Navigating the New Cybersecurity Rules: What Companies Need to Know

Public companies must report their cybersecurity risk management, governance and strategy on their annual filings for fiscal years ending on or after Dec. 15, 2023, to comply with the recently imposed Securities and Exchange Commission (SEC) rules.

In the U.S., almost all publicly traded companies with a focus on consumers and a large number of financial services corporations have experience in cybersecurity. This results from cybersecurity regulations being implemented by various federal agencies and all states. Specifically, the Safeguards Rule in Gramm-Leach-Bliley (GLB) requires the following types of  financial institutions to address cybersecurity to establish extensive measures:

 

  • Banks
  • Savings and loans
  • Insurance companies
  • Broker-dealers
  • Investment advisers

The SEC implemented a prior set of disclosure rules for reporting firms to give investors the necessary data to evaluate the impact of a cyberattack. Further, many other registered firms have enacted cyber procedures on their own initiative, based on responsible legal guidance.

As a result, following the introduction of the new law, financial services firms, consumer-oriented reporting firms and businesses that have independently implemented cyber policies shouldn’t have any significant implementation issues. However, those that haven’t will have a considerable undertaking to address these new requirements. Therefore, the 10K revisions will have an extensive impact on these companies.

The rule’s provisions will likely sanction those failing to comply with the change. This could involve letters of caution, fines and suspension.

 

Navigate the Cybersecurity Requirements by Taking Steps

Here are some steps to help your company navigate the new cybersecurity requirements:

Ensure a written information security policy (WISP) is in place. This creates a framework for cyber management and typically calls for creating and upkeeping a risk assessment manual and a written asset inventory.

The WISP also includes procedures addressing access controls, identity and access management, entitlement transparency, and other important topics listed below:

 

Access to Entitlement Transparency

Human Resources (HR) should be able to provide immediate access to your company’s entitlement transparency structure, including a complete listing of access by each employee to the firm’s system from initial employment to departure.

Upon employee advancement or transfer, the employee’s new superior, HR and an appropriate senior techie should reassess the employee’s access. This should be an established firm procedure and not a one-off. If an employee has been reprimanded in any way or has a questionable employment history, this should be maintained in their file.

 

Departure/Termination Procedures

Creating definitive procedures that can be immediately implemented upon termination plays a significant role in your company’s cybersecurity. These procedures should include immediate notification company-wide of an announced departure, especially if it’s a termination for cause.

Upon notification of an employee’s departure, immediately implement access restrictions. Upon departure, execute an immediate and complete access shutdown. It’s important to understand that current employee’s access to a former employee’s HR files is often a critical factor in illegal intrusions into the firm’s systems. In all of this, consider when a current or former employee is involved in a breach and what you would want to know about him/her to evaluate the situation properly.

 

Password Protection Policy

A strong password protection policy is mandatory for access security and should incorporate a requirement for multi-factor verification, including a user code and a password. The password should have eight alphanumeric characters with at least one symbol, should be changed every 90 days and not repeated for at least six months. Three errors in an attempted entry should suspend use for at least an hour and be reported to IT.


Data Loss Protection

One of WISP’s primary functions is to ensure that your company’s designated information requiring security is adequately protected in accordance with its degree of risk.

This review should be based on:

 

  • Guidance from National Institute of Standards and Technology (NIST) releases and guidelines
  • Relevant industry guidelines
  • Operational manuals
  • Data maps
  • Audits (internal and external)
  • Testing (internal and external)
  • Other appropriate mechanisms

 

Finally, determine if the company’s personal identifiable information (PII) and other designated data are being properly identified, maintained and protected within the firm’s systems.

 

Security Devices and Review

To accomplish compliant, sophisticated protection, the company should employ technology such as encryption, firewalls, intrusion detection and protection systems, as well as monitoring and auditing devices. One approach is to institute a defense-in-depth strategy using the devices above layered within the firm’s systems. This review’s determination is vital to your company and should be documented and maintained in the WISP Manual.

After an incident, the entire team should conduct follow-up reviews to make recommendations for corrective and remedial action, and it should then oversee and approve this action.

 

Training

In conjunction with legal, IT and outside IT forensic vendors, your company should develop cybersecurity training programs, including mock and tabletop sessions. Develop and provide regular cybersecurity awareness training for all personnel and regularly update this to reflect current risks.

The chief compliance officer (CCO), in conjunction with the chief information security officer (CISO), should conduct follow-up reviews. To establish an effective training program, they should work with legal and IT and outside legal and IT advisers.

Training should also discuss the appropriate handling of customer’s requests for username and password changes, wire transfers and identity verification—particularly those involving large money transfers to an overseas location or third parties. This should include sound practices regarding opening e-mail attachments and links, including using simulated phishing campaigns where the firm identifies and retests employees who failed the exercise.

 

Vendor Selection and Management

Vendors play an essential role in a company’s business and, as a result, have a significant involvement in cybersecurity. Vendors and employees are two major risk factors in cybersecurity breaches.

As such, have an established due diligence process for the selection of vendors, which should focus on cybersecurity awareness. As a part of your cybersecurity program, develop a strong vendor management plan. Finally, ensure all vendor contracts contain pertinent provisions and employ regular oversight practices.

 

Cyber-Insurance

Check your existing policies for their cyber insurance coverage. If appropriate, discuss with your insurer to address any areas requiring additional coverage. You don’t necessarily need to obtain a separate cybersecurity policy if you have proper coverage otherwise. Also, the employment of a WISP can significantly assist a firm in evaluating the need for and securing appropriate insurance.

 

Phishing

No U.S. business, small or large, can escape phishing attacks. These can result in the loss of substantial sums of money, often in six and seven figures, and valuable, susceptible company information. As a result, phishing problems can be reduced through training and testing, which includes demonstrations of various attacks experienced by peer firms. Although there’s no easy solution, regular and informed testing and training can effectively address this problem.

 

Testing

Regular testing is required of all WISPs and involves internal testing by firms and independent outside vendors. Most testing aims to ensure that key controls, systems and procedures of a WISP meet established standards.

One of the most important types of testing is third-party penetration testing. Penetration testing is an essential element in any cybersecurity program. It simulates an internal or external attack on a company’s computer network to detect its vulnerabilities and evaluate your firewall system’s effectiveness.

In conjunction with legal, compliance and a trusted outside vendor, IT should develop cybersecurity training and testing programs, including mock and tabletop sessions. These tests should be administered periodically (annually, quarterly and when necessary) by capable internal or outside technology experts and can be invaluable to your cybersecurity program.

 

Incident Response Plan

Lastly, a major element of a WISP is its Incident Response Plan, which provides a procedural structure for your company to respond to a cybersecurity incident expeditiously. The plan should contain specific policies and procedures for responding to a cyber incident with specific provisions.

 

The plan should require the firm to establish an incident response team (IRT) responsible for addressing all cyber incidents. Depending on the company and the cyber incident, the IRT can comprise members from IT, compliance, legal, HR and other relevant departments. Each member should be a seasoned officer sophisticated in the firm’s technical systems and operations.

 

Partner with Legal Experts for Assistance

A law firm with a sophisticated cybersecurity group can assist with all the undertakings described above and do so expeditiously and cost-effectively. Pastore LLC has a sophisticated group of seasoned counsel who can direct the development and completion of a WISP and be crucial players in effectively advising on any cyber incident.

 

This article is intended for informational purposes and does not constitute legal advice.

 

(Jack Hewitt is a securities lawyer and focuses on securities litigation and regulatory advice and counsel to broker-dealers, investment banks and investment advisers. His work involves virtually every aspect of the federal and state securities laws, including equity, fixed income and derivatives trading, market manipulation, net capital, short-selling, suitability, record retention, insider trading, cybersecurity and registration issues.)

FINRA Fine and Suspension for Former CEO Dismissed

Pastore attorneys successfully represented the former CEO of a broker dealer in a regulatory dispute with FINRA. When Pastore was retained, FINRA was seeking a multi-month suspension, thousands of dollars in fines, and was days away from serving a complaint.  In the space of a few months, Pastore convinced FINRA to close the case without levying a dollar in fines or a single day of suspension.

Data-Centric Security Strategies and Regulatory Compliance

In the wake of a recent spate of cybersecurity breaches, the practice of data-centric security has received renewed attention from business leaders concerned about the integrity of critical data. As defined by a PKWare white paper, data-centric security focuses on protecting data itself, rather than the systems that contain it.1 Central to the concept of data-centric security is the notion that the systems established to store and guard data sometimes crumble in the face of cyberattacks.1 Given that all manner of data storage systems have shown themselves to be vulnerable, it is hard to argue with this foundational principle. Rather than offering prescriptions for the improvement of systems, then, data-centric security places safeguards around the data itself – safeguards which are automatically applied and regularly monitored to ensure data security.1

Data-centric security strategies have several key advantages over the “network-centric” models currently employed by many firms.2 As discussed, data-centric strategies account for the proclivity of security networks to succumb to cyberattacks by securing the data itself. In addition, because security measures are built into data, “security travels with the data while it’s at rest, in use, and in transit,” a characteristic of data-centric strategies that facilitates secure data sharing and allows firms to move data from system to system without having to account for inevitable variations in security infrastructure.3 Moreover, data-centric security allows for easy access to data (a cornerstone of productivity in any firm) without compromising data security. In fact, Format-Preserving Encryption (FPE) – the specific type of encryption employed by many data-centric strategies4 – “maintains data usability in its protected form,” striking a balance between security and accessibility.5 Clearly, data-centric strategies provide stronger, more all-encompassing, and eminently manageable modes of data protection.

But perhaps the most important aspect of data-centric security is its essential role in any security regime compliant with New York State cybersecurity regulations. In fact, as the data security company Vera has noted, “the new rules are focused not just on protecting information systems but on securing, auditing and the disposition of data itself.”6 New York’s determination to advance data-centric security is evident in certain provisions of the recent cybersecurity regulation, the most important of which mandate that companies “restrict access privileges not only to systems but to the data itself.”6 Moreover, New York State’s cybersecurity regulations reflect the priorities of data-centric security because they require firms to “implement an audit trail system to reconstruct transactions and log access privileges,” a system which allows the security of individual pieces of data to be monitored automatically.6 New York regulators have already recognized the benefits of data-centric security strategies. Now, with the assistance of legal experts well-versed in cybersecurity compliance, companies concerned about their data security can too.

____________________________________________________________________________________

  1. https://pkware.cachefly.net/webdocs/pkware_pdfs/us_pdfs/white_papers/WP_Data_Centric_Security_Blueprint.pdf
  2. https://www.symantec.com/blogs/expert-perspectives/data-centric-security-changing-landscape
  3. https://www.comforte.com/fileadmin/Collateral/comforte_FS_tokenization_vs_FPE_WEB.pdf?hsCtaTracking=8a3a11b3-5ba3-4e1a-a41f-78bb92d22458%7C358952c5-4dff-4793-bbeb-8835361c3b14
  4. https://www.1stmarkets.de/en/blog/blog-article-3
  5. https://www.techpowerusa.com/wp-content/uploads/2018/03/MicroFocus.Techpower-Big-Data-eBook-2018-9434.pdf
  6. https://www.vera.com/wp-content/uploads/2018/02/Veras-Guide-to-the-NY-DFS-Regulations.pdf

Cybersecurity Compliance Could Have Saved Capital One Millions

A recent cybersecurity breach involving one of the country’s largest financial services firms illustrates both the necessity of strong cybersecurity regulations and the imperative for credit card holders to jealousy safeguard their personal information. In a criminal complaint filed July 29th, 2019 at the U.S. District Court for the Western District of Washington, the federal government alleged that Paige A. Thompson, a computer engineer, had taken advantage of a gap in Capital One’s cloud security to obtain the personal financial records of millions of the company’s customers in the U.S. and abroad.1 Thompson, who used the online alias “erratic,” allegedly exploited a defect in Capital One’s firewall to access confidential financial information stored on the servers of the Cloud Computing Company, a Capital One service provider.1 Despite Capital One’s claim that “no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised,” the episode is a reminder that without robust cybersecurity measures and a broad-based commitment to personal data security, information stored with American financial institutions remains vulnerable to cyberattack.2 In fact, had Thompson been more careful to remain anonymous,3 the data breach could well have become catastrophic.

First, the data breach demonstrates the value of robust cybersecurity regulations. For example, if Capital One’s cybersecurity measures had met the stringent standards of the regulations issued by New York State’s Department of Financial Services that is now being enforced by the state’s new Cybersecurity Division, this problem may have been avoided. The DFS has committed itself to ensuring that “encryption and other robust security control measures” characterize the cybersecurity policies of the state’s financial services firms.5 Had Capital One encrypted or tokenized6 all of the data subject to the recent breach, it is possible that the effects of the cyberattack may have been less widespread. In fact, the criminal complaint against Thompson notes that “although some of the information” targeted by the cyberattack “has been tokenized or encrypted, other information[…]regarding their credit history has not been tokenized,” allowing “tens of millions” of credit card applications to be compromised.1 Of course, the cybersecurity regulations adopted by New York State are burdensome. But the alternative is even worse – especially considering that Capital One will “incur between $100 million and $150 million in costs related to the hack, including customer notifications, credit monitoring, tech costs and legal support,” a price tag that doubtless outstrips the costs of regulatory compliance.3

Pastore & Dailey is a leading firm in the drafting and implementation of procedures necessary to comply with federal and state securities and banking cybersecurity regulations and laws, which in this case could have saved Capital One millions if properly followed.

Second, the cyberattack bears out the importance of diligence in safeguarding financial information. According to Forbes, individuals worried about the security of their financial information can take a host of precautions: “[updating] passwords,” avoiding the use of e-mail accounts to share confidential information, “[establishing] two-factor authentication,” and so on.7 Cyberattacks like the one that recently struck Capital One have become a fact of life for many Americans who bank online, but they need not be costly. Common-sense precautions and security diligence can go a long way towards ensuring the integrity of your financial records.

New DFS Cybersecurity Division

Perhaps as a signal of its commitment to fight cybercrime and stringently enforce its cybersecurity regulations, New York State recently established a “cybersecurity division”1 within the state’s Department of Financial Services (DFS). The creation of the division marks yet another step taken by New York State to guard against the dangers posed by cyberattacks, perhaps motivated by its status as the home of many prominent financial services firms. In addition, the presence of the division strongly suggests that the cybersecurity regulation2 issued by DFS in Spring 2017 [WB1] cannot be taken lightly by the state’s largest and most important financial services firms. Aside from the comprehensive nature of the regulation and the sizable power afforded to the new cybersecurity division, the novelty of New York’s recent innovations in cybersecurity regulation suggests their importance and staying power. In fact, as JDSupra notes, the creation of the new division more or less completed a years long process that has made “New York[…]the only state in the country that has a banking and insurance regulator exclusively designated to protect consumers and companies from the ever-increasing risk of cyber threats.”1

Some financial services firms, conscious of their vulnerability to cyberattacks, will doubtless welcome these additional steps. As a report from the Identity Theft Resource Center notes, financial services firms “are reportedly hit by security incidents a staggering 300 times more frequently than businesses in other industries.”3 Far from being mere annoyances, these cyberattacks are often extremely costly. In fact, according to a study from IBM and the Ponemon Institute, the cost to a financial services firm per record lost in a cyberattack was more than $100 greater than the cost to the average company.4 Moreover, cyberattacks can also cripple consumer confidence in financial services firms, causing them to lose business and endure even greater costs.5 In general, then, cyberattacks can damage both a financial services firm’s sensitive records and its public image, making them a grave threat to any such company’s bottom line.

It would be a mistake, however, to think about DFS regulation purely in terms of cost reduction. Regulation also entails costs – not least because compliance with the 2017 regulation can be investigated and punished by DFS’ new cybersecurity division. In fact, these new developments indicate that cybersecurity will not come cheaply, especially because the regulation imposes a bevy of new security requirements on top firms, costing them a not insignificant amount of time and money. From multi-factor authentication to training programs to the appointment of a “Chief Information Security Officer,” the now fully enforceable regulation will force financial services firms to foot the bill for a host of cybersecurity measures.6

  1. https://www.jdsupra.com/legalnews/new-york-creates-cybersecurity-division-20881/
  2. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf
  3. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 3
  4. IBM and the Ponemon Institute, The Cost of a Data Breach (2017), summarized in https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 6
  5. https://www.idtheftcenter.org/wp-content/uploads/2019/02/ITRC_Generali_The-Impact-of-Cybersecurity-Incidents-on-Financial-Institutions-2018.pdf, pg. 8
  6. https://www.dfs.ny.gov/docs/legal/regulations/adoptions/dfsrf500txt.pdf, pg. 5

Technology Regulation in the Federal Securities Market

Pastore & Dailey LLC has an extensive RegTech practice, and Jack Hewitt, a P&D Partner, is one of the country’s authorities in this area.  In line with this, P&D is pleased to announce that Bloomberg BNA has just published Mr. Hewitt’s new treatise, Technology Regulation in the Federal Securities Markets.

The treatise is structured into three major segments – cybersecurity, the new market technologies and blockchain.  The cybersecurity segment provides a comprehensive review of all applicable federal and state regulations and guidelines while the market technology segment addresses, among others, the Cloud, robo-advisers and smart contracts.  The final segment, Blockchain, includes cryptocurrency, tokens and ICOs.  Mr. Hewitt, whose expertise extends to virtually all major business sectors, regularly reviews client cybersecurity and technology procedures and would be pleased to discuss performing one for your firm.

Please use the below link to view the Table of Contents and the chapters on Information Security Programs and ICOs of the new treatise.

https://s3.amazonaws.com/pdlaw-cdn.sitesdoneright.net/userfiles/WebSample.pdf

Cryptocurrency Technology Is Driving Innovation

Interest in cryptocurrency and its underlying technology has steadily rose over the past several years. The final week of 2017 alone saw the debut of over a dozen new cryptocurrencies within the market. Moreover, Bitcoin’s explosive increase in value in 2017 from $1,000 to almost $20,000 has made “Bitcoin” and “cryptocurrency” household terms.[1] The accelerating rate of creation of new currencies and the fluctuation in value of various existing currencies have provided investors with substantial profit opportunities. Unsurprisingly, the financial services industry is making significant investments in the underlying block-chain technology. From individual programmers to large fintech firms, there is a race to secure the intellectual property rights for all aspects of block-chain and cryptocurrency technology.

Financial Services

The block-chain technology functions to increase security and decrease inefficiencies regarding cyber transactions. The software accomplishes this by securely hosting a transaction between two individuals without the requirement of a third party to transfer and record the exchange of funds (i.e. banks, credit card companies, etc.). The transactions are then publicly memorialized in a distributed ledger as a link in the chain’s archive. At its core, the block-chain model is a peer-to-peer system; because of this, the software has the potential to revolutionize the financial services industry by reducing the number of parties required to send and receive payments. This decentralized model is one of the characteristics that makes block-chain unique, and financial firms have recognized the tremendous value of the software.

As the value of the block-chain model became more apparent, the United States Patent and Trademark Office (“USPTO”) was flooded with new patent applications concerning block-chain and cryptocurrencies. At the end of 2017, Bank of America, Mastercard, Paypal and Capital One were leading the field in research and development, and represented the top four patent holding entities in the realm of block-chain and cryptocurrencies.[2] The primary technological focus of these top four firms has been financial forecasting, digital data processing and transmission of secure digital data.[3] In fact, Bank of America was recently issued its latest patent from the USPTO, which outlined a cryptocurrency exchange system that would seamlessly convert one digital currency to another.[4] It may be no coincidence that the top four firms leading research and development on block-chain are those that stand to lose the most from the elimination of third-parties in cyber transactions. It is important, at this point in block-chain’s development, that such firms secure a position on the new playing field if cryptocurrency does displace traditional transaction models.

Internet Data Usage

The sprint to secure intellectual property rights does not, however, solely focus on the current block-chain technology; firms are also looking ahead on how to improve the software and how to benefit from future developments and applications. Several firms are focusing specifically on the distributed ledger aspect of block-chain in order to create a personal virtual identity for each of the software’s users.[5] This concept has significant potential to allow individuals to begin to profit off of their personal data. Currently, websites such as Google, Amazon and Facebook track individual’s internet usage and gain considerable value from their personal data with little to no benefit to the user. The creation of an online avatar that hoards this data in a ledger, and makes it available only with the user’s permission, could bring significance to an individual’s internet browsing data. Users could begin to charge companies a fee to gain limited access to this information, even in miniscule amounts. Cryptocurrency effortlessly weaves itself into the system because currencies like Bitcoin are divisible to the hundredth of a millionth degree. This divisibility makes it possible for you to extract value from as little as 0.00000001 of a Bitcoin for a company to see that you have been looking at Volkswagens on Craigslist all afternoon.

This virtual identity system may not be too far off. In 2017, the state of Illinois launched a block-chain pilot for the digitization of personal data, such as birth certificates.[6] The system has the potential to be the framework for the digital identities discussed above, and could further establish an extraordinarily convenient method of sharing verified personal documents.[7] Although this system immediately raises the question of cybersecurity in the minds of most, block-chain technology is, in fact, vastly more secure than our current systems.[8]

Cyber Security

In 2017, Equifax saw one of the largest cyber security breaches in history. The current method of storing millions of individuals’ personal data is piling it together on the same system, which is then encrypted and secured. The issue, as illustrated by Equifax, is that once the security mechanisms are breached, the cyber burglar then has access to the entirety of the stored data.[9] Block-chain, however, stores each individual’s data separately in its own encrypted and secured space. If a hacker wished to steal data from a block-chain, they would be required to decrypt each of the individual’s data separately; in the case of Equifax, the hacker(s) would have been required to bypass 140,000,000 encryptions.[10] For this reason, cyber security firms are becoming increasingly involved in block-chain technology as well.

Mobile Applications

The cyber security and financial services industries are not the only industries honing in on the cryptocurrency craze. It is also worth mentioning the flood of new applications from the mobile software market. The rapid origination rate of mobile applications, no matter how redundant or superfluous they may seem, is compelling United States intellectual property filings. Cryptocurrency mobile applications can provide a wide range of services for their users: market information through applications such as zTrader, Bitcoin Checker and Bitcoin Price IQ; portfolio services through Cryptonator, CoinDex and Mycelium; and trading platforms through Coinbase, CEX.IO and CoinCap. More significantly, many of the most popular websites which provide mobile application support are beginning to accept cryptocurrency as a payment method. Notably, online retailer Overstock.com, online dating service OkCupid.com, electronics retailer Newegg.com, and travel booking agency Expedia.com are among the firms now accepting bitcoin as payment for their services.[11] Cryptocurrency also has the potential to transform the mobile gaming industry.

A dimension of mobile applications which has received a lot of negative publicity over the past few years is predatory in-app purchases. Many mobile gaming applications, which are typically marketed to children and teenagers, are free to download and play, but incentivize frequent micro-transactions from the user. These aptly dubbed “freemium” games result in cases of young users racking up a bill in the range of several hundreds of dollars, to their parent’s surprise. In fact, many applications offer purchases of in-game currencies up to $99 per transaction. This model may change, for better or for worse, with the rise of cryptocurrency. As discussed above, the Bitcoin is divisible to the hundredth of a millionth degree. The mobile gaming industry could see a transition from incentivizing young players to make frequent large transactions, to mobile games charging a fraction of a Bitcoin per minute (or second) of game time. The application would likely request access to your Bitcoin wallet and simply deduct fragments of a Bitcoin for as long as the game remains active. Whether this will be a welcome change is to be determined.

Conclusion

Cryptocurrency and block-chain technology are causing us to rethink our current financial and cyber-social systems. The characteristics that make block-chain unique—the decentralized model, distributed ledger, individual security, sense of virtual identity—are quickly being applied in new and innovative ways. The result is a surge in new intellectual property from forward thinking firms as we move into what may be an important technological shift for many of our country’s industries.

____________________________________________________________________________________

[1] Coindesk, Bitcoin (USD) Price, Coindesk (last visited Jan. 2, 2018) https://www.coindesk.com/price/.

[2] Jay Sharma, How Bitcoin Became a Game Changer Overnight, IPWatchdog (Dec. 4, 2017), http://www.ipwatchdog.com/2017/12/04/bitcoin-game-changer-overnight/id=90519/.

[3] Id.

[4] Nikhilesh De, Bank of America Wins Patent for Crypto Exchange System (Dec. 7, 2017, 3:00 UTC), https://www.coindesk.com/bank-of-america-outlines-cryptocurrency-exchange-system-in-patent-award/; the Bank of America patent granted by the USPTO is identified by United States Patent No. 9,936,790.

[5] Michael Mainelli, Blockchain Could Help Us Reclaim Control of Our Personal Data, Harvard Business Review (Oct. 5, 2017), https://hbr.org/2017/10/smart-ledgers-can-help-us-reclaim-control-of-our-personal-data.

[6] Michael del Castillo, Illinois Launches Blockchain Pilor to Digitize Birth Certificates, Coindesk (Aug. 31, 2017, 23:00 UTC), https://www.coindesk.com/illinois-launches-blockchain-pilot-digitize-birth-certificates/.

[7] Id.

[8] See Mainelli, supra note 5.

[9] See Mainelli, supra note 5.

[10] Id.

[11] Mariam Nishanian, 8 surprising places where you can pay with bicoin, Business Insider (Oct. 11, 2017 6:00 PM), http://www.businessinsider.com/bitcoin-price-8-surprising-places-where-you-can-use-2017-10/#expediacom-1.

SEC Proposes Regulation Best Interest for Brokers

On April 18, 2018, the SEC proposed “Regulation Best Interest,” which is the latest in a long and disputed line of proposed attempts by various governmental bodies to homogenize the duties owed by brokers and investment advisers to their respective clients. Professionals in the financial services industry and others should take note that they have until approximately July 23, 2018i to file a public comment on the proposed SEC rule, and investors should take this opportunity to educate themselves on the current differences between “brokers” and “investment advisers,” including the different standard of care that each owe their clients.

BACKGROUND

For decades, customers of the financial services industry have been confused by (if not outright unaware of) the different “standards of care” that their “brokers” and “investment advisers” have owed them.

On the one hand, “[a]n investment adviser is a fiduciary whose duty is to serve the best interests of its clients, including an obligation not to subordinate clients’ interests to its own. Included in the fiduciary standard are the duties of loyalty and care.”ii Investment advisers typically charge for their services via an annual fee assessed as a percentage of the “assets under management” (the so-called “AUM”) that the investment adviser “manages” for the client. The primary regulator of an investment adviser is either the SEC (usually for relatively larger investment advisers – i.e., those managing more than $100 million AUM) or a state securities commission (usually for relatively smaller investment advisers – i.e., those managing less than $100 million AUM).

On the other hand, brokers “generally must become members of FINRA” and are merely required to “deal fairly with their customers.”iii  FINRA Rule 2111 requires, in part, that a broker “must have a reasonable basis to believe that a recommended transaction or investment strategy involving a security or securities is suitable for the customer, based on the information obtained through the reasonable diligence of the [broker] to ascertain the customer’s investment profile” (the “suitability” standard).iv  Rather than a percentage of AUM, brokers’ compensation is typically derived from commissions they charge on each of the trades they execute for their clients. FINRA, a non-governmental organization, is the primary regulator for almost all brokers in the U.S.

At first blush, a layman retail client could easily be excused for struggling to understand the difference between the requirements of an investment adviser to “serve the best interests of its clients” and those of a broker to “deal fairly with their clients.” This confusion is exacerbated when a broker is also registered as an investment adviser, thus clouding what “hat” the advisor is wearing when dealing with a client.

Tortured Regulatory History

Regulator concern about this confusion has existed for decades.  In 2004, the SEC retained consultants to conduct focus group testing to ascertain, in part, how investors differentiate the roles, legal obligations, and  compensation between investment advisers and broker-dealers. The results were striking:

In general, [the focus] groups did not understand that the roles and legal obligations of investment advisers and broker-dealers were different. In particular, they were confused by the different titles (e.g., financial planner, financial advisor, financial consultant, broker-dealer, and investment adviser), and did not understand terms such as “fiduciary.”v

In 2006, the SEC engaged RAND to conduct a large-scale survey on household investment behavior, including whether investors understood the duties and obligations owed by investment advisers and broker-dealers to each of their clients. First, it should be noted, “RAND concluded that it was difficult for it to identify the business practices of investment advisers and broker-dealers with any certainty.”vi  Second, RAND surveyed 654 households (two-thirds of which were considered “experienced”) and conducted six focus groups, and reported that such participants –

…could not identify correctly the legal duties owed to investors with respect to the services and functions investment advisers and brokers performed. The primary view of investors was that the financial professional – regardless of whether the person was an investment adviser or a broker-dealer – was acting in the investor’s best interest.vii

In 2010, the Dodd-Frank Act mandated the SEC to conduct a study to evaluate, among other things, “Whether there are legal or regulatory gaps, shortcomings, or overlaps in legal or regulatory standards in the protection of retail customers relating to the standards of care for providing personalized investment advice about securities to retail customers that should be addressed by rule or statute,” and to consider ”whether retail customers understand or are confused by the differences in the standards of care that apply to broker-dealers and investment advisers.”viii A conclusion of that study was as follows:

[T]he Staff recommends the consideration of rulemakings that would apply expressly and uniformly to both broker-dealers and investment advisers, when providing personalized investment advice about securities to retail customers, a fiduciary standard no less stringent than currently applied to investment advisers under Advisers Act Sections 206(1) and (2).

In 2013, the SEC issued a “request for information” on the subject of a  potential “uniform fiduciary standard,”ix but never promulgated a rule after receiving more than 250 comment letters from “industry groups, individual market participants, and other interested persons[….]”x

Finally, on April 8, 2016, the U.S. Department of Labor adopted a new, expanded definition of “fiduciary” to include those who provide investment advice or recommendations for a fee or other compensation with respect to assets of an ERISA plan or IRA (in other words, certain “brokers”) (the “DOL Fiduciary Rule”). Many brokerage firms and others (such as insurance companies) made operational and licensing adjustments to prepare for the DOL Fiduciary Rule while various lawsuits were filed in attempts to invalidate the controversial rule. Most recently, the United States Court of Appeals for the Fifth Circuit vacated the DOL Fiduciary Rule on March 15, 2018.xi

“Suitability” Standard vs. “Fiduciary” Standard

The “suitability” standard of a broker is a far cry from the “fiduciary” standard of an investment adviser.  As the SEC has stated, “Like many principal-agent relationships, the relationship between a broker-dealer and an investor has inherent conflicts of interest, which may provide an incentive to a broker-dealer to seek to maximize its compensation at the expense of the investor it is advising.”xii  Put more bluntly, “there is no specific obligation under the Exchange Act that broker-dealers make recommendations that are in their customers’ best interest.”xiii

FINRA (including under its former name, NASD) has certainly striven to close that gap via its own interpretations and disciplinary proceedings, and has succeeded to a point.  Specifically, a number of SEC administrative rulings have confirmed FINRA’s interpretation of FINRA’s suitability rule as requiring a broker-dealer to make recommendations that are “consistent with his customers’ best interests” or are not “clearly contrary to the best interest of the customer.”xiv However, the SEC has highlighted that these interpretations are “not explicit requirement[s] of FINRA’s suitability rule.”xv

This lower duty of care for brokers (as opposed to investment advisers, who have a fiduciary duty) has had and continues to have purportedly large and definitive financial consequences for retail investors:

Conflicted advice causes substantial harm to investors. Just looking at retirement savers, SaveOurRetirement.com estimates that investors lose between $57 million and $117 million every day due to conflicted investment advice, amounting to at least $21 billion annually.xvi

A 2015 report from the White House Council of Economic Advisers (CEA) estimated that –

[…]conflicts of interests cost middle-class families who receive conflicted advice huge amounts of their hard-earned savings. It finds conflicts likely lead, on average, to:

  • 1 percentage point lower annual returns on retirement savings.
  • $17 billion of losses every year for working and middle class families.
SEC”S NEWLY-PROPOSED “REGULATION BEST INTEREST”

Despite the controversy over the DOL Fiduciary Rule and its recent, apparent defeat, the SEC has been working under the guidance of Chairman Jay Clayton since 2017 to finally rectify the confusion among investors as to the different standards of care applicable to brokers versus investment advisers.xvii

The latest development in that regard has been the proposal by the SEC of “Regulation Best Interest” (“Reg. BI”) on April 18, 2018.xviii  The proposed rule is significant in its proposed breadth. Subparagraph (a)(1) of the proposed rule would provide as follows:

A broker, dealer, or a natural person who is an associated person of a broker or dealer, when making a recommendation of any securities transaction or investment strategy involving securities to a retail customer, shall act in the best interest of the retail customer at the time the recommendation is made, without placing the financial or other interest of the broker, dealer, or natural person who is an associated person of a broker or dealer making the recommendation ahead of the interest of the retail customer.xix

This is a sea change in the duty of care owed by brokers to their retail clients, as it would effectively enhance a broker’s duty of care to approximate that of an investment adviser’s (at least in regard to retail clients).xx

To satisfy the “best interest” obligation in subparagraph (a)(1), subparagraph (a)(2) of Reg. BI would impose four component requirements: a Disclosure Obligation, a Care Obligation, and two Conflict of Interest Obligations.xxi

For the “Disclosure Obligation,” subparagraph (a)(2)(i) of Reg. BI would require the broker to –

reasonably disclose[] to the retail customer, in writing, the material facts relating to the scope and terms of the relationship with the retail customer, including all material conflicts of interest that are associated with the recommendation.xxii

For the “Care Obligation,” subparagraph (a)(2)(ii) of Reg. BI would require the broker to “exercise[] reasonable diligence, care, skill, and prudence to” do the following:

(A) Understand the potential risks and rewards associated with the recommendation, and have a reasonable basis to believe that the recommendation could be in the best interest of at least some retail customers;

(B) Have a reasonable basis to believe that the recommendation is in the best interest of a particular retail customer based on that retail customer’s investment profile and the potential risks and rewards associated with the recommendation; and

(C) Have a reasonable basis to believe that a series of recommended transactions, even if in the retail customer’s best interest when viewed in isolation, is not excessive and is in the retail customer’s best interest when taken together in light of the retail customer’s investment profile.xxiii

Finally, for the two “Conflict of Interest Obligations,” subparagraph (a)(2)(iii) of Reg. BI would require the following:

(A) The broker or dealer establishes, maintains, and enforces written policies and procedures reasonably designed to identify and at a minimum disclose, or eliminate, all material conflicts of interest that are associated with such recommendations.

(B) The broker or dealer establishes, maintains, and enforces written policies and procedures reasonably designed to identify and disclose and mitigate, or eliminate, material conflicts of interest arising from financial incentives associated with such recommendations.xxiv

Furthermore, Reg. BI would expand the SEC’s records requirement rules (i.e., Rules 17a-3 and 17a-4) to  provide that “[f]or each retail customer to whom a recommendation of any securities transaction or investment strategy involving securities is or will be provided,” a broker obtain and maintain for six years “[a] record of all information collected from and provided to the retail customer pursuant to [Reg. BI].”xxv

CONCLUSION

The SEC’s proposed “Regulation Best Interest” is a significant proposal that could have far-reaching impact across the securities brokerage and other segments of the financial services industries. Whether this latest regulatory effort to establish a more consistent standard of care for brokers and investment advisers will succeed is unknown, but the proposed rule is certainly an aggressive step in that regard.

All those interested will have until approximately July 23, 2018 to file a public comment on the proposed rule. Meanwhile, investors should take this opportunity to educate themselves on the current differences between “brokers” and “investment advisers,” including the different standard of care that each owe their clients.

ENDNOTES

i   The specific date will be established once the proposed rule is published in the Federal Register.

ii   Staff of the U.S. Securities and Exchange Commission, Study on Investment Advisers and Broker-Dealers As Required by Section 913 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Jan. 2011) (“Study”), at iii, available at www.sec.gov/news/studies/2011/913studyfinal.pdf.

iii  Study at iv.

iv  FINRA Rule 2111(a), available at http://finra.complinet.com/en/display/display.html?rbid=2403&record_id=15663&element_id=9859&highlight=2111#r15663, as of April 23, 2018.

v   Study at 96.

vi  Study at 97.

vii Study at 98.

viii Study at i.

ix  See Request for Data and Other Information: Duties of Brokers, Dealers and Investment Advisers, Exchange Act Release No. 69013 (Mar. 1, 2013), available at http://www.sec.gov/rules/other/2013/34-69013.pdf.

x   Regulation Best Interest, Exchange Act Release No. 34-83062 (April 18, 2018) (“Reg. BI Proposal”), at 20, available at https://www.sec.gov/rules/proposed/2018/34-83062.pdf.

xi  Reg. BI Proposal at 27.

xii     Reg. BI Proposal at 7.

xiii Reg. BI Proposal at 8.

xiv Reg. BI Proposal at 14, fn. 15.

xv Reg. BI Proposal at 8, fn. 6.

xvi Reg. BI Proposal at 20, fn. 28, quoting Letter from Marnie C. Lambert, President, Public Investors Arbitration Bar Association (Aug. 11, 2017) (“PIABA Letter”).

xvii    Chairman Jay Clayton, Public Comments from Retail Investors and Other Interested Parties on Standards of Conduct for Investment Advisers and Broker-Dealers, Public Statement, June 1, 2017, available at https://www.sec.gov/news/public-statement/statement-chairman-clayton-2017-05-31.

xviii   See Reg. BI Proposal.

xix Reg. BI Proposal, at 404.

xx In a related SEC proposal regarding investment advisers that was also dated April 18, 2018, the SEC stated that “[a]n investment adviser’s fiduciary duty is similar to, but not the same as, the proposed obligations of broker-dealers under Regulation Best Interest,” and that “we are not proposing a uniform standard of conduct for broker-dealers and investment advisers in light of their different relationship types and models for providing advice[….]” See Proposed Commission Interpretation Regarding Standard of Conduct for Investment Advisers; Request for Comment on Enhancing Investment Adviser Regulation, Investment Advisers Act Release No. IA-4889 (April 18, 2018), available at https://www.sec.gov/rules/proposed/2018/ia-4889.pdf.

xxi Reg. BI Proposal, at 404.

xxii Reg. BI, subparagraph (B), Reg. BI Proposal, at 404.

xxiii   Reg. BI Proposal, at 404-405.

Subparagraph (b)(2) of Reg. BI would define “retail customer’s investment profile” as including, but not be limited to, “the retail customer’s age, other investments, financial situation and needs, tax status, investment objectives, investment experience, investment time horizon, liquidity needs, risk tolerance, and any other information the retail customer may disclose to the broker, dealer, or a natural person who is an associated person of a broker or dealer in connection with a recommendation.” Reg. BI Proposal, at 406.

xxiv   Reg. BI Proposal, at 405.

xxv      Reg. BI Proposal, at 406-407

Pastore & Dailey Wins Suitability Arbitration for Investor

A Pastore & Dailey client recently prevailed in a FINRA Arbitration against a broker dealer firm regarding compliance failures and unsuitable investments solicited by the broker. The arbitration took place in Houston, Texas. Pastore & Dailey was co-counsel with a well known former general counsel of a large securities firm. Our client asserted claims arising from oil and gas master limited partnerships for breach of fiduciary duty, negligence, failure to supervise, unsuitability, misrepresentation, violation of the Florida Securities and Investor Protection Act, Fla. Stat. § 517.301, and breach of contract. Our client was ultimately awarded both damages and attorneys fees.

Suspension of Trading for Hong Kong Blockchain Firm

Last week, on January 8, 2018, the Securities and Exchange Commission (“SEC”) suspended trading of UBI Blockchain Internet, Ltd. (“UBI”) stock until January 22, 2018.[1] UBI, formerly JA Energy, is a Hong Kong-based technology firm focusing on the Blockchain technology underlying cryptocurrency.[2] Coincidently, one of the focuses of this over-the-counter traded company is on the application of the distributed ledger technology to trace food and drug products from the producer to the consumer.[3] According to UBI’s legal counsel, the motivation behind this innovation is to prevent counterfeit products.[4]

The erratic behavior of UBI shares caught the eyes of the SEC in early December as the company’s stock sky-rocketed in price. On December 1, 2017, shares of UBI were trading at $6.12, and just eighteen days later, the value had swiftly rose to $83.00 per share, and even selling as high as $115.00 per share.[5] The subsequent decline in value was just as precipitous. Within a week of its peak, the value of UBI stock had fallen to $29.00 per share and further down to $22.00 per share before the close of the 2017 year. The freeze on trading allows the SEC an opportunity to investigate the causes of the sudden and drastic changes in the firm’s stock activity.

The SEC is tasked with closely monitoring the trading activity of publicly traded companies. Spikes in value and in the volume of trades within the market, like those seen here with UBI, raise red flags for the SEC to act upon. Pursuant to Section 12(k) of the Securities Exchange Act of 1934, the SEC may temporarily suspend the trading in particular securities pending an investigation.[6] In the case of UBI, the commission cited two distinct justifications for its suspension: concerns with (1) the accuracy of assertions dating back to September 2017 regarding the company’s business operations; and (2) the unusual and unexplained market activity in the company’s Class A common stock since November 2017.[7] It remains to be seen whether the cause of the fluctuation was caused by SEC violations or by a frenzy as the market responded to UBI’s pharmaceutical application of the Blockchain technology.

_____________________________________________________________________________________________________________

[1] U.S. Securities and Exchange Commission, Securities Exchange Act od 1934: Release No. 82452,  https://www.sec.gov/litigation/suspensions/2018/34-82452.pdf (last visited January 14, 2018, 3:05 PM).

[2] Matt Robinson, Crypto Stock That Surged 900% in 2017 is Hit With SEC Halt, Bloomberg (Jan. 8, 2018, 10:39 AM), https://www.bloomberg.com/news/articles/2018-01-08/crypto-stock-that-surged-900-percent-in-2017-gets-sec-suspension.

[3] Cory Johnson, How One Mysterious Startup is Riding the Bitcoin Wave, Bloomberg (Dec. 27, 2017, 12:17 PM), https://www.bloomberg.com/news/articles/2017-12-27/bedwetting-to-blockchain-how-one-startup-rode-the-bitcoin-craze.

[4] Id.

[5] UBI Blockchain Internet Ltd., Marketwatch, https://www.marketwatch.com/investing/stock/ubia/charts (last visited January 14, 2018, 3:07 PM).

[6] See supra note 1.

[7] See supra note 1.