
Cady Bar the Door

Insight & Commentary on SEC Enforcement Actions and White Collar Crime

FINRA Issues Report on Cybersecurity Practices

Posted in Cybersecurity, FINRA

Following up on our post from last week on the SEC’s cybersecurity exam sweep, you should also know about FINRA’s recent report on this area.  Last month, FINRA published a Report on Cybersecurity Practices that really could be useful reading for anyone in a complex business that hopes to keep its electronic data secure.

Where the Report Came From

In 2014, FINRA conducted targeted examinations at a cross-section of member firms, including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers.  FINRA had four objectives: (1) to understand the types of threats firms face; (2) to increase understanding of firms’ risk tolerance, exposure, and major areas of vulnerabilities in their IT systems; (3) to understand firms’ approaches to managing these threats; and (4) to share observations and findings with member firms.  As the report repeatedly recognizes, there is no one-size-fits-all approach to cybersecurity.  But the report does lay out a road map for what brokerages should be doing to protect themselves, no matter where they are on the food chain.

Key Points in the Report

Just because one size doesn’t fit all doesn’t mean some principles are not common to all.  Here are the key points FINRA member firms should consider, followed by our thoughts and quotes from the report:

  • A sound governance framework with strong leadership is essential.

 As used in this report, “governance” and “governance framework” refer broadly to the establishment of “policies, procedures, and processes to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements” in a way that informs its management of cybersecurity risk.  Directors need to involve themselves in these issues and should consider the National Association of Corporate Directors publication Cyber-Risk Oversight in doing that.  Another effective practice is to evaluate relevant industry frameworks and standards as reference points in developing their approach.  The ISO 27001/27002 framework is highlighted as one.  The NIST Framework is another.  Commissioner Aguilar would approve. 

  • Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets—no matter the firm’s size or business model.

FINRA views the risk assessment process as a key driver in a firm’s risk management-based cybersecurity program.  It is also a potentially useful starting point for firms embarking on the establishment of a cybersecurity program. The NIST Framework, for example, identifies six sets of risk assessment activities or outcomes:

  1. identify and document asset vulnerabilities;
  2. review threat and vulnerability information from information sharing forums and sources;
  3. identify and document internal and external threats;
  4. identify potential business impacts and likelihoods;
  5. use threats, vulnerabilities, likelihoods and impacts to determine risk; and
  6. identify and prioritize risk responses.

  • Technical controls, a central component in a firm’s cybersecurity program, are highly contingent on firms’ individual situations.

The one-size-doesn’t-fit-all maxim probably holds more sway here than in any other area.  Smaller firms simply aren’t going to be able to afford the technical safeguards that huge investment banks can.  That said, “firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself.  Effective practices include . . . selecting controls appropriate to the firm’s technology and threat environment, for example: identity and access management; data encryption; and penetration testing.” 

  • Firms should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.

“A firm’s incident response plan should address different attack scenarios, since incidents can occur along many different attack vectors. While it is not feasible to develop step-by-step instructions for every imaginable incident, firms should at least have prepared response plans for the most common attacks to which the firm may be subjected. Based on information firms provided to FINRA, common events at broker-dealers include DDoS attacks, malware infections, insider threats and cyber-enabled fraudulent wire transfers.”   For smaller firms, contracting with a vendor may be the most effective method to provide incident response capability.

  • Broker-dealers typically use vendors for services that provide the vendor with access to sensitive firm or client information or access to firm systems. Firms should manage cybersecurity risk exposures that arise from these relationships by exercising strong due diligence across the lifecycle of their vendor relationships.

“Risk-based due diligence on a prospective vendor’s cybersecurity practices is a critical first step in selecting third-party service providers. This due diligence provides a basis for the firm to evaluate whether the prospective vendor’s cybersecurity measures meet the firm’s cybersecurity standards. This can include discussions about the controls a vendor would need to implement to remediate a weakness relative to the firm’s cybersecurity standards. As a general principle, firms should avoid using vendors whose security standards do not at least meet those of the firm in the relevant area of activity.”

  • A well-trained staff is an important defense against cyberattacks.

True!  People need to know what to do, and what not to do.  “FINRA found that many of the cybersecurity attacks that firms identified were successful precisely because employees made mistakes, such as inadvertently downloading malware or responding to a phishing attack.”

  • Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.

“Firms that can take in and analyze cyber intelligence effectively can proactively implement measures to reduce their vulnerability to cybersecurity threats and thereby improve their ability to protect both customer and firm information.”  The FS-ISAC (discussed here) provides a venue for the financial services industry to share threat intelligence, anonymously if so desired, and the ability to turn threat data into “actionable intelligence.”

Somebody at FINRA did a lot of good work on this report.  You should read it and consider its recommendations.

SEC Releases Results of Cybersecurity Exam Sweep

Posted in Cybersecurity

We’re a bit behind on this, but better (a little bit) late than never.  Last month the SEC’s Office of Compliance Inspections and Examinations released the first results of its Cybersecurity Examination Initiative, announced in April 2014 (and discussed here).  As part of the initiative, OCIE staff examined 57 broker-dealers and 49 investment advisers to better understand how these entities “address the legal, regulatory, and compliance issues associated with cybersecurity.”

What the Exams Looked For

In the exams, the staff collected and analyzed information from the selected firms relating to their practices for:

  • identifying risks related to cybersecurity;
  • establishing cybersecurity governance, including policies, procedures, and oversight processes;
  • protecting firm networks and information;
  • identifying and addressing risks associated with remote access to client information and fund transfer requests;
  • identifying and addressing risks associated with vendors and other third parties; and
  • detecting other unauthorized activity.

Importantly, the report is based on information as it existed in 2013 and through April 2014, so it’s already somewhat out of date.

The Good News

The report includes some good news about how seriously the SEC’s registered entities are taking cybersecurity.

  • The vast majority of examined broker-dealers (93%) and investment advisers (83%) have adopted written information security policies.
  • The vast majority of examined broker-dealers (93%) and investment advisers (79%) conduct periodic risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.
  • The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources.
  • Many firms are utilizing external standards and other resources to model their information security architecture and processes. These include standards published by the National Institute of Standards and Technology (“NIST”), the International Organization for Standardization (“ISO”), and the Federal Financial Institutions Examination Council (“FFIEC”).

Encouraging!  But the report didn’t bring all good tidings.

The Bad News

Here are some of the less auspicious facts:

  • 88% of the broker-dealers and 74% of the advisers reported being the subject of a cyber-related incident.
  • Most of the broker-dealers (88%) require risk assessments of their vendors, but only 32% of the investment advisers do.
  • Related to that, most of the broker-dealers incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners (72%), but only 24% of the advisers incorporate such requirements. Fewer of each maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks.
  • A slight majority of the broker-dealers maintain insurance for cybersecurity incidents, and only 21% of the investment advisers do.

The Rest

Almost two-thirds of the broker-dealers (65%) that received fraudulent emails seeking to transfer funds filed a Suspicious Activity Report with FinCEN, as they’re likely required to do.  The report then notes that only 7% of those firms reported the incidents to other regulators or law enforcement.  It’s curious to me why the SEC would expect other reports to happen.  With the SAR obligations in place, those firms probably, and reasonably, think all the necessary reporting has been done after the SAR has been filed.  Also, these firms’ written policies and procedures generally don’t address whether they are responsible for client losses associated with cyber incidents.  Along these lines, it might be that requiring multi-factor authentication for clients and customers to access accounts could go a long way toward pushing responsibility for those losses onto the users.

But don’t take my word for it.  Read the report yourself, linked above and here.

The SEC Will Be Your Employment Law Agency, Too

Posted in Whistleblowers

The nature of the SEC’s business as a regulator of public companies lends a certain expansive aspect to its jurisdiction.  That is, when your job as a government agency is to be sure public companies are making complete and accurate disclosure to the market, there’s almost no limit to what some people will want those companies to disclose.  Before you know it, a securities regulator can find itself also regulating conflict minerals, climate change, political contributions (gone for now, but probably not forever), cybersecurity . . . . I don’t think we’ve reached the outer bounds.

Now the Commission is wading deeper and deeper into the employment law business.  We’ve known for some time that the SEC was looking for cases in which to enforce the Dodd-Frank anti-retaliation provisions of the whistleblower rules.  It brought such a case against Paradigm Capital Management just last June.  Also last year, SEC whistleblower chief Sean McKessy warned against companies writing severance agreements to buy their former employees’ silence with post-employment benefits.   “And if we find that kind of language, not only are we going to go to the companies, we are going to go after the lawyers who drafted it,” he said.

But thanks to the Wall Street Journal’s Rachel Louise Ensign, that’s not all.  Oh, no; that’s not all.  In an article from last week, she reports that the Commission is actively looking for that kind of language.  It has sent a request letter asking a number of companies “to turn over every nondisclosure agreement, confidentiality agreement, severance agreement and settlement agreement they entered into with employees since Dodd-Frank went into effect, as well as documents related to corporate training on confidentiality.”  The letter also asks for “all documents that refer or relate to whistleblowing” and lists of terminated employees.

I think this is a relatively big deal.  It’s not like McKessy hasn’t warned companies about this sort of thing.  But it seems like his office is partially developing into an employment law force.  It may not be what people expected when he started that job, but here we are.

SIFMA Gets Its Cybersecurity-Antitrust Wish

Posted in Cybersecurity

I’m sure you remember SIFMA’s Principles for Effective Cybersecurity Regulatory Guidance, issued last October.  I mean, you read about them right here.

One of the principles was this: Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences.  Granted, that language is hard to understand, but what SIFMA was getting at was this: Wall Street firms did not want to share information about how to ward off computer hackers and then turn around and be accused of committing antitrust violations by the Justice Department and the FTC.  While the agencies had issued a statement giving financial firms some comfort on this point, the firms wanted more assurance.

Just last month they got it.  President Obama’s executive order on February 13th specifically encourages private companies in the same industries to form organizations to better share information about online security and attacks.  The executive order may give enough antitrust assurance for large banks and law firms to set up a legal group that would be affiliated with the banking industry’s main forum for cybersecurity information sharing – the Financial Services Information Sharing and Analysis Center.  Which they are trying to do.  As the New York Times reports:

Law enforcement agencies have long been concerned about the vulnerability of United States law firms to online attacks because they are seen by hackers and nations bent on corporate espionage as a rich repository of company secrets, business strategies and intellectual property. But attacks on law firms often go unreported because the firms are private and not subject to the same kind of data-breach reporting requirements as public companies that handle sensitive consumer information.

The Times is right.  Large law firms could be vulnerable to cyberattacks.  And in the United States, they’re not publicly held, so they aren’t necessarily obligated to tell anyone in particular about them.  The Times article goes on: “The law firm group under consideration would be set up as an organization to share and analyze information and would permit firms to share anonymously information about hackings and threats on computer networks in much the same way that bank and brokerage firms share similar information with the financial services group.”

I think this cooperation is a good development for cybersecurity in the U.S.  The issue is too complex for organizations to go it alone and figure the problems out in silos.

Two-Factor Authentication May Be Coming to a Bank Near You

Posted in Cybersecurity

When I was at the SEC and online broker-dealers’ customers were the victims of hacking incidents, I used to wonder, why don’t the broker-dealers require multi-factor authentication to gain access to accounts?  It was a silly question.  I knew the answer.  Multi-factor authentication is a pain and nobody likes it.

Do you know what it is?  Here’s what Wikipedia says, so it must be true:

Multi-factor authentication (MFA) is a method of computer access control which a user can pass by successfully presenting authentication factors from at least two of the three categories: knowledge factors (“things only the user knows”), such as password; possession factors (“things only the user has”), such as ATM card; inherence factors (“things only the user is”), such as biometrics.

The idea is, hackers might figure out your password, but they won’t be able to figure out a number that changes every 30 seconds on a card you carry or on your cell phone.  They won’t be able to replicate your fingerprint.  That’s the idea, anyway.  Brokers and banks have been loath to require multi-factor authentication because it’s inconvenient and customers often hate it.

But here comes Ben Lawsky, the Superintendent of New York’s Department of Financial Services, who just unveiled a number of proposals to increase cybersecurity at banks under his jurisdiction.  One of these is to require that banks use multi-factor authentication.  This move could take a lot of the economic pressure off banks that would otherwise like to implement this control for their customers, but have been unwilling to do so for fear of losing those customers to rivals.  If everybody has to do it, there’s not a lot of fear from imposing it unilaterally.

That’s not all Lawsky has in mind.  His proposal also includes:

  • requiring senior bank executives to personally attest to the adequacy of their systems guarding against money laundering;
  • ensuring that banks receive warranties from third-party vendors that those providers have cybersecurity protections in place;
  • random audits of regulated firms’ transaction monitoring systems, meant to catch money laundering; and
  • incorporating targeted assessments of those institutions’ cybersecurity preparedness in its regular bank examinations.

Lawsky’s proposals could be a big deal.  Stay tuned.

In Ordering Disgorgement in SEC Cases, Courts Have Discretion, but Not That Much Discretion

Posted in SEC Litigation

When defendants argue in federal court against the SEC’s calculation of a disgorgement figure, they hear a lot of this:

  • “A district court has broad discretion to order disgorgement of profits obtained through violation of federal securities laws and, if ordered, in calculating the disgorgement amount.”  SEC v. First Jersey Sec., Inc., 101 F.3d 1450, 1474-75 (2d Cir. 1996).
  • “[B]ecause of the difficulty of determining with certainty the extent to which a defendant’s gains resulted from his frauds . . . the court need not determine the amount of such gains with exactitude.” SEC v. Razmilovic, 738 F.3d 14, 31 (2d Cir. 2013).
  • “The amount of disgorgement ordered need only be a reasonable approximation of profits causally connected to the violation. . . . [A]ny risk of uncertainty in calculating disgorgement should fall upon the wrongdoer whose illegal conduct created that uncertainty.” SEC v. Contorinis, 743 F.3d 296, 305 (2d Cir. 2014).

No fun for the defendants, right?  With the playing field tilted that way, it almost seems like the SEC should never lose on the disgorgement calculation analysis.  Put another way, if the SEC throws up almost anything rational, it should be able to convince the court to accept its calculation and impose that figure on a litigating defendant.

But not always.  Just last week in SEC v. McGinn, Smith & Co., 1:10-cv-457-GLS (N.D.N.Y.), the SEC had asked for $124 million in disgorgement, but the court found the SEC’s submission on this point to be wholly lacking.  Here’s what the court said:

In support of its assertion that $124 million is a reasonable approximation of “all proceeds of the offering fraud remaining unpaid to investors,” the SEC cites one paragraph of the Receiver’s declaration, which in turn cites no additional evidence supporting that calculation. The court cannot and will not rely on one sentence from the Receiver’s declaration and, willy-nilly, order $124 million to be disgorged; more explanation is necessary.

The court noted its disappointment with the SEC’s “haphazard filing” and its “utter failure to provide any specificity with respect to its requests for an order granting $124 million in disgorgement and $124 million in civil penalties.”  But it also cited examples from when the Commission had done a much better job and carefully documented bank records, issuer records, and investor checks to establish the amounts properly at issue.

To me, the lesson for defendants is pretty clear: if you want to overcome the presumption in favor of the SEC’s disgorgement calculation, get your ducks in a row.  If the case is appropriate, go through the tedious process of documenting where the money did and did not go.  Advocate for your client at every stage and force the SEC to do the same.  The presumption in favor of the SEC’s calculation is only that, a presumption.  Though the defendants didn’t do so effectively here, that calculation can be rebutted and you can prevent an unsupported disgorgement figure from being imposed.

The FCPA on Prezi

Posted in FCPA

I spoke at the UNC Festival of Legal Learning last week about recent developments in the law surrounding the FCPA.  It’s always a little tricky speaking to novices in any area, because you have to lay a lot of groundwork for the recent developments to make sense.  Anyway, PowerPoint has become tiresome to me, and I wanted to use something else for the talk.  I tried Prezi, and here’s what I did.  I’m plainly a novice.  Here are some much cooler ones.  I did this one mostly as an experiment and to see what I could get done with a modest amount of effort on the technical side.

What I like about Prezi is its ability to keep the audience visually engaged and reminded about where they are in the overall structure of the talk.  That is, even if the audience zones out for a bit, it’s easy to see, okay we were talking about the anti-bribery provisions and now we’re onto the accounting provisions.  The zooming in and out could be distracting if misused, but it can also be very effective in keeping the audience on track.  You can sort of do that in PowerPoint with footers and other things, but I think that program can be much less helpful in that way.  Anyway, if people have thoughts I’d be very interested in hearing them.

One Good Thing and One Bad Thing about SEC Administrative Proceedings

Posted in Administrative Proceedings

One of my favorite lines from my kids’ books involves a cat named Pickles who’s having something of an identity crisis.  Pickles doesn’t really have an owner, but does have a temporary caretaker, who tells him, “Pickles, you’re not a bad cat.  You’re not a good cat. . . . You’re a mixed up cat.”  So it is with many of us, I guess, and so it is with SEC administrative proceedings.

Granted, I tend to agree with many of the SEC’s critics who have decried the Commission’s use – since Dodd-Frank was passed – of administrative proceedings to seek penalties against non-registered respondents.  It used to be that those penalties could be gotten only in federal court.  Not anymore.  Now the SEC can go into its own administrative forum and put respondents on an extremely fast track to an adjudication without the discovery provided in the Federal Rules of Civil Procedure.  It’s not all bad, though.

One Good Thing   

One thing the SEC does that I think is actually useful for those interested in the administrative proceedings is it makes all of the pleadings available online for free.  It’s true, and you can find them here.  It would be better if the archives went further back in time, but what is available is pretty good.  Still, it’s better than PACER, for the federal courts, which requires an account and charges $.10 per page.  And it’s way better than the U.S. Tax Court, whose online docket is embarrassingly limited.  (Check it out.  It’s ridiculous.)

One Bad Thing

Here’s one more bad thing about the new age of the SEC’s administrative proceedings.   Until recently, I thought that in a settled case, it didn’t really matter.  Settle it in federal court or administrative court – six of one, half dozen of the other.  But that’s not really true.  Judge Rakoff got a lot of attention for disrupting the SEC’s process for settled matters, mostly because he thought the Commission was going too easy on Citigroup in 2011.  A number of other judges followed suit in refusing to rubber stamp other proposed SEC settlements for the same reason.  But it could go the other way, too.  Sometimes the SEC will take an extremely aggressive position against a financially weaker defendant who has little choice but to settle to onerous terms, even when the legal authority for the case is tenuous.  In that situation, it could be useful to have a federal court scrutinize the settlement to be sure the facts match up with existing law.  But if the settlement takes the form of an administrative order, it will never get that scrutiny.  Oh, well.  Only their lawyers are crying for those defendants.  But others should, because it could be them next.

S.D.N.Y. Vacates Insider Trading Guilty Pleas, Shows How It’s Done

Posted in Insider Trading

As you probably know if you’re reading this, in December the Second Circuit upended insider trading law for “tipping” cases by (1) giving some structure to the definition of the personal benefit that must come to the original tipper, and (2) requiring that tippees farther down the chain know exactly what the original tipper’s personal benefit was.  The ripple effects from the decision in United States v. Newman have come quickly and have already been dramatic.

On January 22nd, Judge Carter in the Southern District of New York looked at an insider trading case before him, hung it up next to Newman, and decided the four guilty pleas it contained couldn’t hold together.  But how do you even do that?  After you’ve pled guilty isn’t it pretty much over?  Not quite.  Here’s how Judge Carter put it:

Under Rule 11(b)(3) of the Federal Rules of Criminal Procedure, a district court judge has an obligation up through the entry of judgment to vacate a previously-accepted guilty plea and enter a plea of not guilty on behalf of a defendant if it becomes clear that there is no longer a sufficient factual basis for the plea.  See, e.g., United States v. Culbertson, 670 F.3d 183, 191 n.4 (2d Cir. 2012) (citing United States v. Smith, 160 F.3d 117, 121 (2d Cir. 1998)).  The Second Circuit has said that, in determining whether such a factual basis exists, judges should “match[] the facts in the record with the legal elements of the crime.”  United States v. Calderon, 243 F.3d 587, 589-90 (2001) (citing United States v. Smith, 160 F.3d 117, 121 (2d Cir. 1998)).  Facts considered to be in the record can include not only the defendant’s allocution, but also any representations made by counsel for the defense and the government on the record and the allegations in the indictment.  Smith, 160 F.3d at 121.

Here, Newman has changed the law for tipper/tippee cases so drastically, it’s not surprising that the facts in at least some open cases do not “match . . . with the legal elements of the crime.”  For most criminal cases, those elements are not going to be in great flux.  With insider trading law, though, so much has been left up to the courts, it’s not shocking that an appellate court made a left turn that wasn’t anticipated when the indictments were issued (these in late 2012).

Incidentally, last Thursday the government dismissed the charges entirely.  They could be refiled if the Second Circuit or the Supreme Court pares back Newman, but it is a happy day for these defendants.

The SEC Totally Cares about Its Injunctions

Posted in SEC Litigation

Last week I wrote a post discussing the injunctions the SEC typically obtains against defendants in federal court.  I noted the oddity of these obey-the-law injunctions and wondered aloud why the Commission never pursues findings of contempt when those defendants disobey the very provisions they were ordered never to disobey again.

In a comment to the post, Robert Knuts noted “[t]wo simple reasons. 1. A permanent injunction triggers potential collateral consequences under various provisions of the Federal securities laws. 2. If such a recidivist went to trial, the violation of the prior injunction would likely lead to maximum civil penalties.”

These are both probably true.  The first certainly is.  Especially for large financial institutions, limiting and avoiding the collateral consequences of SEC injunctions and other regulatory sanctions can be almost its own practice area.  I had meant to mention this in the original post and forgot in the late night fog of composition.  As for the second, I don’t have supporting data, but violation of prior injunctions certainly wouldn’t be helpful to a defendant in a second go-round with the SEC in federal court.  So the original injunction would have value to the Commission in that respect.

But one thing that should be mentioned: this isn’t the only way a federal agency might handle the injunctions it seeks.  The Federal Trade Commission, for one, routinely pursues and wins civil contempt orders against defendants who have violated injunctions issued by federal courts.  Those injunctions, though, do not merely order defendants to obey specific provisions of the law.  They order defendants not to do specific things, such as “using infomercials to sell any product, service, or program.”  When the people subject to those orders go off-track, occasionally the FTC steps in and asks a court to hold them in contempt for doing so.

If anyone knows the history of how these two agencies’ practices regarding injunctions developed, I’d be happy to hear that.