FINRA’s examination program has undergone its most significant reorganization in decades. As stated in a press release, Oct. 1, 2018, FINRA’s goal for the reorganization was to “consolidate its Examination and Risk Monitoring Programs, integrating three separate programs into a single, unified program to drive more effective oversight and greater consistency, eliminate duplication and

On January 7, 2020, the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 examination priorities.  OCIE is prioritizing practices, products, and services that it believes present heightened risks to investors or market integrity.  The examination priorities are organized around seven themes, many of which build on OCIE’s priorities

For years, we have waited with bated breath the arrival of the “Internet of Things” (IoT) to transform garages into smart factories, cars into autonomous vehicles and ordinary homes into smart homes completely controllable by cellphones. Two technologies underpinning this world of the future (inexpensive sensors and 5G networking) will catalyze this vision in 2020. Gartner predicts that connected devices will rise from 8.4B in 2017 to 20.4B in 2020. While the hurdles for this vision are many (increased regulation, privacy concerns, and the trade war, which may bifurcate the IoT due to geopolitical disputes regarding 5G), the McKinsey Global Institute estimates that IoT technologies will create between $3.9T and $11.1T in economic value globally by 2025. Those interested in capitalizing on this world of the future should be mindful of the legal framework of the future (and near present).

Continue Reading

While customer data breaches are garnering a lot of media attention, a subtler but equally problematic cybercrime is slowly on the rise — domain spoofing.

In this context, cybercriminals register domain names that are virtually identical to an entity’s legitimate domain name and/or brand, often with subtle misspellings or the addition of business designations or generic words describing the entity’s business. The false domain names are so similar to a company’s actual domain and/or brand that they appear legitimate.

The cybercriminals then use the deceptively similar domain name to create email addresses and send emails impersonating a company or its employees, sometimes using the names of the entity’s actual employees — a tactic commonly called “email spoofing.” Those emails typically contain malware in links or attachments, which are triggered by clicking the link or opening the attachment. Other email spoofing schemes attempt to trick recipients into providing login credentials, providing payment card information, or routing wire transfers to the cybercriminal’s bank account.


Continue Reading

For years, corporate boards have hired third-party companies to conduct financial audits to assure that there is no fraud or other breaches of fiduciary responsibility by management. Cyber risks should be managed similarly. Who can thoroughly evaluate whether management is prepared to protect the company when its systems are attacked or when a data breach occurs? Is management prepared to execute the company’s incident response plan, or is it just sitting on the shelf untested?

Continue Reading

In one of this year’s largest HIPAA settlements, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) is set to collect $3 million from the University of Rochester Medical Center (URMC). This settlement over potential violations of the Privacy and Security Rules under HIPAA also requires URMC to follow a corrective action plan that includes two years of HIPAA compliance monitoring by OCR.
Continue Reading

National Cybersecurity Awareness Month (NCSAM) is coming to a close, but diligent cybersecurity efforts must continue. In honor of another successful NCSAM, below we have gathered some of our most popular cybersecurity content you can use as a quick reference for all of your cyber-related interests.

Recent headlines have detailed foreign-state actors targeting utilities and independent power producers in the United States to gain access to critical infrastructure at the nation’s utilities and military installations.[1]  Cybersecurity practices within the independent power industry vary widely depending on the asset type and the operator’s sophistication.  Despite this risk, purchase agreements and credit agreements for renewable energy facilities do not typically address compliance with cybersecurity standards.  Generic representations and covenants relating to compliance with law or maintenance of project assets in compliance with prudent industry practices inadequately protect acquirers and lenders from cybersecurity risks.  The overwhelming majority of renewable power projects are considered low impact under NERC’s Critical Infrastructure Protection standards and, thus, not subject to significant regulation.[2]

Continue Reading

FINRA issued their 2019 Report on Examination Findings and Observations ahead of prior years’ reports.

FINRA Changes Approach in Communicating Exam Results 

This most recent report, issued on October 16, 2019, starts by highlighting a recently implemented distinction on their part as to how they communicate exam results to firms. That is, FINRA stated that they now report “findings,” which are violations of the rules, and “observations” (f/k/a “recommendations”), which are “suggestions to [the] … firm about how it could improve its control environment in order to address perceived weaknesses that elevate risk, but do not typically rise to the level of a rule violation or cannot be tied to an existing rule.”
Continue Reading