SEC Cyber Violations a 'Guessing Game,' say Observers

#Lifestyle Wealth

Shop Related Information

The Securities and Exchange Commission argued this week that a number of large firms had faulty cybersecurity policies and procedures in place, resulting in the breach of clients’ personal information. But a number of industry legal observers say the commission should be clearer about what it requires in the first place.

The commissions’ actions emphasized the implementation of multifactor authentication (MFA) for email communications for employees and contractors. MFA is the “second-step” required to log in to emails or accounts, often requiring a code sent to a mobile phone or other device. According to some securities attorneys, while Regulation S-P, the commission’s data privacy rules, may not specifically require MFA, it turns out firms should nevertheless ensure they have it and that employees comply with it or risk being slapped with similar sanctions and monetary fines by the commission.

“Obviously, past SEC enforcement actions in this area have emphasized the importance of cybersecurity policies needing to be implemented and followed,” A. Valerie Mirko, a partner with Baker McKenzie, said in an interview with “The SEC did not specifically say that Reg S-P mandates MFA in all cases, but it’s making it really clear with these orders that firms should have MFA in place, particularly once a firm is on notice that there may have been email account takeovers.”

The SEC’s actions targeted a number of advisory and brokerage firms under Cetera, Cambridge Investment Research and KMS Financial Services, a former Ladenburg Thalman firm that was eventually folded into Securities America, a b/d under Advisor Group.

According to the commission, the eight firms failed to have proper cyber policies and procedures in place (and in many cases, failed to implement those they did have), which left them vulnerable to attacks from unauthorized third parties in which company emails were taken over, exposing thousands of clients’ personally identifiable information.

The complaint stated, in many cases, employees did not have MFA turned on for their email accounts, even though MFA was spelled out in the firms’ written cyber policies.

Would these firms have escaped the commission’s judgement and monetary fines if they simply had not had MFA policies spelled out in their own documents in the first place? It’s not clear. Regulation S-P requires firms have policies and procedures “reasonably designed” to protect client information.

The ambiguity of that phrase leaves a wide window open for interpretation. Max Schatzow, an attorney at the law firm Stark & Stark, said the commission’s cyber orders this week were frustrating, arguing that the SEC hasn’t supplied adequate guidance on what is reasonable (he also believed the SEC was “throwing a rock at a glass house,” as it’s previously been the victim of its own breaches of data).

“Data security is just a really difficult subject area; it’s really hard to be perfect and advisors across the country and world struggle with it,” Schatzow said. “I think everyone has good intentions and is trying to do their best, but there should be a more collaborative effort to protect Americans’ public data. I don’t think investment advisors should be the scapegoat for that.”

Even if security measures like multi-factor authentication are properly implemented, the industry’s main challenge is contending against risks many aren’t aware of yet, given the evolving tactics of hackers and cyber-criminals, according to Susan Schroeder, a partner and vice chair of the Securities and Financial Services Department at the law firm WilmerHale (and a former head of enforcement for FINRA). Firm policies have to continuously evolve, because no matter how vigilant the firm may be, there will always be innovation from “bad actors” seeking to exploit weaknesses.

“We’re always going to look in the rearview mirror (and say) that people should have known that could have happened,” Schroeder said. “The industry’s trying to manage risk it can’t name right now.”

To Schatzow, the SEC’s actions show that if firms and independent contractors are using email in containing non-public information with clients, multi-factor authentication remains the easiest and most cost-efficient measure for protection. While he didn’t expect the SEC to pursue similar cyber-related enforcement actions against smaller firms immediately, he hopes commission staff release guidance on what they deemed to be ‘reasonable,’ including appropriate funding expenditures for IT work and best practices.

“Just tell us what you want and we’ll try to deliver. If we can’t, then at least we’re making informed decisions,” he said. “But until then, it’s kind of a guessing game.”

To Find More Information, Go To Saubio Digital And Look Up Any Topic

Please follow and like us: Share This Post

Take a look at our comprehensive guide to the best and most popular information ebooks and products available today on Detoxing, Colon Cleansing, Weight Loss and Dating and Romance. They are all in one spot, easy to find and compere to make a quick selection for the product that best fits your needs or wants.

So browse through a category and make your  preferred selection and come back here to read  more choice articles and get a few more helpful tips on ways to help your enhancement.

Detoxing Reviews

Best Body Detoxification Guides & reviews

Colon Cleanse Reviews

Best Colon Cleanse Guides & Reviews

Weight Loss Ebook Reviews

Weight loss products really work! Click here

Dating and Romance Ebook Reviews

Looking for Dating Guides? Click here

Free Traffic System - Increase Targeted Website Traffic with Free Unlimited One Way Links

As an Amazon Associate I earn from qualifying purchases. “ is a participant in third party affiliate and advertising programs; The Amazon Services LLC Associates Program, Awin network, and other affiliate advertising programs are designed to provide a means for sites to earn advertising fees and commissions by advertising and linking to products on other sites and on Amazon and the Amazon logo are trademarks of, Inc, or its affiliates.”

Leave a Reply

Your email address will not be published.

Saubio's Recommended Products