
Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

Insider Trading Recklessness and Kevin Love’s Shoulder

Posted in Insider Trading, SEC Litigation

A couple of weeks ago I expressed skepticism about the ultimate impact of Judge Rakoff’s recent opinion in SEC v. Payton.  In it, he held that for purposes of a motion to dismiss, the SEC had adequately alleged insider trading violations in a remote tippee context, even after the Second Circuit’s decision in United States v. Newman.  Briefly, the issue was this: for insider trading liability, the Second Circuit now requires (1) that the personal benefit coming back to a tipper be “of some consequence” and generally something beyond mere friendship; and (2) that each tippee or remote tippee know what that benefit is.

SEC v. Payton

As for the second requirement, I wondered out loud last November if traders wouldn’t adjust to this new world by making sure they didn’t know what the personal benefit was.  I wouldn’t describe myself as a cynic, but I’ve seen people try to construct walls of plausible deniability before.  They can be hard to knock down.  At least for SEC cases, Judge Rakoff thinks they certainly can be knocked down.  He noted in Payton that the intent required to sustain a violation of Section 10(b) in an SEC case is recklessness, which he described as “heedless disregard of the probable consequences.”  That is a sufficient definition in some legal contexts, but I think it understates what the SEC has to show in the Second Circuit.

To prove violations of Section 10(b), the SEC must demonstrate that the defendant acted with scienter, defined as “a mental state embracing intent to deceive, manipulate, or defraud.”  SEC v. Obus, 693 F.3d 276, 286 (2d Cir. 2012).  The Second Circuit has held that scienter “may be established through a showing of reckless disregard for the truth, that is, conduct which is highly unreasonable and which represents an extreme departure from the standards of ordinary care.”  Id.  Other circuits describe the same concept as “severe recklessness.”  See, e.g., Ziemba v. Cascade Int’l, Inc., 256 F.3d 1194, 1202 (11th Cir. 2001).  The courts’ point is, if a defendant is going that far down the intent spectrum, it really doesn’t matter whether he actually intended the fraud.  It’s enough for scienter.

Kevin Love’s Shoulder

Kevin Love will tell you.  I don’t know if you saw this play from the last game in the Cavaliers’ sweep of the Celtics in the NBA playoffs’ first round.  In it, you see perennial All-Star Kevin Love and non-All-Star Kelly Olynyk thrashing Love’s shoulder like he’s trying to start a lawnmower.  According to press reports, the move dislocated Love’s shoulder, required surgery, and has taken Love out of action for the next four-to-six months.  Those months include the rest of the 2015 playoffs, which mean a lot to the Cavaliers if not the Celtics.  After the game, Love accused Olynyk of intentionally hurting his shoulder.  Olynyk naturally said of course he would never have intentionally done such a thing.  And lots of knuckleheads on sports radio the next morning yelled about how Kelly Olynyk didn’t have a history of deliberately assaulting other people so how could he have done so here, etc.

As I listened to them I thought, does it matter?  Let’s assume Olynyk didn’t walk onto the court with malice in his heart and his eyes zeroed in on Love’s shoulder.  Having locked arms with Love, though, he did launch into a move that didn’t help get the basketball but easily could have liberated Love’s shoulder from the rest of Love’s body.  If Game 4 had been a civil securities fraud case, I think the Second Circuit would say Olynyk is just as liable either way.

These levels of intent are important, in SEC cases and NBA playoff games.

The SEC Doesn’t Love Secret Perks for Executives

Posted in Accounting Fraud, Administrative Proceedings, Compliance, Financial Fraud, Non-scienter-based Violations, SEC Litigation

If you find yourself as the CEO of a public company, you’ll probably find pluses and minuses.  You’ll have to work really hard, but it can be lucrative, too.  You can get paid a lot of money.  And your company can pay you whatever it wants.  But there is one catch: your company has to disclose all of your compensation to its investors.  If you take valuable things from the company that aren’t publicly disclosed, the SEC does not love that.

Andrew Miller

So try to avoid doing what the SEC says Andrew Miller did, which is “us[e] nearly $200,000 in corporate funds for personal perks that were not disclosed to investors [of Polycom Inc.]”  Specifically, in a complaint filed in the Northern District of California,

The SEC alleges that Andrew Miller created hundreds of false expense reports with bogus business descriptions for his personal use of company dollars to pay for meals, entertainment, and gifts.  Furthermore, he used Polycom funds to travel with his friends and girlfriend to luxurious international resorts while falsely claiming the trips were business-related site inspections in advance of company sales retreats.  Miller hid the costs by directing a travel agent to bury them in fake budget line items.  In 2012 alone, Miller charged Polycom for more than $115,000 in personal expenses despite publicly reporting that he received less than $35,000 in perks that year.

The SEC says these expenses included more than:

  • $80,000 for personal travel and entertainment that Miller hid in falsified invoices or passed off as legitimate business expenses;
  • $10,000 for clothing and accessories and more than $5,000 worth of spa gift cards that Miller falsely claimed to have given as gifts to customers and employees;
  • $10,000 for tickets to professional baseball and football games that Miller falsely claimed to have attended with clients; and
  • $5,000 for plants and a plant-watering service at Miller’s apartment that he falsely claimed were for the company’s San Francisco office.

The SEC’s complaint against Miller alleges that he violated the antifraud, proxy solicitation, periodic reporting, books and records and internal controls provisions of the federal securities laws, and that he falsely certified the accuracy of Polycom’s annual reports, which incorporated its proxy statements.  Item 402 of Regulation S-K also requires the disclosure of perks provided to executive officers by type if they amount to $10,000 in a given year.

Polycom

Perhaps more importantly, if you are a public company, do not let your CEO do this sort of (alleged) thing!  In addition to suing Miller, the Commission found in a settled administrative order that Polycom’s

internal controls over Miller’s expenses were inadequate.  For example, Polycom allowed Miller to approve his own expenses that were charged on his assistants’ credit cards, and the company allowed him to book and charge airline flights without providing any descriptions of their purpose.  As a result of Miller’s misconduct, Polycom’s proxy statements contained false compensation information and failed to accurately describe Miller’s perks as required.

The SEC charged Polycom with having inadequate internal controls and failing to report Miller’s perks to investors.  Polycom agreed to pay a $750,000 penalty to settle the matter without admitting or denying the facts alleged in the order.

What to Do (and not do)

Naturally, the SEC’s order didn’t come with an accompanying guide on how to avoid these internal controls problems in the first place.  But with a view toward not letting an executive do this sort of thing, a public company should have a standard process for approving business expenses, and scrutinize expense requests that draw red flags.  Specifically, do these things if nothing else: (1) Require a specific reason for each reimbursement request (see flights above).  My assistant has to remind me of this for mine every time, but it’s not onerous; it’s reasonable and necessary.  (2) Do not allow anyone to approve his own expenses (see P-card nonsense above).  (3) Give extra attention to extra-large expenses.  You needn’t comply yourself into bankruptcy, but if someone is buying over $10,000 in clothes, consider asking what and who they’re for.  It should be an easy answer to get.  If it’s not, you may have stumbled into a problem that needs fixing.

Two Regulatory Crises

Posted in Cybersecurity, Insider Trading

It strikes me that two civil regulators are facing dire attacks on aspects of their enforcement programs – both in different U.S. Courts of Appeals – at the same time.  Both of these attacks arise out of generalized statutes that only sort of address the problems the regulators seek to remedy.  To some degree, how these matters are resolved will determine whether these enforcement portfolios are reinvigorated or wither on the vine.  In both cases a Congressional fix could be in order.

The SEC’s Insider Trading Enforcement Program

The Securities and Exchange Commission has had a mess on its hands since United States v. Newman, a criminal case in the Second Circuit, was handed down last November.  We’ve addressed it here several times already, but the core holding was this:  to be liable for insider trading in a tipper/tippee context, (1) a tippee must know about the personal benefit received by the tipper for the information, and (2) while the personal benefit need not be immediately pecuniary, it must be “of some consequence” and mere friendship is not enough to qualify.

The case is important because many of the SEC’s and Justice Department’s insider trading matters fall into this tipper/tippee category.  And a significant number of those are “remote tippee” cases, where a tipper gives material, nonpublic information to one tippee in exchange for a personal benefit of some kind, who then passes it to another who trades on it.  In those matters, it can sometimes be hard to establish that the third-level (or fourth level or whatever) tippee knew about the personal benefit received by the tipper for the information.  Also, to this point the personal benefit element has been quite lax, and has in many instances amounted to nothing more than the “warm glow” that comes from helping a friend.  Applying more rigor in this area could put a real dent in law enforcement’s efforts to police insider trading.

Recently the Second Circuit declined to rehear Newman en banc, and the U.S. Attorney’s Office has not decided whether to pursue an appeal to the U.S. Supreme Court.  Judge Rakoff, who is not exactly afraid of defying Congress and higher courts, recently denied a motion to dismiss in SEC v. Payton, an insider trading case where the defendants invoked Newman.  Some have suggested that because Rakoff cited the SEC’s lower burden of proof – recklessness as opposed to willfulness that the Justice Department must meet – the SEC could avoid many of the problems associated with Newman’s rationale.

I’m not so sure.  Payton was a case decided on the pleadings, and Judge Rakoff held that the SEC’s complaint was sufficient to survive a motion to dismiss.  And it may have a generally easier time proving a tippee’s knowledge of the personal benefit with its lower standard of proof.  But it’s still going to have to prove those facts.   In Newman itself, the court held that prosecutors hadn’t offered any evidence that the remote tippees knew what the personal benefit to the original tipper was.  With that kind of showing, it won’t matter what the burden of proof is.  I’m also not sure the nature of the personal benefit will be dramatically affected by the burden of proof.  If Newman is in effect, the personal benefit will either be “of some consequence” or it won’t.  I don’t see that call being swayed depending on whether it’s a criminal or civil case.

All of this uncertainty fundamentally derives from the generality in the statute typically used to prohibit insider trading – Section 10(b) of the Exchange Act.  As we’ve discussed, it doesn’t mention insider trading, just securities fraud, and that lack of specificity creates lots of opportunities for doctrinal confusion.  Anyway, a number of proposals to define insider trading once and for all are in the works.  We’ll see if one of them gets through and makes Newman a moot point.

The FTC’s Cybersecurity Enforcement Program

Meanwhile, the Federal Trade Commission has a similar issue with its cybersecurity enforcement program.  Here’s how the FTC defines its authority in this area:

When companies tell consumers they will safeguard their personal information, the FTC can and does take law enforcement action to make sure that companies live up [to] these promises.  As of May 1, 2011, the FTC has brought 32 legal actions against organizations that have violated consumers’ privacy rights, or misled them by failing to maintain security for sensitive consumer information.  In these cases, the FTC can charge the defendants with violating Section 5 of the FTC Act, which bars “unfair and deceptive acts and practices in or affecting commerce.”

Um, okay!  It’s not crazy to think that some misconduct in the cybersecurity area would be unfair or deceptive, but Section 5 is a pretty broad statute for the FTC to rely on in all instances.  What if, say, a company implements measures to protect itself against an electronic data breach and suffers a breach anyway?  If the FTC thinks those measures were unreasonable were they also unfair or deceptive?  Is the FTC authorized to use Section 5 to bring a case alleging as much?

That question is currently pending before the Third Circuit in a case that began back in 2012, when the FTC sued Wyndham Worldwide Corp. for alleged data security failures that enabled three data breaches between 2008 and 2009.  The FTC charged Wyndham with violating both the deception and unfairness provisions of Section 5.  Wyndham moved to dismiss in the U.S. District Court in New Jersey, challenging the FTC’s authority to regulate data security.  The court denied the motion, and Wyndham petitioned for an interlocutory appeal, which the Third Circuit granted last August.

The Court of Appeals asked counsel two questions in advance of oral argument, and then asked for supplemental briefing on these questions after oral argument:

  • Has the FTC declared that unreasonable cybersecurity practices are “unfair,” 15 U.S.C. § 45(a), through the procedures in the Federal Trade Commission Act, 15 U.S.C. §§ 41-58?
  • Assuming it has not, is the FTC asking the federal courts to determine that unreasonable cybersecurity practices are “unfair” in the first instance, and if so, can the courts do so in this case brought under 15 U.S.C. § 53(b)?

All of this would likely be unnecessary with a more specific statutory and regulatory scheme in place.  Counsel for the FTC said at oral argument that rulemaking in the cybersecurity area is “a very cumbersome process,” and that “it would never end because the technology changes so fast.”   Perhaps needless to say, Wyndham disagrees.  It argues that the FTC has previously used the rulemaking procedures to clarify unfairness in other contexts, and also points to several statutes – including COPPA, the FCRA, and Gramm-Leach-Bliley – that require the FTC to promulgate cybersecurity rules.  IAPP Westin Fellow Arielle Brown has an excellent summary of the issues here.

I can’t help but think that if the FTC loses this battle a new statute will be forthcoming from Congress.  We’ll see what happens soon enough.

A Non-Insider Trading Case in the District of Massachusetts

Posted in FINRA, Insider Trading

Insider trading prosecutions can be difficult.  Because of the haphazard and tortuous growth of insider trading law itself, the prosecutions involve proving lots of different pesky elements.  Fiduciary duties, materiality, trading . . . . Ugh, the trading.  And the materiality!  So annoying!  If you were a prosecutor, how liberating it would be to bring an insider trading case without worrying about those things.

That thought might have occurred to Carmen Ortiz, the U.S. Attorney for the District of Massachusetts.  Late last month, her office filed a criminal complaint against James Dunham with many of the hallmarks of an insider trading case, but without some of those annoying elements.  The prosecutors didn’t call it an insider trading case, filed under Section 10(b) of the Exchange Act.  Instead, they filed it as a mail and wire fraud case.  What they did could be important for professional traders and research analysts.

The Allegations

Dunham was formerly the President and COO of Wireless Zone, a retailer that has over 400 Verizon Wireless franchise outlets that sell phones from various manufacturers.  The complaint alleges that Dunham had access to confidential information regarding sales, compensation, and product launches at Wireless Zone’s 400 locations.  For more than three years, without his employer’s knowledge, Dunham had a consulting agreement with a Boston financial services firm, Detwiler Fenton & Company, to provide confidential information in exchange for $2,000 each month.  Dunham allegedly spent about an hour a week speaking to a Detwiler analyst using his personal email and cell phone.

The complaint alleges that seven research notes prepared and distributed by Detwiler included information supplied by Dunham, including information regarding the status of certain product launches, the number of new Verizon Wireless subscribers, and sales and return information for specific smartphones.  Dunham was allegedly the source for an April 11, 2013 research note in which Detwiler reported that product returns were exceeding sales for the BlackBerry Z10.  Following publication of that note, the stock price for RIM dropped seven percent in a single day.

Hmmmm . . . .

You know what this looks like, right?  It looks like a channel-check insider trading case!  But what’s a channel check?  It’s not really a technical term, but Bruce Carton at Securities Docket explained it several years ago:

In a channel check, analysts try to glean information about a company’s production via interviews with the company’s suppliers, distributors, contract manufacturers, and sometimes even current company employees.  The goal is to piece together a better picture of the company’s performance.  Apple, always secretive about its products, is an example of a company where channel checking is reportedly common.  Indeed, analyst reports based on channel checks routinely cause Apple stock to dip or surge.

As supply-chain expert Pradheep Sampath of GXS noted on his blog, these interviews typically occur without the target company’s permission or participation.  Sampath added:

Data collected from these sources is seemingly innocuous when viewed separately. When pieced together, however, these data points from a company’s supply chain can deliver startling insights into revenue and future earnings of a company – much in advance of such information becoming publicly available. This practice becomes more pronounced for companies such as Apple that are extremely guarded and secretive about information they make publicly available.

Federal prosecutors and even the SEC, which faces a lower evidentiary standard for its cases, have been pretty circumspect about bringing cases based on channel checks.  I think this is mostly because establishing the information’s materiality for insider trading purposes can be pretty difficult.  Well, is it material?  This is a very fact-specific question.  If you’re talking about two or three stores for a product that sells millions of units, maybe not.  But 400 retail locations could give a statistically significant window into how sales for a product are going.  Fortunately for the prosecutors here, it doesn’t matter.

Where This Case Comes From

This is all speculation, but in the short run, this case almost certainly originated with FINRA.  I’m not a betting man, but I would bet $100 that FINRA staff reviewed the trading in RIM before its stock price dropped 7% in April 2013 to see who might have profited or avoided losses from the drop.  Perhaps finding none who did so illicitly, FINRA then referred the case to the SEC, anyway.  The U.S. Attorney’s Office’s press release notes the “valuable assistance” given by the SEC, so I’m pretty sure the Commission was at least a way station for this matter.  The SEC may have been stuck, too, without any people who traded RIM based on material, nonpublic information.  But it may have led the SEC staff to wonder aloud who could redress this leak of the Detwiler information.  Enter Carmen Ortiz’s office.

Thinking more broadly, the Dunham case is not completely without precedent.  In 2010, the U.S. Attorney’s Office for the Southern District of New York charged three public company employees with substantive wire fraud counts and single counts of wire fraud conspiracy and securities fraud conspiracy, but no substantive securities fraud charges.  The “Shimoon” criminal complaint alleged that each employee revealed corporate financial data to outside analysts and intentionally violated corporate policy prohibiting such disclosure.  An AMD employee allegedly provided “revenue numbers, average sales prices, unit sales for different product lines, gross margin figures, and revenue forecasts for AMD.”  A Flextronics employee allegedly provided quarterly actual and forecast sales for Apple iPhones and iPods.[1]  But the complaint did not accuse the defendants of illicit securities trading.  Sound familiar?  The defendants eventually pled guilty.

Where Are We Now?

So where are we now?  Defcon 3?[2]  The Shimoon case didn’t spawn a long list of imitators.  So maybe this James Dunham case is, statistically speaking, another outlier that won’t have a large effect on analysts seeking to bolster their research with hard numbers from supply chains.  On the other hand, the FBI agent who investigated the Dunham case and signed the affidavit comprising the bulk of the complaint is David Makol, the same agent profiled here by the Wall Street Journal as “The FBI Agent Who ‘Flips’ Insider Trading Witnesses.”  He’s been around this block before (and is now back at the SEC, where he started his career).  And check out this quote from Ortiz:  “Sometimes business secrets are sold for use in insider trading; sometimes they are used for other improper purposes. But the sale of confidential business information by corporate insiders – in violation of their duties to employers, business partners, customers, and shareholders – is always wrong and illegal.”  That sounds like somebody who’s ready to file some more cases.  If you’re in her jurisdiction, watch out.

[1] A good summary and analysis of the complaint can be found at David Siegal, Charging Expert Network Participants With Wire Fraud, New York Law Journal (Apr. 29, 2011).

[2] By the way, have you seen War Games recently?  If not, please watch this clip.  In it, General Beringer assesses the apparent nuclear threat, calmly plugs in some Red Man chewing tobacco, and orders the nation’s defense risk alert to be raised from Defcon 4 to Defcon 3.  Bear in mind, as far as he knew at that point, Soviet nuclear missiles were in the air and 11 minutes from hitting targets in the United States.  What would have gotten him to Defcon 2?  A more serious danger?  Don’t try to bluff General Beringer.

Three Thoughts about the SEC’s First “Pretaliation” Case

Posted in Whistleblowers

I was on a flight last Wednesday when the SEC released the first of what whistleblower chief Sean McKessy has dubbed “pretaliation” cases against KBR, Inc.  When I landed I had several emails from colleagues, asking, “Did you see this?” and “FYI,” etc.  It’s a fairly big deal.  You may know the context, but here it is anyway:  Rule 21F-17, construing the whistleblower provisions of the Dodd-Frank Act, says, “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

McKessy has been warning for almost a year that the Commission was considering filing cases to enforce this provision.  Specifically, he had in mind companies that use overly restrictive language in confidentiality agreements with current or departing employees to prevent those employees from reporting corporate misconduct to the SEC.  Smart corporate counsel have been thinking about these warnings for a while, but now we have the first tangible statement about what kind of language is too much for the rule.

It might not surprise you to learn I have some thoughts about it!

Concrete Language

As I first read the order, I was happy to see it included the specifically objectionable language in KBR’s agreement.  The SEC can sometimes be vague in its settled cases.  The agreements here arose out of internal investigations at KBR and required witnesses in those investigations to keep quiet about what they learned from them.  Here’s what the witnesses were required to agree to:

I understand that in order to protect the integrity of this review, I am prohibited from discussing any particulars regarding this interview and the subject matter discussed during the interview, without the prior authorization of the Law Department.  I understand that the unauthorized disclosure of information may be grounds for disciplinary action up to and including termination of employment.

I was very glad to see that the order got into specifics so companies would have some guidance on what the SEC considered actionable.

Not Exactly Egregious

This language was written before passage of the Dodd-Frank Act in July 2010.  It apparently never prevented a KBR employee from communicating with the Commission.  And it doesn’t even refer to the SEC as a prohibited destination for the confidential information.  As such, I imagine it was not what McKessy and others had in mind when his office launched this initiative to stamp out agreements that arose in response to the threat of Dodd-Frank whistleblowers.  Tom Gorman wondered if the confidentiality agreement couldn’t have been addressed with a Report of Investigation under Section 21(a) of the Exchange Act instead of an administrative order with a $130,000 penalty.  It’s hard for me not to agree.

But here we are.  In the SEC’s eyes, it is not enough that the agreement doesn’t single out the Commission as an entity that cannot be told about securities violations.  The general language found in KBR’s witness agreement is a sufficient threat to employees, and could be met with a civil penalty if the SEC learns about it.

How to Shape Agreements Going Forward

KBR edited its witness agreements to comply with Rule 21F-17.  They now say:

Nothing in this Confidentiality Statement prohibits me from reporting possible violations of federal law or regulation to any governmental agency or entity, including but not limited to the Department of Justice, the Securities and Exchange Commission, the Congress, and any agency Inspector General, or making other disclosures that are protected under the whistleblower provisions of federal law or regulation.  I do not need the prior authorization of the Law Department to make any such reports or disclosures and I am not required to notify the company that I have made such reports or disclosures.

If companies want guidance about what they can say in confidentiality agreements and still stay on the right side of Rule 21F-17, there it is.  It’s not the only way one could comply with the rule, but it’s probably the safest.  I do think it would be smart to refer expressly to the SEC as a permitted destination for information regarding potential violations of federal law.  Of course, you could possibly be more vague and still comply with the rule, but I’m not sure what you would gain from doing so.

Eugene Scalia thinks the SEC’s order and others like it could lead to widespread leaking of corporate trade secrets.   Keith Paul Bishop has similar concerns.   The order is only four pages.  Give it a read and see what you think.

FINRA Issues Report on Cybersecurity Practices

Posted in Cybersecurity, FINRA

Following up on our post from last week on the SEC’s cybersecurity exam sweep, you should also know about FINRA’s recent report on this area.  Last month, FINRA published a Report on Cybersecurity Practices that really could be useful reading for anyone in a complex business that hopes to keep its electronic data secure.

Where the Report Came From

In 2014, FINRA conducted targeted examinations at a cross-section of member firms, including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers.  FINRA had four objectives: (1) to understand the types of threats firms face; (2) to increase understanding of firms’ risk tolerance, exposure, and major areas of vulnerabilities in their IT systems; (3) to understand firms’ approaches to managing these threats; and (4) to share observations and findings with member firms.  As the report repeatedly recognizes, there is no one-size-fits-all approach to cybersecurity.  But the report does lay out a road map for what brokerages should be doing to protect themselves, no matter where they are on the food chain.

Key Points in the Report

Just because one size doesn’t fit all doesn’t mean some principles are not common to all.  Here are the key points FINRA member firms should consider, followed by our thoughts and quotes from the report:

  • A sound governance framework with strong leadership is essential.

As used in this report, “governance” and “governance framework” refer broadly to the establishment of “policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements” in a way that informs its management of cybersecurity risk.  Directors need to involve themselves in these issues and should consider the National Association of Corporate Directors publication Cyber-Risk Oversight in doing that.  Another effective practice is to evaluate relevant industry frameworks and standards as reference points in developing their approach.  The ISO 27001/27002 framework is highlighted as one.  The NIST Framework is another.  Commissioner Aguilar would approve.

  • Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets—no matter the firm’s size or business model.

FINRA views the risk assessment process as a key driver in a firm’s risk management-based cybersecurity program.  It is also a potentially useful starting point for firms embarking on the establishment of a cybersecurity program. The NIST Framework, for example, identifies six sets of risk assessment activities or outcomes:

  1. identify and document asset vulnerabilities;
  2. review threat and vulnerability information from information sharing forums and sources;
  3. identify and document internal and external threats;
  4. identify potential business impacts and likelihoods;
  5. use threats, vulnerabilities, likelihoods and impacts to determine risk; and
  6. identify and prioritize risk responses.

  • Technical controls, a central component in a firm’s cybersecurity program, are highly contingent on firms’ individual situations.

The one-size-doesn’t-fit-all maxim probably holds more sway here than in any other area.  Smaller firms simply aren’t going to be able to afford the technical safeguards that huge investment banks can.  That said, “firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself.  Effective practices include . . . selecting controls appropriate to the firm’s technology and threat environment, for example: identity and access management; data encryption; and penetration testing.”

  • Firms should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.

“A firm’s incident response plan should address different attack scenarios, since incidents can occur along many different attack vectors. While it is not feasible to develop step-by-step instructions for every imaginable incident, firms should at least have prepared response plans for the most common attacks to which the firm may be subjected. Based on information firms provided to FINRA, common events at broker-dealers include DDoS attacks, malware infections, insider threats and cyber-enabled fraudulent wire transfers.”   For smaller firms, contracting with a vendor may be the most effective method to provide incident response capability.

  • Broker-dealers typically use vendors for services that provide the vendor with access to sensitive firm or client information or access to firm systems. Firms should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of their vendor relationships.

“Risk-based due diligence on a prospective vendor’s cybersecurity practices is a critical first step in selecting third-party service providers. This due diligence provides a basis for the firm to evaluate whether the prospective vendor’s cybersecurity measures meet the firm’s cybersecurity standards. This can include discussions about the controls a vendor would need to implement to remediate a weakness relative to the firm’s cybersecurity standards. As a general principle, firms should avoid using vendors whose security standards do not at least meet those of the firm in the relevant area of activity.”

  • A well-trained staff is an important defense against cyberattacks.

True!  People need to know what to do, and what not to do.  “FINRA found that many of the cybersecurity attacks that firms identified were successful precisely because employees made mistakes, such as inadvertently downloading malware or responding to a phishing attack.”

  • Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.

“Firms that can take in and analyze cyber intelligence effectively can proactively implement measures to reduce their vulnerability to cybersecurity threats and thereby improve their ability to protect both customer and firm information.”  The FS-ISAC (discussed here) provides a venue for the financial services industry to share threat intelligence, anonymously if so desired, and the ability to turn threat data into “actionable intelligence.”

Somebody at FINRA did a lot of good work on this report.  You should read it and consider its recommendations.

SEC Releases Results of Cybersecurity Exam Sweep

Posted in Cybersecurity

We’re a bit behind on this, but better (a little bit) late than never.  Last month the SEC’s Office of Compliance, Inspections and Examinations released the first results of its Cybersecurity Examination Initiative, announced in April 2014 (and discussed here).  As part of the initiative, OCIE staff examined 57 broker-dealers and 49 investment advisers to better understand how these entities “address the legal, regulatory, and compliance issues associated with cybersecurity.”

What the Exams Looked For

In the exams, the staff collected and analyzed information from the selected firms relating to their practices for:

  • identifying risks related to cybersecurity;
  • establishing cybersecurity governance, including policies, procedures, and oversight processes;
  • protecting firm networks and information;
  • identifying and addressing risks associated with remote access to client information and fund transfer requests;
  • identifying and addressing risks associated with vendors and other third parties; and
  • detecting other unauthorized activity.

Importantly, the report is based on information as it existed in 2013 and through April 2014, so it’s already somewhat out of date.

The Good News

The report includes some good news about how seriously the SEC’s registered entities are taking cybersecurity.

  • The vast majority of examined broker-dealers (93%) and investment advisers (83%) have adopted written information security policies.
  • The vast majority of examined broker-dealers (93%) and investment advisers (79%) conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.
  • The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources.
  • Many firms are utilizing external standards and other resources to model their information security architecture and processes. These include standards published by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Federal Financial Institutions Examination Council (“FFIEC”).

Encouraging!  But the report didn’t bring all good tidings.

The Bad News

Here are some of the less auspicious facts:

  • 88% of the broker-dealers and 74% of the advisers reported being the subject of a cyber-related incident.
  • Most of the broker-dealers (88%) require risk assessments of their vendors, but only 32% of the investment advisers do.
  • Related to that, most of the broker-dealers incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners (72%), but only 24% of the advisers incorporate such requirements. Fewer of each maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks.
  • A slight majority of the broker-dealers maintain insurance for cybersecurity incidents, but only 21% of the investment advisers do.

The Rest

Almost two-thirds of the broker-dealers (65%) that received fraudulent emails seeking to transfer funds filed a Suspicious Activity Report with FinCEN, as they’re likely required to do.  The report then notes that only 7% of those firms reported the incidents to other regulators or law enforcement.  It’s curious to me why the SEC would expect other reports to happen.  With the SAR obligations in place, those firms probably, and reasonably, think all the necessary reporting has been done once the SAR has been filed.  Also, these firms’ written policies and procedures generally don’t address whether they are responsible for client losses associated with cyber incidents.  Along these lines, it might be that requiring multi-factor authentication for clients and customers to access accounts could go a long way toward shifting responsibility for those losses onto the users.

But don’t take my word for it.  Read the report yourself, linked above and here.

The SEC Will Be Your Employment Law Agency, Too

Posted in Whistleblowers

The nature of the SEC’s business as a regulator of public companies lends a certain expansive aspect to its jurisdiction.  That is, when your job as a government agency is to be sure public companies are making complete and accurate disclosure to the market, there’s almost no limit to what some people will want those companies to disclose.  Before you know it, a securities regulator can find itself also regulating conflict minerals, climate change, political contributions (gone for now, but probably not forever), cybersecurity . . . . I don’t think we’ve reached the outer bounds.

Now the Commission is wading deeper and deeper into the employment law business.  We’ve known for some time that the SEC was looking for cases in which to enforce the Dodd-Frank anti-retaliation provisions of the whistleblower rules.  It brought such a case against Paradigm Capital Management just last June.  Also last year, SEC whistleblower chief Sean McKessy warned against companies writing severance agreements to buy their former employees’ silence with post-employment benefits.  “And if we find that kind of language, not only are we going to go to the companies, we are going to go after the lawyers who drafted it,” he said.

But thanks to the Wall Street Journal’s Rachel Louise Ensign, that’s not all.  Oh, no; that’s not all.  In an article from last week, she reports that the Commission is actively looking for that kind of language.  It has sent a request letter asking a number of companies “to turn over every nondisclosure agreement, confidentiality agreement, severance agreement and settlement agreement they entered into with employees since Dodd-Frank went into effect, as well as documents related to corporate training on confidentiality.”  The letter also asks for “all documents that refer or relate to whistleblowing” and lists of terminated employees.

I think this is a relatively big deal.  It’s not like McKessy hasn’t warned companies about this sort of thing.  But it seems like his office is partially developing into an employment law force.  It may not be what people expected when he started that job, but here we are.

SIFMA Gets Its Cybersecurity-Antitrust Wish

Posted in Cybersecurity

I’m sure you remember SIFMA’s Principles for Effective Cybersecurity Regulatory Guidance, issued last October.  I mean, you read about them right here.

One of the principles was this: Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences.  Granted, that language is hard to understand, but what SIFMA was getting at was this: Wall Street firms did not want to share information about how to ward off computer hackers and then turn around and be accused of committing antitrust violations by the Justice Department and the FTC.  While the agencies had issued a statement giving financial firms some comfort on this point, the firms wanted more assurance.

Just last month they got it.  President Obama’s executive order on February 13th specifically encourages private companies in the same industries to form organizations to better share information about online security and attacks.  The executive order may give enough antitrust assurance for large banks and law firms to set up a legal group that would be affiliated with the banking industry’s main forum for cybersecurity information sharing – the Financial Services Information Sharing and Analysis Center.  Which they are trying to do.  As the New York Times reports:

Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies and intellectual property. But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information.

The Times is right.  Large law firms could be vulnerable to cyberattacks.  And in the United States, they’re not publicly held, so they aren’t necessarily obligated to tell anyone in particular about them.  The Times article goes on: “The law firm group under consideration would be set up as an organization to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”

I think this cooperation is a good development for cybersecurity in the U.S.  The issue is too complex for organizations to go it alone and figure the problems out in silos.

Two-Factor Authentication May Be Coming to a Bank Near You

Posted in Cybersecurity

When I was at the SEC and online broker-dealers’ customers were the victims of hacking incidents, I used to wonder, why don’t the broker-dealers require multi-factor authentication to gain access to accounts?  It was a silly question.  I knew the answer.  Multi-factor authentication is a pain and nobody likes it.

Do you know what it is?  Here’s what Wikipedia says, so it must be true:

Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors (“things only the user knows”), such as password; possession factors (“things only the user has”), such as ATM card; inherence factors (“things only the user is”), such as biometrics.

The idea is, hackers might figure out your password, but they won’t be able to figure out a number that changes every 30 seconds on a card you carry or on your cell phone.  They won’t be able to replicate your fingerprint.  That’s the idea, anyway.  Brokers and banks have been loath to require multi-factor authentication because it’s inconvenient and customers often hate it.
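The number that changes every 30 seconds is usually a TOTP (RFC 6238): an HMAC over the current 30-second time step, truncated to six digits. Here is an added example, not from the original post, of how a server generates and checks such codes; the secret is the RFC 4226/6238 test-vector secret, and the drift window and replay guard are design choices assumed here, not something the post or the RFC mandates.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors (ASCII "12345678901234567890").
# In a real deployment this is random, provisioned once to the user's device, and stored
# server-side: it is the "possession factor" the post describes.
TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30  # the code changes every 30 seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given moving counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte picks the offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """Time-based one-time password (RFC 6238): HOTP whose counter is the clock step."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int, window: int = 1,
                last_used_counter: int = -1) -> tuple:
    """Server-side check (assumed design). Accepts the current step and +/- `window`
    adjacent steps to tolerate clock drift, compares in constant time, and refuses any
    counter at or before the last accepted one so a captured code cannot be replayed.
    Returns (accepted, counter_to_remember)."""
    current = unix_time // STEP_SECONDS
    for counter in range(current - window, current + window + 1):
        if counter <= last_used_counter:
            continue  # already consumed or older: one-time means one time
        if hmac.compare_digest(hotp(secret, counter), submitted):
            return True, counter
    return False, last_used_counter


if __name__ == "__main__":
    now = int(time.time())
    print("current code for the test secret:", totp(TEST_SECRET, now))
```

The persisted `last_used_counter` is what turns "a number that changes every 30 seconds" into a genuine one-time code; without it, a code captured by a phisher stays valid for the rest of its window.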

But here comes Ben Lawsky, the Superintendent of New York’s Department of Financial Services, who just unveiled a number of proposals to increase cybersecurity at banks under his jurisdiction.  One of these is to require that banks use multi-factor authentication.  This move could take a lot of the economic pressure off banks that would otherwise like to implement this control for their customers, but have been unwilling to do so for fear of losing those customers to rivals.  If everybody has to do it, nobody bears the competitive risk of imposing it unilaterally.

That’s not all Lawsky has in mind.  His proposal also includes:

  • requiring senior bank executives to personally attest to the adequacy of their systems guarding against money laundering;
  • ensuring that banks receive warranties from third-party vendors that those providers have cybersecurity protections in place;
  • random audits of regulated firms’ transaction monitoring systems, meant to catch money laundering; and
  • incorporating targeted assessments of those institutions’ cybersecurity preparedness in its regular bank examinations.

Lawsky’s proposals could be a big deal.  Stay tuned.