Investment Management

Posted on Wednesday, July 26 2017 at 8:58 am by

Six Ways to Improve Cybersecurity Policies and Procedures

By Paul Foley and John I. Sanders

The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1]  While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2]  This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity.  Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]

1. Passwords. The SEC has recommended that investors choose a strong password (i.e., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4]  Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.

2.  Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (e.g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5]  Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.

3.  Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6]  When an investor does use a public computer, the SEC recommends investors take the following precautions:  disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7]  Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.

4.  Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8]  Many financial institutions have a secure website already, but those that do not may want to consider implementing one.

5.  Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and to confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9]  In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances.  Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of the link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.

6.  Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10]  In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions.  Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (e.g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).

Please contact us if you have any questions about this article or the SEC’s cybersecurity guidance.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf; SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.

[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of cybersecurity resources for both investors and securities industry professionals).

[3] SEC, Updated Investor Bulletin:  Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

Posted on Friday, July 14 2017 at 12:01 pm by

Broker-Dealers and Investment Advisers Exempted from CFPB’s Arbitration Agreement Rule

By Paul Foley and John I. Sanders

The Consumer Financial Protection Bureau (the “CFPB”) issued a final rule on July 10, 2017 that has received widespread attention.[1]  The rule, promulgated pursuant to section 1028(b) of the Dodd-Frank Act, generally regulates “arbitration agreements in contracts for specified consumer financial products and services.”[2]  More specifically, the rule prohibits the use of arbitration agreements by providers of certain financial products and services “to bar the consumer from filing or participating in a class action.”[3]  Despite the apparent wide sweep of the rule, it includes important exemptions for broker-dealers and investment advisers.

First, the rule expressly exempts from its prohibitions “broker-dealers and investment advisers, as well as their employees, agents, and contractors, to the extent regulated by the SEC.”[4]  Also, the rule exempts those “regulated by a State securities commissioner as a broker-dealer or investment adviser.”[5]  As a result of these exemptions, the use of arbitration agreements by broker-dealers and investment advisers will continue to be regulated by the SEC and state regulators.  So far, the SEC has not exercised its authority under section 921 of the Dodd-Frank Act to restrict the use of arbitration agreements as the CFPB has done, and there is no indication it will do so soon.[6]

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] See, e.g., Megan Leonhardt, Money Magazine, CFPB Just Issued a New Rule That Would Protect Consumers From Predatory Fine Print (July 11, 2017), available at http://time.com/money/4852123/cfpb-mandatory-arbitration-rule/; Maria LaMagna, MarketWatch, CFPB Announces Rule That Could Help Consumers Sue Financial Firms for Millions (July 11, 2017), available at http://time.com/money/4852123/cfpb-mandatory-arbitration-rule/; and Jessica Silver-Greenberg and Michael Corkery, The New York Times, U.S. Agency Moves to Allow Class-Action Lawsuits Against Financial Firms (July 10, 2017), available at https://www.nytimes.com/2017/07/10/business/dealbook/class-action-lawsuits-finance-banks.html.

[2] CFPB, Final Rule: Arbitration Agreements (July 10, 2017), available at https://www.consumerfinance.gov/policy-compliance/rulemaking/final-rules/arbitration-agreements/ (hereinafter “Arbitration Rule”).

[3] Id. at p. 1.

[4] Id. at p. 478.

[5] Id. at p. 479.

[6] 15 U.S.C. 78o(o) (authorizing the SEC to regulate broker-dealer arbitration agreements) and 15 U.S.C. 80b-5(f) (authorizing the SEC to regulate investment adviser arbitration agreements).