On March 31, 2022, the Securities Industry and Financial Markets Association (“SIFMA”) released its after-action report on Quantum Dawn VI – a global financial-markets cybersecurity exercise.
Quantum Dawn VI was conducted on November 18, 2021, with over 1,000 participants from 240 financial institutions and regulatory bodies representing 20 countries. The exercise simulated a large-scale ransomware attack by a state-actor against major global financial institutions and regulators. The scenario was chosen, in part, based upon an observed 93% increase in ransomware ...
On February 9, the SEC proposed new cybersecurity risk management regulations for investment advisers, registered investment companies (funds), and business development companies.
Relying on the Commission’s mission to protect investors and ensure orderly markets, the Release cites increasing cybersecurity threats and emphasizes the disruptive consequences and costs (to advisers, funds and investors) of unpreparedness. The Release grounds the Proposal in advisers’ fiduciary duty to clients and the anti-fraud “compliance rule” requiring written policies ...
Over the last couple of decades, the securities self-regulatory organization FINRA (f/k/a NASD) has informed its membership each year of the compliance risks noted by its examination program. Those are risks firms should address, and they may also be harbingers of enforcement focus for the coming year. Years ago, it was the “Errico Letter” - a friendly reminder from NASD’s Head of Member Regulation. Then it became the Examination Priorities Letter. Now it’s a Report, but with a more useful assemblage of the Rules and Resources applicable to each risk called out.
Some risks have ...
FINRA held its bi-annual Cybersecurity Conference in January and recently published five real-world take-aways from the conference:
- A firm’s social media posts about a charity golf tournament tipped off the scammers as to when to send an urgent email changing wire instructions, while most of the firm’s management was out on the course;
- A thumb-drive planted in a parking lot labeled “bonuses,” “payroll,” or “commissions” proved bait too tasty for a firm’s personnel to resist;
- Even the best vendor-based data systems have hidden vulnerabilities lurking ...
Last Friday, November 16, the SEC issued a pair of settled actions setting a de facto standard of compliance for unregistered ICOs wanting to "come in from the cold." In each of them, the ICO offeror paid a $250,000 monetary penalty, registered its ICO as a security, and entered a rescission undertaking respecting all tokens issued to date.
The first was a settled action by Paragon Coin - an unregistered offeror of a digital token ("PRG") in the cannabis industry. Paragon agreed to cease and desist, file a registration statement, and publicly offer rescission of the ICO. The Commission cited ...
In August 2017, the SEC's Office of Compliance Inspections and Examinations issued a Cybersecurity risk alert directed at financial advisory firms. As part of the SEC's 2014 Cybersecurity Initiative, seventy-five firms, including broker-dealers, financial advisors, and funds, were audited between September 2015 and June 2016 in order to assess their Cybersecurity preparedness.
The assessment focused on six pillars of Cybersecurity: (1) company policies and procedures; (2) access rights and controls; (3) data loss prevention; (4) vendor / third party management; (5 ...