Investment Management

Posted on Wednesday, July 26 2017 at 8:58 am by

Six Ways to Improve Cybersecurity Policies and Procedures

By Paul Foley and John I. Sanders

The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1]  While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2]  This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity.  Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]

1. Passwords. The SEC has recommended that investors choose a strong password (e.g., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4]  Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.

2.  Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (e.g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5]  Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.

3.  Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6]  When an investor does use a public computer, the SEC recommends investors take the following precautions:  disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7]  Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.

4.  Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8]  Many financial institutions have a secure website already, but those that do not may want to consider implementing one.

5.  Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and to confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9]  In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances.  Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of the link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.

6.  Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10]  In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions.  Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (e.g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).

Please contact us if you have any questions about this article or the SEC’s cybersecurity guidance.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf; SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.

[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of cybersecurity resources for both investors and securities industry professionals).

[3] SEC, Updated Investor Bulletin:  Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

Posted on Thursday, May 25 2017 at 9:32 pm by

DOL Puts Advisers on Notice:  Fiduciary Rule Will Be Effective June 9th

By Paul Foley and John I. Sanders

On March 2, 2017, the DOL extended the applicability date of the Conflict of Interest Rule (the “Fiduciary Rule”) from April 10, 2017 to June 9, 2017.[1]  This week, with the extension drawing to a close, Secretary of Labor Alexander Acosta has reported that the DOL “found no principled legal basis” to delay the applicability date beyond June 9.[2]  It is now a near-certainty that the Fiduciary Rule will “go live” on that date.

Despite DOL statements about a “transition period” and a “phased approach to implementation,” the heart of the Fiduciary Rule will be effective in just two weeks.[3]  Most importantly, “investment advice providers to retirement savers will become fiduciaries.”[4]  As fiduciaries, they must provide impartial advice in the customer’s best interest and cannot accept payments creating conflicts of interest (i.e., commissions and 12b-1 fees) unless they qualify for an exemption.[5]  Among exemptions, the Best Interest Contract Exemption is especially enticing before more stringent requirements for its use go into effect on January 1, 2018.[6]  Until January 1, 2018, the only conditions for the BIC Exemption are:  (i) investment advice is in the “best interest” of the retirement investor, meaning that it is both prudent and the advice is based on the interest of the investor rather than the adviser; (ii) no more than reasonable compensation is charged; and (iii) no misleading statements are made about the transaction, compensation or conflicts of interest.[7]  After January 1, 2018, an actual contract with particular terms will be required.[8]

For many investment advisers (as opposed to broker-dealers and their registered representatives), the impending applicability of the Fiduciary Rule is not a significant concern.  The DOL has stated that a fee based on assets under management (i.e., flat asset-based fees or traditional wrap fee arrangements) typically would not raise any issues under the Fiduciary Rule.[9]  However, for investment advisers not currently employing such fee arrangements, the Fiduciary Rule likely will require changes.[10]

In an effort to calm would-be fiduciaries that will not be able to meet the June 9th deadline for compliance with the Fiduciary Rule, the DOL issued a temporary enforcement policy on May 22nd stating that it would not take any enforcement action against “fiduciaries who are working diligently and in good faith to comply with the new rule and exemptions” until January 1, 2018.[11]  The DOL also promised an enforcement approach prior to January 1, 2018 “marked by an emphasis on compliance assistance (rather than citing violations and imposing penalties).”[12]  This policy only applies to DOL enforcement actions.  Investors may still bring private actions (i.e., fraud or breach of contract claims) against those who breach their fiduciary duties, and the IRS may still impose excise taxes or seek civil penalties.[13]

With applicability of the Fiduciary Rule just two weeks away, all investment advisers should assess its applicability to them and prepare accordingly.  At a minimum, this means working with compliance staff and legal counsel to determine whether all advice given to retirement investors is:  (i) in the client’s best interest (which investment advisers, as fiduciaries, should already be doing), (ii) impartial, and (iii) free of payments to the investment adviser that give rise to a conflict of interest.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s New York and Winston-Salem offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] Department of Labor, Conflict of Interest Rule – Retirement Investment Advice; Proposed Rule; Extension of Applicability Date (March 1, 2017), available at https://www.dol.gov/agencies/ebsa/laws-and-regulations/rules-and-regulations/completed-rulemaking/1210-AB32-2.

[2] Id.

[3] Department of Labor, Conflict of Interest FAQs (Transition Period) (May 2017), available at https://www.dol.gov/sites/default/files/ebsa/about-ebsa/our-activities/resource-center/faqs/coi-transition-period.pdf.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Conflict of Interest Rule, 81 Fed. Reg. 20946, 20992 (April 8, 2016) (to be codified at 29 CFR Parts 2509, 2510, and 2550) (The DOL has stated that if an investment adviser using a flat fee or wrap fee compensation model makes recommendations that would generate additional compensation for the adviser (e.g., adviser recommends rolling an IRA into an annuity that will generate fees for the adviser), then the adviser would need to rely on an exception.)

[10] Id.

[11] Department of Labor, Conflict of Interest FAQs (Transition Period) (May 2017), available at https://www.dol.gov/sites/default/files/ebsa/about-ebsa/our-activities/resource-center/faqs/coi-transition-period.pdf.

[12] Id.

[13] Conflict of Interest Rule, 81 Fed. Reg. 20946, 20653 (April 8, 2016) (to be codified at 29 CFR Parts 2509, 2510, and 2550).