Investment Management

Posted on Wednesday, July 26 2017 at 8:58 am

Six Ways to Improve Cybersecurity Policies and Procedures

By Paul Foley and John I. Sanders

The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1]  While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2]  This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity.  Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]

1. Passwords. The SEC has recommended that investors choose a strong password (i.e., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4]  Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.

2. Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (e.g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5]  Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.

3. Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6]  When an investor does use a public computer, the SEC recommends investors take the following precautions:  disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7]  Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.

4. Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8]  Many financial institutions have a secure website already, but those that do not may want to consider implementing one.

5. Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and to confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9]  In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances.  Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of the link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.

6. Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10]  In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions.  Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (e.g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).

Please contact us if you have any questions about this article or the SEC’s cybersecurity guidance.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.

[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf;  SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.

[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of cybersecurity resources for both investors and securities industry professionals).

[3] SEC, Updated Investor Bulletin:  Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.

[4] Id.

[5] Id.

[6] Id.

[7] Id.

[8] Id.

[9] Id.

[10] Id.

Posted on Tuesday, June 6 2017 at 12:13 pm

Kokesh v. SEC:  The U.S. Supreme Court Limits SEC Disgorgement Powers

By Paul Foley and John I. Sanders

Since the 1970s, courts have regularly ordered disgorgement of ill-gotten gains in SEC enforcement proceedings.[1]  According to the SEC, this was done as a means to both “deprive . . . defendants of their profits in order to remove any monetary reward for violating” securities laws and “protect the investing public by providing an effective deterrent to future violations.”[2]  Disgorgement has been one of the SEC’s most powerful tools in recent years.[3]  Yesterday, the Supreme Court issued an opinion that significantly limits the SEC’s ability to disgorge ill-gotten gains.[4]

The question before the Supreme Court in Kokesh v. SEC was whether disgorgement, as it has been used by the SEC, constitutes a “penalty.”[5]  Under federal law, a 5-year statute of limitations applies to any “action, suit or proceeding for the enforcement of any civil fine, penalty, or forfeiture, pecuniary or otherwise.”[6]  The SEC has long argued that disgorgement does not constitute a “penalty” and, therefore, is not subject to a 5-year statute of limitations.  The Supreme Court unanimously rejected the SEC’s position by holding that disgorgement constitutes a “penalty.”[7]  As a result, the SEC will be precluded from collecting ill-gotten gains obtained by the defendant more than five years before the date on which the SEC files its complaint.[8]

In the Kokesh case, the Supreme Court’s decision means that the defendant may retain $29.9 million of the $34.9 million of allegedly ill-gotten gains because that amount was received outside of the 5-year statute of limitations.[9]  The Kokesh decision is also likely to have a significant long-term impact on SEC enforcement proceedings by reducing the leverage the SEC can apply while negotiating settlements.

Paul Foley is a partner with Kilpatrick Townsend & Stockton’s Winston-Salem and New York offices.  John I. Sanders is an associate based in the firm’s Winston-Salem office.


[1] SEC v. Texas Gulf Sulphur Co., 312 F. Supp. 77, 91 (SDNY 1970), aff’d in part and rev’d in part, 446 F. 2d 1301 (CA2 1971).

[2] Id. at 92.

[3] SEC, SEC Announces Enforcement Results for FY 2016 (Oct. 11, 2016), available at https://www.sec.gov/news/pressrelease/2016-212.html (illustrating that the SEC has obtained more than $4 billion in disgorgements and penalties in each of the three most recent fiscal years).

[4] Kokesh v. SEC, available at www.supremecourt.gov.

[5] Id. (“This case presents the question whether [28 U.S.C.] §2462 applies to claims for disgorgement imposed as a sanction for violating a federal securities law.”).

[6] 28 U.S.C. §2462 (2017).

[7] Kokesh v. SEC, supra note 4, available at www.supremecourt.gov (“SEC disgorgement thus bears all the hallmarks of a penalty: It is imposed as a consequence of violating a public law and it is intended to deter, not to compensate.”).

[8] Id.

[9] Id.
