Archive for September, 2015

SEC Settles Action Against Investment Adviser for Failing to Adopt Adequate Cybersecurity Policies and Procedures

Wednesday, September 30th, 2015

On September 22, 2015, the SEC settled an enforcement action initiated against R.T. Jones Capital Equities Management, Inc. (“R.T. Jones”), an SEC-registered investment adviser, for its alleged failure to adopt written policies and procedures reasonably designed to protect its customers’ information and records in violation of Rule 30(a) of Regulation S-P under the Securities Act of 1933. Among other things, the SEC alleged that from September 2009 through July 2013, R.T. Jones stored clients’ personal information on a third party-hosted web server, which was ultimately attacked by an unknown hacker who gained access to the personal information of approximately 100,000 individuals, including thousands of the firm’s clients. Although R.T. Jones responded to the attack by promptly retaining multiple consulting firms to identify the source of the attack, notifying affected clients about the attack and offering clients free identity theft monitoring services, the SEC stated that the firm should have taken more proactive measures to detect, prevent and address such cyberattacks. For instance, the SEC suggested that R.T. Jones could have conducted periodic data security risk assessments, erected a firewall, encrypted clients’ personal information stored on its server and/or adopted a cybersecurity attack response plan. Importantly, the SEC brought this action despite the fact that there was no evidence to suggest that any R.T. Jones clients suffered any financial harm as a result of the data breach. Without admitting or denying the findings, R.T. Jones agreed to a cease-and-desist order, a censure and a $75,000 penalty to settle the action.

The action brought against R.T. Jones evidences the SEC’s growing emphasis on cybersecurity preparedness for investment advisers. Therefore, investment advisers should take a close look at how they store clients’ personal information, identify data security risks and adopt appropriate policies and procedures to address such risks. Investment advisers should also train their employees with respect to cybersecurity preparedness and the protection of customer information and records.

How to interact with clients on Facebook in light of new constraints on archiving messages per @danbernstein via @RIABiz @lisshidler

Monday, September 28th, 2015

Another effect of Facebook’s policy changes is that third-party firms can no longer collect and store instant message exchanges between advisors and clients — a practice required by compliance regulations. Advisors can still track clients’ life events without inviting regulators’ wrath — but on their time and without the help of third parties, says Dan Bernstein, a regulatory attorney at MarketCounsel of Englewood, N.J.

“One of the advantages of being on Facebook is you can keep track of a client’s life events and that doesn’t require any regulatory scrutiny. In fact, there is no problem if the advisor is collecting the information him or herself,” he says. “You don’t want to be creepy but you can send an email with a congratulations. That is why there is supervision with Smarsh for advisors who are using their personal account for business purposes. The third-party providers may not be able to store and supervise these communications any longer.”

Third parties face no limitations on the Facebook business pages, but the user base for the business pages has always comprised only a small fraction of Facebook’s overall user base. This may motivate advisors to persist in using the consumer site — just with a higher level of caution and common sense. “You’ve got to look at what the regulations care about,” Bernstein says. “You don’t need to document and keep track and retain a ‘happy birthday’ but when the conversation starts to change to, ‘I think we want to make some moves in this account’ then it has to be supervised.”


“While boosting oversight of advisors was dead politically this year, none of those issues has gone away” says @HDelux via @ThinkAdvisor

Monday, September 28th, 2015

While boosting oversight of advisors via user fees, third-party examiners or a separate self-regulatory organization was dead politically this year, none of those issues has gone away, says Brian Hamburger, CEO of MarketCounsel, and more advisor exams are likely on the horizon. All three of those issues “continue to be at the forefront of discussions” on how to increase RIA oversight, Hamburger says.


‘Disaster recovery, business continuity, cybersecurity, other initiatives advancing despite regulation,’ says @HDelux via @ThinkAdvisor

Monday, September 28th, 2015

Regulatory issues that aren’t getting the attention they need, “but advisors are moving on them nonetheless because they are smart business decisions,” include cybersecurity, business continuity, succession planning and disaster recovery, argues MarketCounsel CEO Brian Hamburger.


David Mrazik changes the dialogue on the SEC’s case against Bennett via @FinPlan

Thursday, September 10th, 2015

David Mrazik says Bennett’s hosting of a media program is not the reason for the SEC case; advisors are allowed to promote their businesses. “Nothing says you can’t have a radio show – this case is about truth in advertising and not committing fraud. Supplying misleading information is clearly not in the best interest of clients,” Mrazik says.
