On January 11, 2016, the Securities and Exchange Commission announced the 2016 examination priorities list. For the third year in a row, cybersecurity is a top concern, especially with regard to internal security program assessment and evaluation. This year the Office of Compliance Inspections and Examinations (OCIE) will focus on cybersecurity protocols implemented by financial
FAST Act Drives Long-Awaited Gramm-Leach-Bliley Amendment
In late 2015, Congress passed the Fixing America’s Surface Transportation Act, a vehicle for an amendment to the Gramm-Leach-Bliley Act (GLBA) meant to eliminate the need for certain companies to provide annual privacy disclosures to consumers.
The amendment, which took effect immediately, eliminates the annual notice requirement for financial institutions that:
- do not share
…
Quantum Dawn 3: SIFMA’s Cybergames
It reads like a movie script: First, the financial services industry experiences a bout of firm-specific attacks in the form of distributed denial of service (DDoS), domain name system (DNS) poisoning, or breach of personally identifiable information (PII). One day later, trade order processing at major exchanges and alternative trading systems (ATS) is disrupted. On…
SEC Freezes Hacker’s Assets
Federal oversight related to hacking recently made headlines when a federal court in New Jersey granted the Securities and Exchange Commission’s (SEC’s) motion to freeze assets connected to a hedge fund manager accused of hacking unpublished news releases pertaining to publicly traded companies.
The scheme involved David Amaryan, of Russian descent, who allegedly hacked into…
Through the Wire: SEC Turns its Sights on Insider Trading, Hacking and Data Thievery
There once existed a time when a crew of skydiving surfers could throw on surprisingly well-crafted ex-president masks, stroll into a cash-heavy bank and rob the institution blind. There was a time when the weapon of choice for a bank robbery was a sawn-off shotgun and an ingenious disguise. There was a time when a handwritten note riddled with grammatical errors was handed over to a shaking bank teller, or power tools and explosives were used to bust open vault doors as a getaway driver idled at the curb waiting for the right moment to disappear in a fog of tire smoke. But that time has faded. That time is over. The ex-presidents are finished, and new, invisible and far more effective crews are moving in and taking over the very old and familiar business model of robbery.
Organized gangs of international hackers have replaced the old tools and techniques of the trade with skills and technology that yield results and efficiencies unimaginable to even the most prolific robbers and thieves of the past era. And by some experts’ accounts, these organizations are just getting started. This is not news though. It is well-known that hackers are so adept at navigating code and circumventing security systems that, with the assistance of only a laptop, an internet connection and likely some Red Bull, Adderall and a few late nights, they are able to access the most sensitive data on the most sensitive servers. Amongst many other companies, Adobe, Zappos and AshleyMadison.com have all been hacked. Even the United States Office of Personnel Management suffered the largest breach of government data in history this year. And now, increasingly, the financial securities industry needs to be worried.
This week, the Securities and Exchange Commission (SEC) announced in a press release that Ukrainian-based Jaspen Capital Partners Limited and CEO Andriy Supranonok have agreed to pay $30 million to settle allegations that they made massive financial gains from trading on non-public corporate news releases that were hacked and stolen from newswire services. It appears now that the glory days of receiving stock tips while enjoying a 25-year-old scotch at a roof-top party in Manhattan have diminished in favor of those traders obtaining their tips from the murky labyrinth of the hacking world.
SEC’s OCIE Issues a Second Cybersecurity Risk Alert
On Sept. 15, 2015, the Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) published its second cybersecurity risk alert (the “2015 Risk Alert”). The 2015 Risk Alert is a follow-up to the OCIE’s April 2014 cybersecurity initiative risk alert (the “2014 Risk Alert”), which announced a series of examinations to identify cybersecurity risks and assess cybersecurity preparedness in the securities industry. The 2015 Risk Alert puts broker-dealers (BDs) and investment advisers (IAs) on notice that OCIE will seek additional information and expand its area of focus in this second round of cybersecurity examinations.
SEC Division of Investment Management Issues Cybersecurity Guidance for Investment Funds and Advisers
The U.S. Securities and Exchange Commission’s (“SEC”) Division of Investment Management (“Division”) recently released a Guidance Update (“Guidance”) highlighting the importance of cybersecurity for registered investment companies (“funds”) and registered investment advisers (“advisers”). This Guidance is similar to the Department of Justice’s recently issued Best Practices regarding preparation for and response to cybersecurity breaches. (See our post on the DOJ’s Best Practices here). In the Guidance, the Division identified a number of measures for funds and advisers to consider in addressing cybersecurity risk and rapid response capability.
How Does Your Firm Compare? Results from the SEC’s Cybersecurity Examinations
On Feb. 3, 2015, the Securities and Exchange Commission (SEC) published a Risk Alert summarizing observations gleaned from a cybersecurity examination sweep of 57 registered broker-dealers (BDs) and 49 registered investment advisers (IAs). The examination sweep followed an April 2014 announcement that the SEC’s Office of Compliance Inspections and Examinations (OCIE) 2014 Examination Priorities included…
SIFMA Sets Forth Principles for Effective Cybersecurity Regulatory Guidance
On October 20, 2014, the Securities Industry and Financial Markets Association (SIFMA) issued guidance intended to protect the financial sector’s data security and infrastructure. SIFMA noted that the SEC, CFTC and other regulatory agencies are reviewing their cybersecurity policies, regulations and guidance with the goal of strengthening the financial sector’s defense against and response to cyber attacks, and of harmonizing regulations and guidance for greater effectiveness. To facilitate the effort between SIFMA’s members and the regulatory agencies, SIFMA proposed ten principles for effective cybersecurity regulatory guidance: