The U.S. Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) and the Financial Industry Regulatory Authority (FINRA) recently published their examination priorities (together, the Examination Priorities) for the 2020 calendar year.1 In general, the 2020 Examination Priorities continue recurring themes from recent prior years.
OCIE’s 2020 Examination Priorities for broker-dealers and investment advisers include the protection of retail investors (including compliance with new standard of care requirements and interpretations), cyber and information security risks, anti-money laundering compliance, firms engaging in the digital asset space and the provision of electronic investment advice.
FINRA’s 2020 Examination Priorities for member firms include those generally identified by OCIE for registered broker-dealers, as well as cash management and bank sweep programs, initial public offerings, liquidity management, trading authorizations and order routing and vendor display rule requirements, among others.
This post summarizes selected aspects of the Examination Priorities that may be of particular interest to broker-dealers and investment advisers. As always, firms should use the 2020 Examination Priorities to review their compliance and supervisory procedures carefully and make any necessary revisions. Firms also should be prepared to explain their compliance and supervisory policies in these areas in their upcoming SEC and/or FINRA examinations, as applicable, and provide documentation of relevant reviews.
Further to the publication of the ICO’s notices of intention to fine British Airways and Marriott in July 2019, the ICO has recently issued a statement delaying the issuance of both GDPR fines which had originally been expected by the end of 2019. (The ICO’s initial notices of intention to fine had stated that British Airways would face a fine of £183m ($228m) and Marriott, a fine of £99m ($123m). We reported on these here: British Airways and Marriott.)
On January 3, 2020, the Division of Swap Dealer and Intermediary Oversight (DSIO) of the U.S. Commodity Futures Trading Commission (CFTC) issued two cyber threat alerts regarding the hacking of approximately one dozen cloud service providers, as described in a Wall Street Journal article published December 30, 2019, entitled “Ghosts in the Clouds: Inside China’s Major Corporate Hack.”
One DSIO cyber threat alert was directed to swap dealers (SDs) and futures commission merchants (FCMs). Another was directed to commodity pool operators (CPOs), commodity trading advisors (CTAs), introducing brokers (IBs) and retail foreign exchange dealers (RFEDs). The National Futures Association (NFA) then sent a blast email to all NFA members in these registration categories (on behalf of the CFTC), with the DSIO alerts attached, further emphasizing to NFA members the information requested by DSIO and the deadlines for providing such information.
There has been a spike in 2019 of targeted cyberattacks against Asia-based fund managers, especially those in a startup phase of business. Regulators worldwide, including the Securities and Futures Commission of Hong Kong, have issued guidelines for reducing and mitigating hacking risks. This post summarizes the practical measures that may be adopted to protect your firm against cyberattacks and the keys to successful crisis management in the event that an unauthorized data breach occurs. (more…)
*This article was first published by Bloomberg Law in August 2019
Companies doing business with California consumers are impacted by the California Consumer Privacy Act (effective Jan. 1, 2020). The CCPA’s private right of action provision gives California residents the right to sue companies when their personal information is subject to unauthorized access and exfiltration, theft, or disclosure due to a company’s failure “to implement and maintain reasonable security procedures and practices.”
Under this provision, consumers may seek actual damages, declaratory or injunctive relief, and statutory damages, which begin at $100 and continue up to $750 “per consumer per incident.” The potential aggregated exposure through consumer class actions could be significant, and companies are searching for ways to mitigate private lawsuits.
The flurry of state legislative activity in the wake of the enactment of the California Consumer Protection Act (CCPA) continues with the New York legislature recently passing two bills to increase accountability for the processing of personal information. On July 25, 2019, Governor Cuomo signed the two bills into law, one which amended the state’s data breach notification law, and another that created additional obligations for data breaches at credit reporting agencies. Together, the new laws require the implementation of reasonable data security safeguards, expand breach reporting obligations for certain types of information, and require that a “consumer credit reporting agency” that suffers a data breach provide five years of identity theft prevention services for impacted residents. Meanwhile, the more comprehensive New York Privacy Act, which many viewed as even more expansive than the CCPA, failed to gather the necessary support in the most recent legislative session.
On June 20, 2019, the Federal Energy Regulatory Commission (“FERC”) approved a North American Electric Reliability Corp. (“NERC”) petition to adopt Reliability Standard CIP-008-6 to strengthen the reporting requirements for attempts to compromise the operation of the United States’ bulk electric system. The prior Critical Infrastructure Protection (“CIP”) Reliability Standards only required reporting where an incident compromised or disrupted one or more reliability tasks. The new standard applies to all registered entities subject to the CIP Reliability Standards.
Just a day after the ICO provided notice of its intention to fine British Airways £183m ($228m) over a separate breach (please see our blog post here), on Tuesday, July 9, 2019, the ICO released another statement of its intention to fine Marriott International, Inc. (“Marriott”) over £99m ($123m) in relation to a security incident affecting the Starwood reservation database which Marriott had acquired in 2016 and discovered in November 2018. The statement came in response to Marriott’s filing with the US Securities and Exchange Commission that the ICO intended to fine it for breaches of the GDPR.
Today we saw the ICO issue a notice of its intention to fine British Airways £183.39m for infringements of the GDPR – a record fine and the largest seen in the UK and the EU. The proposed fine relates to a cyber incident which BA notified to the ICO (as BA’s lead data protection authority, DPA) in September 2018. The incident involved the theft from the BA website and mobile app of personal data relating to customers over a two-week period. In terms of next steps, BA now has an opportunity to make representations to the ICO as to the proposed findings and sanction.
Singapore may soon mandate data breach notifications and data portability via amendments to the Singapore Personal Data Protection Act, or PDPA. The PDPA applies to all organizations that collect, use and disclose data in Singapore, and the PDPA has extraterritorial effect as it applies to all organizations collecting, using or disclosing personal data from individuals in Singapore (whether or not the company has a physical presence in Singapore).