In its April 27 Weekly Update, the Financial Industry Regulatory Authority’s (“FINRA”) National Cause and Financial Crimes Detection program urged FINRA member firms to review a cyber-threat alert arising from Russia’s invasion of Ukraine.
The Cybersecurity and Infrastructure Security Administration (“CISA”) issued an April 20, 2022, Advisory warning of increased Russian state-sponsored and criminal cyber threats in retaliation for Western support for resistance to Russia’s invasion of Ukraine. The cybersecurity authorities of Australia, Canada, New ...
On March 31, 2022, the Securities Industry and Financial Markets Association (“SIFMA”) released its after-action report on Quantum Dawn VI – a global financial-markets cybersecurity exercise.
Quantum Dawn VI was conducted on November 18, 2021, with over 1,000 participants from 240 financial institutions and regulatory bodies representing 20 countries. The exercise simulated a large-scale ransomware attack by a state actor against major global financial institutions and regulators. The scenario was chosen, in part, based upon an observed 93% increase in ransomware ...
Continuing its active regulatory agenda, the Securities and Exchange Commission on March 9, 2022, proposed new cybersecurity regulations for reporting public companies. Although couched as a series of “disclosure” requirements, the proposed list of required disclosures can be viewed as a de facto prescription of what public companies must do and say on cybersecurity; that prompted Commissioner Peirce to dissent.
The Proposed Rule would require reporting public companies to promptly disclose “material cybersecurity incidents” and their response, updating those ...
The regular “Weekly Update” email from the Financial Industry Regulatory Authority (“FINRA”) had an eye-catching warning February 16, urging broker-dealer member firms to heed the “Shields Up” cyber threat warning from the Cybersecurity and Infrastructure Security Agency (“CISA”) and the FBI.
That warning urged heightened cybersecurity vigilance “related to Russia’s potential destabilizing activities against Ukraine.” The CISA alert said, “While there are not currently any specific credible threats to the U.S. homeland, we are mindful of the ...
On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.
Relying on the Commission’s mission to protect investors and ensure orderly markets, the Release cites increasing cybersecurity threats and emphasizes the disruptive consequences and costs (to advisers, funds and investors) of unpreparedness. The Release grounds the Proposal in advisers’ fiduciary duty to clients and the anti-fraud “compliance rule” requiring written policies ...
Over the last couple of decades, the securities self-regulatory organization FINRA (f/k/a NASD) has informed its membership each year of the compliance risks noted by its examination program. Those are risks firms should address, and they might also be harbingers of enforcement focus for the coming year. Years ago, it was the “Errico Letter” - a friendly reminder from NASD’s Head of Member Regulation. Then it became the Examination Priorities Letter. Now it’s a Report, but with a more useful assemblage of the Rules and Resources applicable to each risk called out.
Some risks have ...
FINRA held its bi-annual Cybersecurity Conference in January and recently published five take-away real-world experiences from the conference:
- A firm’s social media posts about a charity golf tournament tipped off the scammers on when to send an urgent email changing wire instructions, while most of the firm’s management was out on the course;
- A thumb-drive planted in a parking lot labeled “bonuses,” “payroll,” or “commissions” proved bait too tasty for a firm’s personnel to resist;
- Even the best vendor-based data systems have hidden vulnerabilities lurking ...
Implemented in September, the Securities Exchange Commission's ("SEC") Cyber Unit has brought its first enforcement action against an "Initial Coin Offering" ("ICO") called PlexCoin. ICOs, which are listed on digital exchanges, are designed to raise money through the issuance of digital tokens. Generally, coins or tokens entitle investors to certain rights related to a venture underlying the ICO, such as a right to profits, shares of assets, rights to use certain services provided by the issuer, and/or voting rights. The SEC recently hinted that an ICO's digital coins are ...
The Securities Exchange Commission ("SEC") has been busy the last couple of months on the cyber front. On September 20, the SEC announced a renewed focus on cybersecurity efforts and disclosed that it had been a victim of a cyber-attack, which may have allowed hackers to use nonpublic information to make illicit gains. The press release revealed that the breach was induced by a software vulnerability in the SEC's EDGAR system. In a more detailed statement on the matter, SEC Chairman Jay Clayton opened the door for cyber-attack-related enforcement actions directed at public companies. He ...