Compliance Bricks and Mortar – Harvey Edition

My thoughts go out to readers of Compliance Building in Texas who live in the path of Hurricane/Tropical Storm Harvey. I hope you were able to stay on high ground. It looks like this will be the first natural disaster of the Trump administration.

These are some of the compliance-related stories that recently caught my attention.


How the SEC Neglects to Enforce Control Person Liability by Marc I. Steinberg and Forrest Colby Roberts in the CLS Blue Sky Blog

Scholars and politicians alike have spoken and written at great length about the importance of gatekeepers in our current corporate governance system. However, relatively little has been done to discipline gatekeepers who seem to have lost the keys to the gate. Meanwhile, the country’s primary securities regulator, the Securities and Exchange Commission, refuses to employ one of its most powerful tools to keep gatekeepers in check. Our recent article, Laxity at the Gates: The SEC’s Neglect to Enforce Control Person Liability, examines the SEC’s reluctance to bring claims against corporate insiders under Section 20(a) of the Securities Exchange Act, known as the control person provision. [More…]


Audit Report Choice Looms for SEC by Matt Kelly in Radical Compliance

If Clayton wants to cast his lot with the critics who say the PCAOB’s demands upon audit firms (and by extension, upon the companies they audit) are out of control, repudiating its new audit report standard would send that message loud and clear. Or Clayton could toe the historical line, and approve that which the PCAOB has recommended. Or he could finesse some third way, approving the standard while adding caveats and clauses a-plenty to keep all constituencies at least quiet, if not content. [More…]


Improving the SEC’s Enforcement Program: A Ten-Point Blueprint for Reform by Bradley J. Bondi

The SEC should prioritize seeking out and penalizing those individuals, such as Bernie Madoff and Allen Stanford, who commit intentional wrongdoing through schemes designed to defraud investors. The “broken windows” approach, promoted by then-SEC Chair Mary Jo White, disproportionately emphasizes small and sometimes unintentional securities law violations in the hope that doing so will deter more significant violations. But a practical consequence of this is the disproportionate expenditure of the SEC’s limited resources on small and unintentional violations, often against well-intentioned executives and chief compliance officers for negligence-based violations or honest mistakes. As a result, more significant and intentional violations, such as Ponzi schemes, boiler rooms, and bucket shops, may go undetected, unpunished, and undeterred. [More…]


FinCEN expands beneficial owner reporting rules for real estate by Richard L. Cassin in the FCPA Blog

The Treasury Department’s Financial Crimes Enforcement Network added Honolulu Tuesday to a reporting program for real estate deals involving cash transactions. FinCEN also extended reporting requirements for six other metropolitan areas under a data collection program that started in March 2016. The new Geographic Targeting Order (pdf) runs through March 20, 2018. [More…]


In a Boon to Prosecutors, Insider Trading Ruling Is Reshaped by Peter J. Henning in DealBook

Another problem is that the Second Circuit decision also upheld Mr. Martoma’s conviction on the ground that the payments Dr. Gilman received from SAC through the expert networking firm meant there was a quid pro quo relationship. Although he was not paid for the actual information provided to Mr. Martoma about the negative drug trial results, the majority opinion concluded there was enough evidence for the jury to find a tangible benefit that would have met the requirement of the Newman case even before it was rejected in Salman. [More…]


More Changes to Insider Trading Law

With the ground-shaking decision in Newman, insider trading law became a bit murky. Cases have been filling in the gaps left in its wake. The Mathew Martoma appellate decision helped fill in some more.

From a compliance perspective, this is all chasing butterflies and tilting at windmills. It was clear that Mr. Martoma was involved in insider trading. It was just a question of whether it was illegal. He knew the information he was getting was not supposed to be disclosed to the public. He should not have pushed for its disclosure and he should not have traded on it. At least not according to any self-respecting compliance professional at a trading firm.

But I’m sure enforcement professionals are very interested to see if they can find a way to keep their insider trading clients from going to jail.

For me, the current status of the law is that the Newman decision said the government needed to prove the tipper gained a tangible reward, or “personal benefit,” for providing insider information. The 2016 Supreme Court ruling in Salman v. U.S. said proving a tipper and trader were relatives was enough to meet the “personal benefit” standard.

In the Martoma case, the Second Circuit describes the “misappropriation theory” of insider trading:

“that a person . . . violates § 10(b) and Rule 10b‐5[] when he misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information.” Id. at 652. It is thus the breach of a fiduciary duty or other “duty of loyalty and confidentiality” that is a necessary predicate to insider trading liability.

It then goes on to the seminal insider trading case of Dirks v. S.E.C., 463 U.S. 646 (1983)

the Supreme Court held that a “tippee”—someone who is not a corporate insider but who nevertheless receives material nonpublic information from a corporate insider, or “tipper,” and then trades on the information—can also be held liable under § 10(b) and Rule 10b‐5 but “only when the insider has breached his fiduciary duty to the shareholders by disclosing the information to the tippee and the tippee knows or should know that there has been a breach.” Id. at 660. “[T]he test” for whether there has been a breach of a fiduciary duty or other duty of loyalty and confidentiality “is whether the [tipper] personally will benefit, directly or indirectly, from his disclosure” to the tippee. Dirks, 463 U.S. at 662.

It goes on to cite its own United States v. Newman, 773 F.3d 438 (2d Cir. 2014)

To the extent Dirks suggests that a personal benefit may be inferred from a personal relationship between the tipper and tippee, where the tippee’s trades ‘resemble trading by the insider himself followed by a gift of the profits to the recipient,’ we hold that such an inference is impermissible in the absence of proof of a meaningfully close personal relationship that generates an exchange that is objective, consequential, and represents at least a potential gain of a pecuniary or similarly valuable nature.

The Second Circuit comes out with this standard:

Thus, we hold that an insider or tipper personally benefits from a disclosure of inside information whenever the information was disclosed “with the expectation that [the recipient] would trade on it,” … and the disclosure “resemble[s] trading by the insider followed by a gift of the profits to the recipient,” … whether or not there was a “meaningfully close personal relationship” between the tipper and tippee.

From my simplistic compliance perspective, this means that if the tippee pays money or gives something valuable to the tipper in exchange for the information, the tippee risks going to jail.

Martoma gave his tipper money through an expert network agency. As a result, his conviction stands.

I think this leaves golf buddies possibly able to trade on insider knowledge, unless they are relatives or betting on the results.

I should point out that there was a blistering dissent in the case and I’m not sure if Mr. Martoma still has enough cash to appeal to the Supreme Court. We may see more in the Martoma case.

I’m sure that you will be reading many more nuanced discussions about this case and its implications from those much more versed in insider trading than me. But, I think this case does little to change the compliance view on insider trading.

If you want more information on the Martoma case or the SAC Capital attack, read Black Edge. It’s well worth the time if you have any interest in the area.


The One with The Fake Ron Stenson

Some of the things that catch my attention with frauds and Ponzi schemes are the steps that the fraudsters will take to cover up the fraud and how they think they will escape from the fraud unscathed. The recent charges against Jeremy Drake caught my attention because of the steps he took.

The Securities and Exchange Commission has filed the charges, but Mr. Drake has not yet had a chance to refute them. I’m just using the allegations as a way to help me (and maybe you) better understand how frauds evolve.

According to the complaint, Mr. Drake worked as a registered investment adviser representative. He managed to convince a professional athlete and his wife to become his clients. (I poked around, but couldn’t find out who.) The relationship started off with a standard 1% fee.

In 2012 Mr. Drake told them they were entitled to a VIP discount on the fee. I assume (1) his clients pressed him on fees, (2) his firm did not agree to the discount, and (3) Drake lied to keep them as clients. He fed them some gobbledygook about how they were getting credits in their account from the brokerage. I can only assume that he thought he could eventually convince his firm to give the discount.

But there was no discount. The client met with Mr. Drake a year later and he once again spewed out the discounted rate. He documented the fraud by sending fake account statements stating that the clients had paid “net” rates of 0.177% and 0.15%, resulting in “net” fees of $44,994 and $34,737. They had in fact paid a 1.0% rate in both accounts, resulting in actual fees paid of $280,349 and $231,889.

At this point, you may expect that the firm could have spotted Mr. Drake’s fraud. The rep is sending the account statements instead of them coming from the custodian.

A year later, the same discussion over fees happened again and more fake documents were sent. The client’s wife’s first language was not English, so perhaps Mr. Drake thought he could use the language barrier to keep the fraud going. The client’s wife’s assistant was the translator.

In 2016 with a new assistant and a new accountant, the client pressed Drake again. Drake continued with the lies and fake documents. The fraud was not holding together and they pressed Drake on the fee discount. To bolster the fraud, Drake created a false persona named “Ron Stenson” whom he held out as an employee of “Charles Schwab Advisor Services” who could help explain the fee credit. He pressed a colleague into the role of Ron Stenson to answer phone call inquiries.

At this point Mr. Drake realized he couldn’t keep the fraud going. The accounts were short almost a million dollars in the fees the firm was taking compared to what he was telling the clients. I scratch my head wondering how Mr. Drake was going to get out of this. I have to assume that he hoped the firm was going to grant the discount at some point.

Should Mr. Drake’s firm have caught some of this activity through email monitoring? Maybe. I’m skeptical of the effectiveness of email monitoring. It’s full of false positives, causing compliance to stare at a lot of stuff instead of spending time looking at other areas.

Theoretically, Mr. Drake’s clients should have been getting account statements directly from the third-party custodian. That should have shown actual fees deducted and the actual positions held by the client. That is one of the key pillars of the custody rule. The client should be able to verify an advisor’s work by getting the account statement directly from the custodian or getting statements that have been vetted through a third-party auditor.


CCO Sanctioned for Incorrect Form ADV Filings

According to the Securities and Exchange Commission, David I. Osunkwo failed as a CCO by incorrectly stating the amount of AUM and the number of clients for two affiliated investment advisers. Mr. Osunkwo relied on estimates provided to him by the Chief Investment Officer. For that, he was fined $30,000 and suspended for a year from certain jobs related to the investment adviser and securities industry. Unfortunately, this is another instance of the SEC publishing a case that increases the potential liability for CCOs.

Osunkwo served in 2010 and 2011 as the chief compliance officer at Aegis Capital LLC and Circle One Wealth Management LLC. The firms had outsourced CCO duties to a third-party provider called Strategic Consulting Advisors LLC, where Osunkwo was a principal. As part of the outsourcing, Osunkwo was designated CCO of both firms. Osunkwo was tasked with preparing a consolidated 2010 year-end Form ADV for Circle One that would reflect its merger with Aegis under the same parent company, Capital L Group LLC.

According to the SEC, Osunkwo reviewed information of Aegis Capital’s and Circle One’s investment management business and client accounts including 2009 year’s ADV. For 2010 AUM and account information, Osunkwo relied on estimates provided to him by the CIO.

The SEC said the CIO sent Osunkwo an email that stated:

David – . . . I believe AUM was as follows on 12/31 Funds: $36,800,000 Schwab/Fidelity: $96,092,701 (1,179 accounts) (not sure how many customers) Circle One: probably higher than $50m, but hopefully [another employee] told you a number today Total is in the $182.89m range . . . .

I assume that Osunkwo could not show that he relied on anything other than this email.

The problem is that the actual combined AUM of Aegis Capital and Circle One was only $62,862,270.28. The Form ADV overstated the AUM by 190%. The Form ADV also overstated the total client accounts by at least 1,000 accounts, which was off by 340%.

The SEC does not lay out any facts in the order that shows Osunkwo knew the statements were incorrect. On its face, the SEC is imposing liability on a CCO solely related to the compliance operations of a CCO, with no evidence of fraud.

The SEC did not point out that any investors were harmed. This is in contrast to the Diamond CCO liability case where her firm was involved in fraud and her actions effectively covered up that fraud.

The parallel case against Aegis Capital and Circle One Wealth is all about recordkeeping and filing violations. There is no indication of harm to the clients.

At one point the SEC had expressed an unwillingness to prosecute CCOs except in three extreme circumstances:

  1. Participating in the wrongdoing
  2. Hindering the SEC examination or investigation
  3. Wholesale failure

In the case against Mr. Osunkwo, I don’t see any of these three circumstances. Nor does the SEC state or imply that any of these circumstances had occurred. Nor is there any allegation of fraud or harm to clients.

On the face of the order, Mr. Osunkwo relied on the CIO for information included on the Form ADV and as a result he was sanctioned. That leaves all CCOs having to wonder how far they must go to verify information on Form ADV filings. This case tells me that I can’t rely on information from senior firm employees when preparing a Form ADV. Adding in the Diamond case, I have to be concerned about what information the SEC thinks I should have known when filling out the Form ADV.


Eclipse Watching

In case you are unaware, the sun is being blotted out by the moon across all of the United States today. I happen to have traveled to my in-laws, who live right in the path of totality.

I think this astronomical phenomenon is far more interesting than any compliance story I could read or write about.

My one compliance tip is to not look directly at the sun, except during the brief total phase of a solar eclipse if you are in the path of totality.

The only safe way to look directly at the uneclipsed or partially eclipsed sun is through special-purpose solar filters or eclipse glasses. These eclipse glasses or handheld solar viewers should be labeled as being compliant with the ISO 12312-2 international safety standard.

Compliance Bricks and Mortar for August 18

Sorry for the lack of posts this week. I was attending and speaking at the Boston Investment Adviser Compliance Symposium. I needed to earn some continuing education credits for my IACCP designation.

While I was sitting in conferences, here are some of the compliance-related stories that caught my attention.


Accredited Investors vs. Qualified Clients vs. Qualified Purchasers: Understanding Investor Qualifications by Alexander Davie in Strictly Business

The three most common types of investors referenced in these laws and the regulations adopted by the Securities and Exchange Commission (SEC) are 1) accredited investors, 2) qualified clients, and 3) qualified purchasers. While the terms may sound familiar, there are crucial distinctions between each category that have a significant impact on issues like whether a fund qualifies for the private placement exemption, whether a fund’s manager will be entitled to receive performance-based compensation, and whether the fund will be required to register as an investment company. [More…]


Dentist, Claiming Tip Was a Rumor, Wins Insider Trading Case by T. Gorman in SEC Actions

The defense claimed that Mr. Roberts relied on his research but not a rumor of a transaction he received from his brother-in-law, according to a report by Law 360 (Aug. 15, 2017). While Mr. Roberts chose not to testify, his version of the trading transactions was put in evidence by the FBI to whom he had given statements.

Mr. Roberts’ claim about rumors regarding the transaction appears to draw support from the other insider trading cases that swirled around the Shaw transaction. For example, SEC v. Trahan, Civil Action No. 17-cv-731 (W.D. LA. Filed June 6, 2017), is another action based on the deal. It named as defendant Michael Trahan, the owner of engineering consulting company Petra Consultants, Inc. Mr. Trahan was a consultant to Shaw. During his engagement, and before the July 30, 2012 announcement date, an employee of the firm told him about the merger. Mr. Trahan purchased 5,600 shares of Shaw common stock which he sold after the deal announcement for a profit of $69,735.00. The complaint alleged violations of Exchange Act Section 10(b). To resolve the case Mr. Trahan consented to the entry of a permanent injunction prohibiting future violations of Section 10(b). In addition, he agreed to pay disgorgement of $69,735.00, prejudgment interest and a penalty equal to his trading profits. [More…]


Selfie Time: What Could Go Wrong? by Margaret Scavotto, Director of Compliance Services at Management Performance Associates

A nurse aide, lab tech, medical assistant – or any other healthcare employee – is new on the job. They are excited about their new position and decide to take a selfie to memorialize the occasion, then send it off to Facebook, Instagram, Twitter and Snapchat, with the click of a button, in under 20 seconds. What could go wrong? [More…]


Federal Spoofing Conviction by Lewis J. Liman, Jonathan S. Kolodner and Matthew Solomon in the CLS Blue Sky Blog

Coscia was the first trader to be convicted under the anti-spoofing provision of the Commodity Exchange Act (“CEA”), 7 U.S.C. § 6c(a)(5). The Seventh Circuit’s decision upholding Coscia’s conviction marks the first time a federal appellate court has provided guidance on the scope of the anti-spoofing prohibition, and the Circuit’s comprehensive rejection of Coscia’s constitutional challenge fortifies the government’s ability to conduct additional investigations and prosecutions in an environment of increasingly aggressive regulation of the listed futures and derivatives markets. [More…]


SEC Views on Valuation

The Securities and Exchange Commission regulations for investment advisers do not contain any specific requirements on how valuations should be conducted. That means operating under the general anti-fraud provisions. That is, valuations should not be misleading, deceptive or fraudulent. Although there are no specific regulations, there are enforcement actions from the SEC against advisers that the SEC found to have failed in their valuations. Here are four recent cases.

In the Matter of Pacific Investment Management Company LLC (December 1, 2016)
www.sec.gov/litigation/admin/2016/ia-4577.pdf

PIMCO Total Return Exchange-Traded Fund (“BOND”) was one of PIMCO’s first actively managed exchange-traded funds. PIMCO employed an “odd lot” strategy using non-agency mortgage-backed securities. This strategy involved (1) purchasing odd lot positions that traded at a discount to the round lot prices; (2) valuing those positions in BOND at the higher pricing for institutional round lots; and (3) as a result, obtaining immediate positive returns for BOND.

The securities as a pool should all have the same value. But on exit, PIMCO would have to sell at a discount because part of the sale would be odd lots. I find this a tough call. The problem is that the SEC discovered an email that said “[We] can find you several odd lot positions in the coming days that trade well below round lot levels and therefore pricing marks which will help with performance out of the gate.” I assume the SEC found this statement to indicate an intent to be manipulative.

In the Matter of Equinox Fund Management LLC (January 19, 2016)
www.sec.gov/litigation/admin/2016/ia-4315.pdf

An SEC investigation found that Equinox Fund Management LLC calculated management fees contrary to the method described in registration statements for a managed futures fund called The Frontier Fund (TFF), and the firm also deviated from its disclosed valuation methodology for some TFF holdings.

TFF’s registration statements disclosed that Equinox charged management fees based upon the net asset value of each series. But Equinox actually used the notional trading value of the assets, which is the total amount invested including leverage. Equinox consequently overcharged the fund $5.4 million in fees from 2004 to 2011.

SEC v. Summit Asset Strategies Investment Management, LLC and Chris Yoo (September 2015)
https://www.sec.gov/litigation/complaints/2015/comp-pr2015-178.pdf

Summit and its owner Yoo were entitled to a share of profits from an investment fund that Summit advised. Yoo falsely claimed that the fund had purchased 500,000 shares of an entity called Prime Pacific Bank in December 2012 when in reality, the fund did not own this security. Because the Prime Pacific Bank security was purportedly illiquid, Yoo developed a financial model to value this asset. This model showed that the fund’s interest in Prime Pacific Bank had more than tripled in value from the shares’ purchase price of $1.00 per share on December 28, 2012, to $3.81 per share on December 31, 2012. Yoo revised the model to reflect that Prime Pacific Bank had slightly decreased, but still generated a gain from its initial purchase price. Yoo relied on these cumulative gains to justify taking over $2.5 million in fees from the fund.

In the Matter of Alpha Bridge Capital Management (July 1, 2015)
https://www.sec.gov/litigation/admin/2015/ia-4135.pdf

When the Alpha Bridge fund was started in 2001, the adviser told the funds’ investors, administrator, and auditor that the adviser obtained independent, market-grounded price quotes for the securities at issue from registered representatives of two reputable broker-dealers. AlphaBridge’s written valuation policy stated that AlphaBridge obtained monthly price quotes for certain types of less liquid securities from two independent and reputable broker-dealers and used the arithmetic average of these quotes as AlphaBridge’s price for these securities. However, by 2010, AlphaBridge was providing its valuations to those registered representatives of the broker-dealers, who in turn provided those valuations to the fund’s administrator.

Compliance Bricks and Mortar for August 11

These are some of the compliance-related stories that recently caught my attention.


Fiduciary Duty Claims of Start-up Co-Founder Denied

A recent Delaware Court of Chancery opinion analyzed claims that are not uncommon: one of two founders of a start-up, that failed to launch, claimed that the other co-founder breached fiduciary duties by launching another start-up venture with a third-party who then pursued the business plan of the original start-up, but without the original co-founder. In McKenna v. Singer, C.A. No. 11371-VCMR (Del. Ch. July 31, 2017), the court disagreed that the original co-founder of the original start-up entity had any right to an interest in the separate start-up venture later launched with a different third-party. [More…]


First U.S. Trader Prosecuted for ‘Spoofing’ Sees Conviction Upheld by Dave Michaels in the Wall Street Journal

The decision by the U.S. Court of Appeals for the Seventh Circuit in Chicago also buttressed the seven-year-old provision in the Dodd-Frank Act that criminalized spoofing. The court rejected Michael Coscia’s claim that his conviction should be overturned because the law is too vague to be enforced. The three-judge panel found that Mr. Coscia “engaged in 10 weeks of trading” during which his conduct clearly crossed the line drawn by Dodd-Frank. [More…]


Delaware entices corporations with blockchain law by Anne Sherry, J.D. in Jim Hamilton’s World of Securities Regulation

In an effort to continue to attract corporations to the state and curb costly recordkeeping errors, Delaware governor John Carney signed a law to allow corporations in the state to keep records, including the stock ledger, in distributed ledgers, or blockchain. Supporters of the amendments to the Delaware General Corporation Law believe the technology could avert issues like those faced in the Dell appraisal and Dole Food class action. [More…]


Secretary Mattis’ Insights on Ethics by Matt Kelly in Radical Compliance

The message isn’t long: five staccato paragraphs squeezed onto one typewritten page. I haven’t found a copy of the memo posted on the Defense Department website, but it seems authentic, and credible military news organizations such as the U.S. Naval Institute have posted the full text online. [More…]


Should we stop the ‘revolving door’? by Brian Wallheimer in the Chicago Booth Business Review

In a study of SEC lawyers, University of Washington’s Ed deHaan, Rutgers University’s Simi Kedia, Nanyang Technological University’s Kevin Koh, and Columbia University’s Shivaram Rajgopal find that lawyers who left the agency for private law firms were more aggressive than their peers, as evidenced by settlements. DeHaan says that instead of a quid pro quo, those lawyers fall under the human-capital hypothesis. [More…]


And congratulations to Tom Fox on publishing his 2,000th blog post this week.

All Things (Compliance) Considered – Reflections on 2000 Blogs

I began my own blogsite, the FCPA Compliance and Ethics Blog, while continuing to contribute to the FCPA Blog. I also began blogging for Compliance Week and the SCCE Blog. Last month I made it through my 2000th blog posting. To say that I ever thought I would see this day or this many blog posts, would portend a level of clairvoyance that even Carnac the Great could not conceive of pontificating upon. [More…]


Report on Access to Capital and Market Liquidity

Many people seem to think that the new commissioner of the Securities and Exchange Commission, Jay Clayton, is likely to focus more on capital formation issues than the previous commissioner. The recent report on Access to Capital and Market Liquidity from the SEC’s Division of Economic and Risk Analysis caught my attention.

From the signing of Dodd-Frank in 2010 through the end of 2016, the DERA notes $20.20 trillion in capital formation, of which $8.8 trillion was raised through registered offerings, and $11.38 trillion was raised through unregistered offerings. More money is being raised through private placements, than through public offerings. From 2012 to 2016 the amount raised was 26% greater. From 2009 through 2011 it was only 21.6% greater.

That data should be a caution to regulators who want to make changes to Regulation D and the “accredited investor” standard.

“When combined, the capital raised through Regulation D and Rule 144A offerings in a year is consistently larger than the total capital raised via registered equity and debt offerings. Most Regulation D offerings (over 66%) include equity securities; by contrast, in the Rule 144A market, the vast majority of issuers are financial institutions and over 99% of securities are debt securities.”

The report also looks at the new public private-placement offerings under 506(c). Only 3% of the capital raised under Regulation D since rule 506(c) went into effect has been through issuances claiming the 506(c) exemption. The report also noted that the average amount raised in a 506(c) offering is only half of that raised in a Rule 506(b) offering, $13 million to $26 million. “Overall, it is not clear whether offerings under Rule 506(c) are indicative of new capital formation or a reallocation from other offering types.”

What is one of the reasons for a private placement over a public offering? It seems cheaper.

“Nonfinancial issuers paid on average about 6% in total fees for Regulation D offerings in 2009-2016. In comparison, a company going public pays an average gross spread of 7% to its IPO underwriters, while a reporting company raising equity through a follow-on (seasoned) equity offering pays an average gross spread of about 5.4%.”

There is a lot more detail in the report. More than I’m ready to digest (or want to digest).


Cybersecurity Wrap Up – Take Two

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations issued a new Risk Alert this week on cybersecurity. The risk alert summarizes observations from their phase 2 cybersecurity examinations conducted in 2015 and 2016. In phase 2, OCIE examined 75 firms, including broker-dealers, investment advisers, and registered funds.

The examinations focused on written policies and procedures regarding cybersecurity and testing the implementation of those procedures. The exams also sought to better understand how firms managed their cybersecurity preparedness by focusing on

  1. governance and risk assessment;
  2. access rights and controls;
  3. data loss prevention;
  4. vendor management;
  5. training; and
  6. incident response.

What are firms doing right?

  • Conducting periodic risk assessments of critical systems to identify cybersecurity threats, vulnerabilities, and the potential business consequences of a cyber incident.
  • Conducting penetration tests and vulnerability scans on systems that the firms considered to be critical.
  • Using some form of system, utility, or tool to prevent, detect, and monitor data loss as it relates to personally identifiable information.
  • Ensuring regular system maintenance, including the installation of software patches to address security vulnerabilities.
  • Having business continuity plans and response plans.
  • Identifying cybersecurity roles and responsibilities for the firms’ workforce.
  • Verifying customer identification before transferring funds.
  • Conducting vendor risk assessments.

What are firms doing wrong?

  • Policies and procedures were not reasonably tailored to the organization.
  • Not conducting annual reviews.
  • Not reviewing security protocols at least annually.
  • Inconsistent instructions on remote access.
  • Not making sure that all employees received cybersecurity training.
  • Not fixing problems found in penetration tests.

The risk alert finishes with the elements the OCIE sees as indicative of a firm implementing robust cybersecurity controls. I think most CCOs should grab a copy of the risk alert and sit down with their policies and CTOs to see how they stack up against those elements.
