More On Legal & Compliancefrom The Advisor's Professional Library
- Preventing and Dealing with Client Complaints Although the SEC has not provided specific guidance on how client complaints should be handled, a firms policies and procedures should provide clear direction how to do so, as neglecting complaints can exacerbate a bad situation.
- Client Commission Practices and Soft Dollars RIAs should always evaluate whether the products and services they receive from broker-dealers are appropriate. The SEC suggested that an RIAs failure to stay within the scope of the Section 28(e) safe harbor may violate the advisors fiduciary duty to clients, so RIAs must evaluate their soft dollar relationships on a regular basis to ensure they are disclosed properly and that they do not negatively impact the best execution of clients transactions.
The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees and hackers penetrating BD systems, Daniel Sibears of FINRA said at the Securities and Exchange Commission's cybersecurity roundtable.
Sibears, executive vice president of regulatory operations and shared services at FINRA, said those key threats were found in FINRA's recently launched cybersecurity exam sweep of BDs. “We have just started to get the results in of the sweep,” Sibears said, stressing that only a cross section of BDs had been analyzed and results were preliminary.
Sibears noted that beyond the top three threats mentioned above, BDs are also concerned about “phishing attacks” where customer information is misappropriated, trades are made and money is transferred out of a client's account.
John Denning, senior vice president of operational policy integration, development and strategy at Bank of America Merrill Lynch, who sat on the panel with Sibears, said that “firms must have robust information sharing systems” with law enforcement and regulators. “It's the only way we’re going to be able to reduce risk to the sector, to start the information sharing.”
Craig Thomas, chief information security officer at Computershare, said that firms must “believe that you are going to get attacked. You have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Should the SEC Do?
The “SEC should provide principles-based guidance due to the constantly changing landscape,” said Marcus Prendergast, director and corporate information security officer of ITG.
Sibears added that it was likely FINRA would “push out some effective practices,” but whether guidance would be rules-based or principles-based, he “can't say.”
However, he said, “we recognize this is a rapidly changing environment, so there has to be a component that allows the industry to adapt.”
Indeed, Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted during the first panel at the roundtable that while the financial services industry is likely the “most advanced in terms of thinking about cybersecurity” as they have “become technology firms,” they should exert a constant effort “to stay ahead” of potential threats.
“You can never say you are completely prepared,” he said.
Larry Zelvin, director of the National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security, added that “finance wins the cybersecurity threat award.” The sector is a “massive target” and those who want to attack the sector are “looking for an opening every day,” are “getting creative” and are multiplying quickly, he said.
SEC Commissioner Luis Aguilar said that the commission should establish a cybersecurity task force with members from each division.
Both the SEC and FINRA listed cybersecurity as one of their top exam issues for this year. FINRA issued in early February its targeted exam letter to firms stating that the self-regulator was assessing how firms manage cybersecurity threats.
The House Committee on Homeland Security unanimously approved in early February H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.
The bill was sent to the full House for consideration.
The committee said in a statement that the Act “addresses the cyberthreat by giving the Department of Homeland Security (DHS) the tools to secure our nation in cyberspace, while protecting privacy and civil liberties and prohibiting any new regulations at DHS.”
The bill codifies several cybersecurity efforts already in progress; beefs up others, like the National Cybersecurity and Communications Integration Center; and focuses on partnerships with the private sector. It is intended to be budget neutral.
As for the SEC, Jane Jarcho, national associate director of OCIE's National Exam Program, told chief compliance officers in late January that OCIE's exams will include assessing firms’ cybersecurity policies—and noted in early March that small firms won't get a “pass” on being required to have such policies.
The SEC announced in mid-April that is has started cybersecurity-related exams of more than 50 registered BDs and RIAs.