Broker-Dealers and Investment Advisors Under the Regulatory Microscope

Posted on April 28, 2015

I don’t think I’m overstating the status quo by much when I say that regulators are focused on the cyber security practices of every regulated business. This is particularly true for securities broker-dealers and investment advisors.

Last year, the U.S. Securities and Exchange Commission (SEC) Office of Compliance Inspections and Examinations (OCIE) announced that it would be auditing broker-dealers and investment advisors to assess their cyber risks and preparedness. The audits focused on practices relating to:

  • Identification of cyber risks;
  • Cyber security governance;
  • Protection of networks and information;
  • Remote access to client information and funds transfer requests;
  • Vendor risks; and
  • Detection of unauthorized activity.

In February 2015, the OCIE released a risk alert summarizing the results of its audits of 57 registered broker-dealers and 49 registered investment advisors. The alert contains a breakdown of the sizes and types of firms examined. A few of the highlights are:

1. The vast majority of broker-dealers and investment advisors have written information security policies.
Although fewer firms audit compliance, 93 percent of broker-dealers and 83 percent of investment advisors now have written policies.

I expect the lack of audits to be a focus of the SEC and other regulators going forward. Regulators frequently stress the need for companies to have a “culture of compliance” with applicable information security rules and best practices. Companies that don’t audit for compliance are likely to have a lot of trouble satisfying their regulators.

2. Cyber risk assessments are common, but vendor assessments are less so.
Significant majorities of broker-dealers and advisors assess their cyber risks. Smaller numbers assess their vendors, with only 32 percent of advisors doing so. The OCIE also found that even smaller percentages of firms incorporate cyber security requirements into vendor contracts. Only 51 percent of broker-dealers perform cyber security training of vendors, and just 13 percent of advisors have policies requiring it.

3. Most companies have experienced cyber attacks.
Cyber attacks appear to be common. Eighty-eight percent of broker-dealers and 74 percent of investment advisors have been attacked directly or through a vendor. The most frequent attack vectors are malware and fraudulent emails.

A typical fraudulent email is one directing the transfer of client funds. Twenty-five percent of the fraudulent email losses could have been prevented because they were caused by employee failures to follow identity authentication procedures.

I suspect regulators will focus on the relatively high incidence of employee failures going forward. I believe regulators are likely to examine a company’s ongoing training and testing of employees to assure that they are following required procedures. This would be consistent with the growing realization that cyber security is a human issue more than a technological one.

4. Cyber insurance is not as common as it should be.
A slim majority of broker-dealers (58 percent) have cyber policies. Only 21 percent of investment advisors have coverage. The existence of cyber insurance is one of the factors the SEC noted in its 2011 disclosure guidance relating to cyber security. That emphasis could lead the SEC to view the absence of coverage negatively.

The SEC isn’t the only regulator to have spoken recently about broker-dealer cyber risks. In February 2015, the Financial Industry Regulatory Authority (FINRA) issued its Report on Cybersecurity Practices. The report advocates a risk-based approach to cyber security, and identifies principles and effective practices for firms to follow. Some of the key points the report makes are:

  • A strong information governance framework, actively backed by the company’s senior leadership, is essential
  • Cyber risk assessments are vital
  • Necessary technical controls will vary depending on the company’s business
  • Incident response plans are essential and should be tested regularly
  • Companies must use due diligence to assure that vendors provide necessary cyber security
  • Employee training is extremely important
  • Companies should actively engage in information sharing activities with other broker-dealers
  • Cyber insurance should be considered

None of these points are surprising. They are consistent with the best practices followed by most companies. FINRA does state that it expects companies to consider the matters raised in the report, and that it will assess companies in that regard.

Broker-dealers should carefully review and consider the FINRA report.


Lockton Presents Replay of Data Breach Webcast

Posted on February 18, 2015


On Tuesday, Feb. 17, Lockton Companies hosted a webcast to address the Anthem Data Breach. For those that could not attend, or would like to review again, a replay and copy of the presentation handouts have been made available, by simply clicking on the links below:

Attendees can learn about the attack, the response, and the responsibilities of a plan sponsor and employer. In addition, while Benefit clients may be at the forefront of concern, given the far-reaching implications of this data breach, the webcast is advantageous for P&C clients as well. Both types of clients will receive:

  • An understanding of the contractual and legal relationship between their company and its third-party partners
  • “Takeaways” and “lessons learned” from a large event such as this to help protect their company in the future
  • Renewed insight into the vital role that cyber risk coverage plays in event response

The Cyber Pendulum: Is There a Balance Between Security and Privacy?

Posted on January 28, 2015


Following a year of high-profile cyber breaches, it’s no surprise President Obama included proposals for increased cyber security in his State of the Union address last week.

The President proposed a measure that would establish a federal data breach notification law to replace the existing patchwork that currently exists at the state level. He also hopes to improve law enforcement’s ability to investigate and prosecute cyber criminals, as well as incentivize information sharing about threats from industry with the federal government. He also noted the importance of protecting student data and the need to pare down domestic surveillance:

“As promised, our intelligence agencies have worked hard, with the recommendations of privacy advocates, to increase transparency and build more safeguards against potential abuse. And next month, we’ll issue a report on how we’re keeping our promise to keep our country safe while strengthening privacy.”

Recently, I had the opportunity to discuss this very topic – the balance of security versus privacy – with other cyber risk experts on the Huffington Post Live. While the President aspires to achieve both simultaneously, I see many challenges ahead.

After the Snowden leaks, the pendulum swung more toward privacy, as the extent of surveillance programs became clearer. Now that we’ve seen high-profile cyber hacks like Sony, the pendulum swings back toward security. Each country is going to have to decide for itself how much privacy it’s willing to give up for the sake of increased security.

Watch the full discussion below:

Getting Schooled: Schools Face Host of Risk Management Challenges

Posted on December 29, 2014

There are many risk exposures school administrators need to be mindful of, including traumatic brain injury, sexual harassment, discrimination, and security.

In a recent article in Property Casualty 360°, I reveal how only 25 percent to 30 percent of schools currently purchase cyber security coverage, resulting in schools being a treasure trove of information for hackers. Schools have a lot of personal information on students, faculty and employees, not to mention colleges that accept credit cards for payment.

Brokers who understand the need for Cyber have a real opportunity to educate schools on the risk as well as the extent of coverage in today’s Cyber forms, which provide third-party liability and first-party coverage including business interruption, reputational risk, forensic analysis, damage control, and more.

Overall, schools and colleges are considered desirable risks. For clients with average to favorable loss ratios, we’ve seen rates stable as a general rule.

The FCC Jumps into Cyber-Regulation with Millions in Fines

Posted on November 18, 2014

Recently, the Federal Communications Commission entered into the cyber regulatory field in a big way: proposing to fine two companies $10 million for alleged data security breaches.

The FCC is taking action against two telecommunications companies who provided prepaid phone services to low-income residential customers. According to the agency, the companies “collected names, addresses, Social Security numbers, driver’s licenses, and other proprietary information (PI) belonging to low-income Americans and stored them on unprotected Internet servers that anyone in the world could access with a search engine and basic manipulation.”

The FCC justified imposing such large fines in part because “the companies stored such consumer PI in two publicly accessible folders on the Internet without password protection or encryption. By not employing appropriate or even reasonable security measures, the companies exposed their customers to an unacceptable risk of identity theft and other serious consumer harms.” The FCC gave the companies 30 days to seek a reduction in the fine.

The FCC’s $10 million fine followed a $7.4 million settlement with Verizon in September over its use of customer information for marketing, and a $7.5 million settlement with Sprint back in May over “do not call” violations. These multimillion dollar fines are coming from a federal regulator not thought of as a data security and privacy watchdog. The Federal Trade Commission has mainly filled that role.


The FCC appears to be a new, aggressive player on the cyber regulatory field that may have the power to issue fines more quickly than the FTC. When faced with a data security situation, the FTC typically issues a complaint setting forth its charges. If the respondent elects to settle the charges, it may sign a consent agreement (without admitting liability), agreeing to the entry of a final order and waiving all right to judicial review.

If contested, the matter is adjudicated, starting with an administrative trial, working its way through the federal courts and ending, potentially, with the U.S. Supreme Court. Fines and penalties may be imposed on a respondent for violations of the FTC Act. The FCC, however, can move much more quickly in connection with companies it regulates and may impose a fine once it determines the company failed to protect the “confidentiality of proprietary information of its customers.”

From a risk standpoint, the recent FCC actions represent yet another exposure for telecommunications companies in connection with data security. A cyber insurance product is designed to protect against this risk and should offer coverage for regulatory claims such as those brought by the FTC, FCC or any other governmental agency, federal, state or local.

For those who already purchase a cyber policy to address this risk, it would be prudent to review the policy wordings to assure that regulatory claims are defined as broadly as possible to address new entrants in the privacy regulatory arena.

Additionally, cyber coverage purchasers should look to see whether their policy provides full policy limits for regulatory claims. In some cases, insurers hedge their bets by offering reduced sub-limits of liability for regulatory claims. Given the ramped up efforts by regulators such as the FCC, it is important to make sure adequate limits are in place.