was stored the personally-identifiable information ("PII") of about 100,000 people, including the firm's 8,400 customers. The server suffered a cyber-attack and data breach in July 2013. The firm responded by retaining multiple consultants, investigating the ...