The U.S. Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P which require investment adviser firms registered with the SEC to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information including procedures for providing timely notification to customers affected by an incident involving sensitive customer information.
Category Archives: Cybersecurity
Beware of Phishing Emails Impersonating FINRA
On Thursday, April 4, we received numerous inquiries from investment adviser firm owners and/or senior executives who had received an unexpected email supposedly from FINRA’s Chief Legal Officer or Chief Information Officer which utilized an email address ending in @ data-finra .org. In response, our Consulting Team contacted the IARD Entitlement Support Line which confirmed that these emails did not originate from FINRA.
On April 18, 2022, Kentucky announced that it had adopted Senate Bill (“SB”) 298, making it the newest state to adopt an investment adviser representative continuing education (“IAR CE”) requirement, joining Mississippi, Vermont, Maryland, Michigan, and Wisconsin. Along with Michigan and Wisconsin, Kentucky’s new rule will become effective January 1, 2023. For investment adviser representatives in Mississippi, Vermont, and Maryland, an IAR CE requirement is already in effect.
Email Phishing Scam from a FINRA Imposter
April 25, 2022
It was brought recently to our attention that many of our investment adviser clients have received a suspicious email similar to the sample below. This email appears to be sent from the email domain: claims-finra.org and includes a subject line such as “Re: FINRA URGENT REQUEST FOR….”
RIA Phishing Email Alert – Posing as FINRA
June 09, 2021
Recently, several of our RIA clients have received suspicious emails claiming to be from FINRA. The suspicious emails used the subject line “New FINRA Request – (Firm Name),” and came from an email address with the domain, “@gateway-finra.org” Below is a screenshot of one of these suspicious emails.
NASAA Reminds RIAs to Contact Regulators Regarding Recent RIA Cybersecurity Incident
January 08, 2021
On January 7, 2021, the North American Securities Administrators Association (NASAA) reminded state-registered investment advisers to report to their primary securities regulator any known issues or concerns related to a recent RIA cybersecurity incident.
In this new environment of working from home during the COVID-19 pandemic, it’s important for investment adviser firms to remember to conduct initial and ongoing due diligence of the cybersecurity policies and practices (including incident response plans) of third-party vendors which maintain confidential information of your investment advisory clients and provide services through the cloud over the Internet.
The Securities Bureau of the Nebraska Department of Banking and Finance has proposed a new rule which would require investment advisers to develop and maintain physical and cybersecurity policies and procedures designed to protect client records and information.
NASAA Cybersecurity Model Rule Package
May 31, 2019
On May 21, 2019, the North American Securities Administrators Association (NASAA) released a model cybersecurity rule package. NASAA’s proposed rule would require investment advisers to adopt policies and procedures regarding information security and to deliver annually its privacy policy to clients.
SEC Risk Alert – Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies
May 07, 2019
On April 16, 2019, the United States Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) issued a risk alert about “Compliance Issues Related to Regulation S-P – Privacy Notices and Safeguard Policies” to encourage investment adviser firms to review their written policies and procedures to, “ensure compliance with the relevant regulatory requirements.”
