Robinhood Data Breach Impacted Millions of Users — Here's How the Extortion Attempt Affects You
A hacker exposed personal information for millions of Robinhood users.
Popular stock trading app Robinhood recently experienced a security breach that exposed the personal information of millions of users. While most Robinhood users—and their investments—are safe, there are still important steps you should take to keep your accounts and personal data secure.
What was stolen in the Robinhood security breach?
SEC Must Step Up Cybersecurity Rules for B-Ds, RIAs: Commissioner
The Securities and Exchange Commission’s current rules relating to cybersecurity need to be enhanced with a new one specifically addressing reporting of cybersecurity breaches by registered investment advisors and broker-dealers, according to one of its commissioners.
The SEC has some general rules relating to cybersecurity already in place, Commissioner Elad Roisman, a Republican appointee, said in prepared remarks for his speech at the Los Angeles County Bar Association last week. The Safeguards Rule, implemented in 2000, for example, requires broker-dealers to implement policies and procedures to protect client records and ensure confidentiality of customer information as well as protect against unauthorized access, he said. The SEC also adopted a rule in 2013 requiring certain SEC-regulated entities to have policies and procedures aimed at preventing identity theft, according to Roisman.
Does your cybersecurity risk profile pass the test?
Earlier this year, Utah joined Ohio to become the second state to enact legislation creating an affirmative defense to certain causes of action arising out of a cybersecurity breach. Though not identical, both Utah’s Cybersecurity Affirmative Defense Act (“CADA”) and Ohio’s Data Protection Act (“ODPA”) primarily underscore the importance for organizations to be proactive in assessing their cybersecurity risk landscape and to then adequately address those risks. What makes these two new laws unique is that the affirmative defenses apply across all U.S. jurisdictions and give organizations an opportunity to mitigate against breach-related litigation, including class actions, unless and until a court decides otherwise. To benefit, organizations should ensure they (1) comply with the law and (2) update the choice of law clause in their website terms and conditions.
RIA Experiences the Horror of Failure to Supervise Remote IARs
Registered investment advisers that rely on independent investment adviser representatives (IARs), operating their own offices, face unique supervision challenges. The SEC’s administrative action against Horter Investment Management, LLC (“Horter”) and its principal illustrates the worst-case scenario. The firm, based in Cincinnati, primarily hired IARs with remote offices.
Cybersecurity Awareness Month: Tips On Practicing Basic Cyber Hygiene
In our first article to kick off Cybersecurity Awareness Month, we will discuss some steps businesses can take to improve their cyber hygiene. Over the past few years, some of the largest and best-known companies have been affected by data breaches resulting in millions of dollars in losses. Smaller businesses are not immune from data breaches, and even a small data breach impacting only a few thousand records can expose a business to significant losses and reputational damage that may have a devastating impact on its ability to function. Various attack methods can be used against businesses to obtain sensitive data or access funds through fraud. Some common attack methods are compromised credentials, social engineering attacks such as phishing, vishing, and smishing, business email compromise scams, ransomware, and vulnerabilities in third-party software. While no business can expect to be 100% safe, here are some basic practices businesses can implement to improve their cyber hygiene.
Incentivizing Cybersecurity Practices - State Safe Harbors or Affirmative Defenses that Shield Companies from Liability
Overall, it is likely that states will continue to emphasize the importance of cybersecurity programs. Some laws could encourage stronger cybersecurity by providing an affirmative defense. Others could mandate certain cybersecurity practices without affording an explicit affirmative defense. No matter the specifics of a statute or even in the absence of a statute, companies will be well-served to implement an industry-recognized cybersecurity framework. Not only will the frameworks likely reduce the frequency or severity of data breaches, but they may also improve a company’s defense against alleged liability in the event a data breach does occur.
Hold the punitive damages: Connecticut is latest to incentivize implementing cybersecurity frameworks
Connecticut’s new cybersecurity standards law, which goes into effect on October 1, 2021, protects companies from punitive damages in certain data breach actions where an organization has a cybersecurity program that conforms with an enumerated “industry-recognized cybersecurity framework.” It is the latest in a series of U.S. state efforts to incentivize companies to demonstrate that their cybersecurity programs are aligned with recognized frameworks and thus meet a reasonable standard of care.
So You've Vetted Your Tech Vendor. Do it Again. And Again
It’s not enough to vet third-party technology providers when bringing them onboard because the due diligence evaluation should be ongoing, according to Ben Mathis, chief information officer at Carson Group.
ADVISOR ARMOR COVERAGE INCLUDES UNLIMITED THIRD PARTY CYBERSECURITY VETTING & MONITORING
Financial Industry Regulators Continue Crack Down on Cybersecurity
On multiple fronts, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) continue to increase their focus on cybersecurity. This is understandable as headlines of recent data breaches and ransomware attacks are in the news almost daily. This alert will highlight several of the actions taken by these regulators and proactive measures that financial services companies can implement to avoid the regulatory scrutiny that may follow from a cyber incident.
Three US state laws are providing safe harbor against breaches
Laws passed in Ohio, Utah and Connecticut are redefining the idea of reasonable cyber security controls across the US, writes global cyber security thought leader and CS Hub Advisory Board member Kayne McGladrey, CISSP.