On January 12, 2017 the SEC announced its Office of Compliance Inspections and Examinations (OCIE) priorities for the year, including areas of focus for Retail Investors, Senior Investors and Retirement Investments, Market-wide risks, FINRA oversight, and cybersecurity. These priorities reflect an extension of previous years’ commitments, in particular with regard to focus on the retirement industry and cybersecurity. The “Regulation Systems Compliance and Integrity” (Regulation SCI) adopted by the SEC in November 2014 will also be a continued focus.
Once again, protection of retail investors is of primary concern for the OCIE. Among the detailed areas of focus are examining risks related to electronic investment advice, “wrap fee” programs where investors are charged a single fee for bundled advisory and brokerage services, and “Never-before examined” Investment advisers, an initiative that was started in 2014 to engage with newly-registered advisers that had never-before been examined. Examination of Exchange-Traded funds (ETFs) and continuation of the ReTIRE initiative are two carryovers from 2016 priorities . The OCIE previously identified ETFs, which are sometimes seen as alternatives to mutual funds, for examination related to compliance with the Securities Exchange Act of 1934 and the Investment Company Act of 1940. ReTIRE, launched in June 2015, places particular focus on those SEC-registered investment advisers and broker dealers who offer retirement-oriented investment services to retail investors, including examining whether there is a reasonable basis for the recommendations made. This year, the SEC will expand ReTIRE to include “assessing controls surrounding cross-transactions, particularly with respect to fixed income securities.”
Last week, several securities industry groups filed critical responses to the SEC’s plan for an audit trail. While most groups that commented on the SEC’s proposed regulation supported implementing the proposal, several had concerns regarding the cost for investors and firms, and the protection of private data.
On July 7, 2016, Judge Paul A. Magnuson of the United States District Court for the District of Minnesota granted Defendants’ Motions to Dismiss a shareholder class action that had been initiated following a 2013 holiday season data breach involving customers of Target Corporation (“Target,” or “the Company”). The data breach, which resulted in the release of information of approximately 70 million consumer credit and debit cards, made headlines as one of the biggest privacy hacks at the time. Initially disclosed to the public in December 2013, with an estimated 40 million credit and debit cards affected, Target subsequently revealed a little less than a month later that additional consumer data, including customers’ names, mailing addresses, phone numbers and email addresses, were also stolen, and increased its initial estimate to 110 million.
For the last few years, the SEC has been issuing guidance as to appropriate cybersecurity policies and procedures for financial firms. In a move that signal’s the regulator’s willingness to put muscle into its cybersecurity guidance, the SEC announced an agreement with St. Louis-based investment company, R.T. Jones Capital Equities Management (“R.T. Jones” or “the company”), to settle charges that the company failed to adequately safeguard the personal information (“PI”) of approximately 100,000 individuals. Consistent with this trend, the SEC has announced that its Office of Compliance Inspections and Examinations (“OCIE”) would be conducting a second round of investigations into the cybersecurity practices of brokerage and advisory firms (the “Cybersecurity Examination Initiative”). These moves signal the SEC’s increasing scrutiny of investment firms’ information security practices and indicate the regulator’s willingness to enforce the guidance that it has issued.
On August 11, 2015, the SEC announced that it was bringing fraud charges against 32 defendants for their alleged participation in a five-year, international hacking and insider trading scheme. According to the SEC, two Ukrainian men hacked into at least two major newswire services, stole non-public copies of embargoed corporate announcements containing quarterly and annual earnings data, and provided the announcements to 30 other defendants, who traded off the information. In parallel actions, the U.S. Attorney’s Offices for the District of New Jersey and the Eastern District of New York also announced criminal charges against some defendants named in the SEC’s action. The SEC’s enforcement action may be a harbinger of events to come. As we have written, cybersecurity is emerging as the SEC’s newest area of focus for enforcement actions.
Companies should take notice of a new fraud scheme that has been making the rounds, targeting businesses that regularly make wire transfers. Known as the “Business E-mail Compromise,” or BEC, this scam targets employees responsible for wiring money, instructing them under false pretenses to wire large sums to fraudulent accounts. The Federal Bureau of Investigation estimates that the scam has claimed over 2,000 victims and resulted in losses totaling nearly $215 million since October 2013. In one version of the BEC fraud, the e-mail accounts of high-level business executives (CEO, CFO, CTO, etc.) are compromised by the creation of spoof e-mail addresses. The imposters then use the compromised executive’s e-mail account to send a request for a wire transfer to a second employee within the company who is responsible for processing such requests. This version of the scheme has been referred to as “CEO Fraud” or the “Business Executive Scam.” In another variation of the scam, businesses which have a long-standing relationship with a particular supplier or vendor (i.e. a landlord) receive a spoofed e-mail purportedly from that vendor directing the business to wire funds for invoice payment to an alternate, fraudulent account. This version of the scheme has been referred to as “The Bogus Invoice Scheme” or “The Supplier Swindle.”
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.
The National Exam Program Risk Alert, “Cybersecurity Examination Sweep Summary” summarizes cybersecurity practices and policies of 57 registered broker-dealers, and 49 registered investment advisers based on examinations conducted by the SEC’s Office of Compliance Inspections and Examinations (“OCIE”). These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement. It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture, accordingly. They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.
Cloud computing may be the next shoe to drop. On the heels of Mary Jo White’s recent appointment as Chairman of the SEC and predictions that it may refocus enforcement on accounting fraud came word last week that the Commission is investigating IBM’s cloud-computing accounting. In an SEC filing, IBM defended its revenue accounting for cloud-based services, stating “[w]e are confident that the information we have provided has been consistently accurate.”
This may just be the tip of the iceberg for an industry estimated by some analysts to generate global revenues of $131 billion this year, 60% of which originate in the United States.
Cloud computing has no single definition but one basic expression would be the practice of storing and accessing information on servers accessed through the Internet. There are many cloud-computing business models, including Infrastructure as a Service (“IaaS”), in which customers access computing power, such as servers, through physical equipment owned by the provider; Platform as a Service (“PaaS”), in which customers use a provider’s computing environment—including operating systems, programming languages, and databases—to create applications remotely; and Software as a Service (“SaaS”), services that allows users to operate software remotely. Google Documents and the e-Discovery platform Relativity are just two cloud-based services that readers may be familiar with. READ MORE
Hackers aren’t the only ones after company information. Earlier this week, Wills Fortune 500, a unit of Wills Group Holdings, a global insurance broker providing insurance and risk management services, made available its own report tracking the response by Fortune 500 companies to the SEC’s October 2011 guidelines for cybersecurity disclosures. The report’s key findings include that, as of April 2013, 85% of Fortune 500 companies were following the SEC guidelines and providing some level of disclosure of cyber exposures. However, close to 40% of the companies failed to provide details on the size of their exposure, stating only that the risk would have an impact on the company without further discussing the extent of the impact. As such, the report concluded that the question whether company disclosures rise to the level mandated by the SEC is debatable, given the paucity of information regarding the probability of incidents and their quantitative and qualitative magnitude.
In light of the findings of the Willis Fortune 500 report, it’s not surprising that SEC Chairman Mary Jo White had previously asked the Commission to evaluate compliance with current guidelines for cybersecurity disclosures, assemble a report on the general practice and compliance with the existing guidelines, and make recommendations for further guidance.
Following up on clues earlier this year that the SEC may increase its scrutiny of cybersecurity disclosures, SEC Chairman Mary Jo White has asked the Commission to evaluate current guidance for cybersecurity disclosures and to consider whether more stringent requirements are necessary. White asked the Commission to assemble a report on general practice and compliance with existing guidelines, and to make recommendations for future guidance. White did not yet commit to changes to the current guidelines, issued in October 2011, pending issuance of the report.
Senator Jay Rockefeller, who disclosed the Chairman’s directive, has recently encouraged the SEC to provide further guidance on cybersecurity disclosures. He has already sponsored legislation in this arena, including the Cybersecurity Act of 2012, which would have pushed the private sector to share internal information within the industry and with government agencies. The proposed legislation in 2012 would have also encouraged the enactment of protective measures for computer networks. Senator Rockefeller has expressed concern about the lack of information regarding cybersecurity risks, and appears poised to push for additional disclosures. READ MORE