It’s no secret that cybersecurity threats have become increasingly prevalent in our society. The recent Equifax data breach exposed sensitive personal information of 143 million American consumers—approximately 44% of the U.S. population. Even the SEC is vulnerable, as it demonstrated when revealing hackers accessed its EDGAR database in 2016 to conduct illegal trades. As more personal data is released through the Internet and more sophisticated hacking tools are developed, it seems inevitable that businesses holding such data will eventually experience an attack. Financial services firms are prime targets.
In recent years, securities regulators have steadily increased the volume on their message that broker dealers and investment advisers must be proactive about addressing cybersecurity. Soon after government officials revealed the SEC had been hacked, SEC Chairman Jay Clayton issued a statement containing a dire warning about cybersecurity attacks, along with an outline of the SEC’s own efforts to protect its data. FINRA, in every Examination Priorities Letter it has issued since 2013, has named cybersecurity and protection of private customer data as a top priority. The North American Securities Administrators Association (NASAA), of which every state securities regulator is a member, has also repeatedly emphasized the importance of cybersecurity. In September 2017, NASAA’s newly elected president, Joe Borg—who has a long-standing reputation as being tough on enforcement—highlighted cybersecurity as a top priority, noting that NASAA intends to consider a model cybersecurity rule for investment advisers in the coming year. NASAA also recently released a report detailing nearly 700 cybersecurity-related deficiencies uncovered in examinations of state-registered investment advisers in 2017.
What does this mean for investment advisers and broker dealers?
As cybersecurity attacks increase, so too will regulators’ efforts to crack down on firms that fail to take proactive steps to prevent cybersecurity attacks and to adequately address breaches if and when they occur. It means broker dealers and investment advisers, regardless of size or assets under management, should have a cybersecurity program in place as of yesterday, and one that does more than vaguely declare, statically in the back of a file cabinet somewhere, “we shall be cybersecure.”
Thankfully, there are existing frameworks out there to assist firms in developing and implementing an effective cybersecurity program. At Avisen, we can help you navigate these frameworks, and the securities regulations surrounding cybersecurity and privacy, so that you can meet these evolving challenges head on.
Brian Edstrom is a Shareholder and Attorney at Avisen Legal, P.A. He brings to Avisen clients the ability to “speak regulator,” having spent several years working for federal and state regulators in Washington D.C. and Saint Paul, MN before entering private practice. Brian assists clients in all aspects of working with securities regulators, whether it be to obtain a license or registration, prepare for an audit, or respond to an enforcement investigation. Brian also regularly advises clients on their general business needs, particularly surrounding raising money through