Registered investment advisers are facing heightened scrutiny around cybersecurity, client data protection, and fraud prevention as new Regulation SP requirements take hold. In Adviser Intelligence Episode 7, Stark & Stark’s investment management and RIA compliance lawyers discuss how these developments are playing out in real exams and real incidents, from misdirected emails to sophisticated social‑engineering schemes.
Our attorneys explain what an effective, “right‑sized” cybersecurity program looks like, including written incident response plans, clear reporting pathways for employees, encryption of sensitive non‑public personal information, and regular training that prepares staff to recognize and escalate suspicious activity. They also address the growing role of cybersecurity insurance and the practical realities of coordinating state‑level breach obligations with federal Reg SP duties.
A significant portion of the conversation focuses on vendor risk management and ongoing due diligence for third‑party providers that hold client data, including expectations around 72‑hour breach notifications and maintaining due diligence packets that examiners now routinely request. The episode closes with a reminder that cybersecurity and identity theft prevention have evolved into standalone, living frameworks—supported by data mapping and Reg S‑ID programs—rather than a single paragraph at the back of a compliance manual.
This podcast provides general legal information and commentary only. It is not intended as legal advice, nor does it create an attorney-client relationship. For more information about Stark & Stark’s services, please visit www.stark-stark.com.
Intro (00:00):
This is Advisor Intelligence, the podcast for investment advisors and financial institutions. In each episode, attorneys from your investment management and securities team break down compliance, regulation, and risk into practical insights that help you stay exam ready and ahead of what’s next. This podcast is brought to you by Stark & Stark.
Jeffrey Lang, Esq. (00:28):
Hello everyone, and welcome to the Advisor Intelligence Podcast on cybersecurity and the new Regulation SP. My name is Jeff Lang, and I’m here with my colleagues, Steve Galetto and Mittal Patel. We’re going to be talking to you today about new developments in Regulation SP, a very, very hot topic, as well as cybersecurity, two very related topics. A lot of people ask us now that we’re done with the ADV season, what are we worried about? What are we focused on? And where are we putting our time in? And I tell folks that we’re spending a lot of time with our clients working through and making sure that they are ready to comply with the Regulation SP requirements and with cybersecurity requirements, which have expanded over the past year as the new requirements have rolled out. Steve, do you want to talk about what the significant hot topics are with respect to the Regulation SP new developments and with respect to cybersecurity?
Stephen Galetto, Esq. (01:34):
Certainly. So larger investment advisory firms have already been subject to the new Reg SP requirements from as far back as December of last year. So now we’re really lining up and making sure that the smaller investment advisors, those investment advisors with less than 1.5 billion in assets under management, have an incident response plan in place in order to comply with the new Reg SP requirement. Mittal has been instrumental in making sure that our clients have an appropriate policy in place, working with our clients to make sure that the policy lines up with their actual level of exposure. Mittal, what have you seen as far as hurdles for investment advisory firms?
Mittal Patel, Esq. (02:17):
I’m going to take it back one step and just say that this regulation does apply to all SEC registered investment advisors. So if you didn’t implement it in December when it was due, you’re late, but we can still help you implement it now.
Stephen Galetto, Esq. (02:31):
Right.
Mittal Patel, Esq. (02:32):
In terms of the incident response plan, what the SEC really wants you to do is have some sort of plan in place for a, in the case that there’s a cybersecurity incident. No two cybersecurity incidents are going to be the same.
Stephen Galetto, Esq. (02:46):
Hopefully not. Hopefully you learned your lesson the first time, right? I’m
Mittal Patel, Esq. (02:49):
Hoping. I’m hoping. But basically the SEC wants you to have a plan on what you’re going to do in the case that you’re going to have an incident. What are you training your employees to report all the incidents that happen? And what are the steps you’re going to take to actually really learn about the incident, what went on and detect any fraudulent activities?
Stephen Galetto, Esq. (03:13):
So was there a reporting requirement prior to the new Reg SP requirement? Did investment advisory firms have to report anywhere that there was an actual cybersecurity incident or a breach?
Mittal Patel, Esq. (03:23):
Well, that could depend on the state in which the incident also happened, because some states do have cybersecurity reporting requirements, but I would say we did still need to document it in our records if we did have it, but we’re not required to have an incident response plan in place.
Stephen Galetto, Esq. (03:42):
Okay.
Jeffrey Lang, Esq. (03:43):
I just want to interject really quick. There’s an important point that you hit on there very quickly talking about the states. And so one of the key elements here is that if you do experience some form of breach, each of the states has their own methodology or their own requirements relative to what needs to be done. So one of the things that we address with folks is if you have any kind of cybersecurity incident or breach, one of the things that you’ll need to do is figure out which clients in which states are impacted, and then you might be subject to a patchwork of requirements as you undergo your remediation.
Mittal Patel, Esq. (04:26):
So it’s a twofold requirement. Basically, you have the federal requirement now, but also the states as well.
Stephen Galetto, Esq. (04:31):
Right, right, right. One thing I will say about the state issues and reporting and informing all your clients, even with the Reg SP type violation, those firms that carry cybersecurity insurance likely have, or I hope you would have within that cybersecurity insurance coverage, some level of benefit where you can engage a third party to help you identify what those reporting requirements are at the state level to help you mitigate future loss or issue dealing with these types of breaches. So if your cybersecurity insurance policy is up for renewal anytime soon, it’s certainly something you should definitely review with your agent, make sure there is some level of coverage there because what I see cybersecurity insurance policies covering and the value there is these types of breaches, these types of issues, not a server going down or something like that, not an actual ransomware type situation where the system’s locked out.
(05:38):
Most investment advisors are keeping their data in the cloud somewhere at a third party service provider, so there’s protections there. I would say that the largest target for loss here for investment advisors would be with the data breach and needing to inform clients of that.
Mittal Patel, Esq. (05:55):
Definitely. So you touched on a couple of questions that I thought are important to address. What is an incident?
(06:03):
Is it an incident every time Jeff clicks on a phishing email?
Stephen Galetto, Esq. (06:07):
That would be a lot of incidents.
Mittal Patel, Esq. (06:09):
I know. Sorry, Jeff.
Jeffrey Lang, Esq. (06:12):
Yeah.
Stephen Galetto, Esq. (06:12):
I think Mittal just got fired.
Jeffrey Lang, Esq. (06:16):
You know what? I would treat it as any situation where you, when I say you, obviously the firm, believe that there might have been some kind of hacking or penetration of your system, some kind of situation where some bad actor was able to breach your firewall, your protections, and potentially access your information.
Stephen Galetto, Esq. (06:43):
What if there’s an Excel spreadsheet with full client names, social security numbers, account numbers, that the investment advisory firm is trying to send their compliance attorney to review or help out with, but it gets misdirected and it goes to the wrong person. Is that an
Jeffrey Lang, Esq. (07:00):
Incident? Yeah. I get that situation every once in a while. One of the things that I’ll do to handle it, it could be. The bottom line is it could be. And what I will try to do in certain circumstances, especially if we are familiar with the other client, is get them to alert them and say, “Is there something that might have come your way?” If we weren’t able to pull it back, just cancel the email, seeing if we can get them to not open to delete it off their system might be one solution. Otherwise, we might need to, in a more involved circumstance, if it was opened on the other side inadvertently, there might be a situation where we want to send some kind of notice out to clients that we did have an incident that’s under control.
Stephen Galetto, Esq. (07:50):
Right.
Jeffrey Lang, Esq. (07:51):
There’s that notification requirement. There’s a notification requirement, not as severe a situation as if it was sent out into the ether or hacked, but nonetheless, a notification, an incident and a notification situation
Stephen Galetto, Esq. (08:03):
Where
Jeffrey Lang, Esq. (08:04):
We may probably want to send a letter saying, “Here’s what happened, here’s what we’ve done.” And then a lot of times folks will offer some form of credit checking as a fail safe measure to make sure that- To mitigate risk. To mitigate risk. So it really is situation specific and there’s going to be varying levels of what you might need to do.
Stephen Galetto, Esq. (08:24):
Right. So if it’s just a client name and an address, something that’s … Well, the fact that somebody happens to be a client of your investment advisory firm isn’t exactly public knowledge, but a client’s name and mailing address is likely searchable, likely something that could be located with enough sniffing around online. I’m pretty sure if people tried long enough and you’re looking at somebody that owns a home, you can probably figure out where they live and honestly, the taxes they’re subject to in their particular county and state. So there’s a lot of information that’s just out there floating around. So not every little bit of information is going to be considered sensitive or non-compliantly
Mittal Patel, Esq. (09:09):
Define it to be non-public personal information. Right.
Stephen Galetto, Esq. (09:12):
Exactly. So an account number, that’s going to be non-public. A social security number, I would hope is non-public, but we don’t know. Yeah. So I think it’s important within the firm, as part of your cybersecurity policy and data privacy, to implement encryption for sensitive client information and data. Again, if we have an encrypted document with all of our sensitive information, password protected, it’s something that if it is misdirected, it can’t be accessed. It’s not going to be something that’s going to result in an actual incident, right? Right. So we can work within the firm’s cybersecurity culture to ingrain these things, to make sure that if there is a misdirected email, if there is sensitive information that flows out, it’s not complete. It’s not a full issue. So using the last four digits of a social security number, using the last four digits of an account number, something like that.
(10:08):
So the full data set is not available or accessible.
Jeffrey Lang, Esq. (10:12):
Let’s talk about reporting incidents like the reporting structure for a second. And this is sort of, I would say, akin to the incident response plan, right?
Stephen Galetto, Esq. (10:22):
Right.
Jeffrey Lang, Esq. (10:22):
So how does it begin? It begins by somebody identifying that there might have been some kind of breach. Now a lot of times-
Mittal Patel, Esq. (10:33):
Somebody, you mean an employee?
Jeffrey Lang, Esq. (10:34):
An employee. Right. Thank you. And so a lot of times, in my experience, what’ll happen is the firm will be contacted by a client who says, or clients, and the clients are saying, “Well, we’re all receiving this email,” because some kind of list has gone out. But it can also be something where somebody realizes that they have been hacked or they clicked on the wrong thing, their phishing scam or some kind of social engineering where they unfortunately clicked on something that they shouldn’t have and this type of thing can happen. And folks will often realize that, “Okay, this is something that I now realize looking back at it, I shouldn’t have clicked on that. ” Don’t be silent. Bring it to the attention of the CCO so that the firm can react accordingly.
Stephen Galetto, Esq. (11:26):
There’s no worse reaction to clicking on something you shouldn’t have clicked on than just closing your computer and walking away. You need to tell somebody. Right. So don’t be silent.
Mittal Patel, Esq. (11:35):
Right.
Stephen Galetto, Esq. (11:35):
Don’t be silent. Can’t be silent. Can’t be silent. Turning off your computer doesn’t solve the problem. It doesn’t. You need to let your IT folks know- Not even if
Jeffrey Lang, Esq. (11:43):
You reboot.
Stephen Galetto, Esq. (11:44):
Not even if you reboot four times in order to get Microsoft Office to actually function on your computer.
Jeffrey Lang, Esq. (11:50):
Okay. I’ll be right back.
Stephen Galetto, Esq. (11:51):
Yeah, please do. So we want to get to a point where not only are we not clicking on the email, we’re reporting that we received the email. So that email that also might be in one of your colleagues inboxes isn’t left for them to go ahead and click on. I think everyone on camera here or on this podcast has clicked on an email that we shouldn’t have clicked on at one point or another. Mittal, please back me up here. Jeff. I know Jeff, we didn’t want to throw Jeff under the bus, but if you left me hanging out here in the lurch, like you’d never clicked on one of these phishing emails. I’m sure you’ve clicked on something. Own it.
Mittal Patel, Esq. (12:31):
No.
Stephen Galetto, Esq. (12:32):
Own it. No. All right. Mittal’s perfect. But I’ve been inundated with emails and I’ve been out of the office for a few days and I come back in and I’m clicking through something and something looks like a legitimate email and I’ll open it up and I’ll see an attachment and I’ll almost click on it and then I’ll scroll my mouse over it and I’ll see that it’s a misdirected website or something like that. We receive regular training here at Stark & Stark. So we’re aware of this, but we should implement this level of training at the investment advisory firm.
Jeffrey Lang, Esq. (13:05):
You know what’s interesting? Speaking of that training, I do a lot of mock audits and I’ve been doing a lot of mock audits for a few years right now. And one of the things we focus on in the mock audit is A, training and B, penetration and vulnerability testing. And it strikes me that if you go back two years, three years, but maybe even two years, when I talk to firms and say, “Hey, what are you doing in terms of firm training using KnowBe4 or one of these vendors?” Two years ago, the answer would have been, “Gee, you think I ought to do that? ” We’ll consider it. Yeah. Seems like a good idea. Now it is becoming a standard. Same thing with penetration and vulnerability testing by a third party, which by the way, when I say third party, I mean even somebody other than your IT person, because if the IT person does the penetration or vulnerability testing, he’s only testing what he set up theoretically.
(13:57):
So it’s great to have even a third party test whether or not the penetration or vulnerability test shows that you’re appropriately
Stephen Galetto, Esq. (14:04):
Protected. Why do you think people are doing this more?
Jeffrey Lang, Esq. (14:08):
I think first of all that folks are paying more attention to and seeing in the media and hearing from their peers that this is a real thing. It’s not a theory anymore. Your other firms, people you know, are getting hacked. People are really suffering from this. You cannot avoid it in the news. It’s a thing. So the key is these things that before, like having the full cybersecurity policy, having the very, very robust Reg SP policy, whereas before these were sort of like, “You know, I’ll do that. I’ll make sure I have something.” Now this is real and now people really have experienced … A lot of people have experienced hacks. A lot of people have experienced ransomware, fraud. I can tell you as someone who gets the call that the fraudsters, the bad actors are remarkably sophisticated. Their ability to know who’s who in your firm and direct emails to people and asking things in a manner that you don’t think it’s a fraud because- The social engineering.
(15:14):
… because it works because it sounds right and that is critical.
Stephen Galetto, Esq. (15:19):
Right. Absolutely. Names are being spelled correctly. You’re getting emails that are in English. AI is certainly being used in this space as well. Without
Jeffrey Lang, Esq. (15:30):
A doubt, AI
Stephen Galetto, Esq. (15:31):
Is being used. Mittal, from your perspective, what are our clients or other investment advisory firms most concerned about? I’ve had years of exposure to this from firms that never had considered having a cybersecurity policy up to the firms that were then required to have a cybersecurity policy and firms that have had losses as a result of either data breaches, fraudulent requests for transfers of funds from client accounts. I’ve seen all sorts of social engineering, but what do you see at the forefront?
Mittal Patel, Esq. (16:13):
I see a couple of things. The first thing is accidentally sending out emails or information to the wrong third parties, which we covered earlier, ransomware attacks, which they still occur. And then the other is concerns related to third party vendors. A lot of our clients are using third party vendors, and now they need to make sure that the third party vendors have the appropriate safeguards in place to protect our clients’ information.
Stephen Galetto, Esq. (16:40):
Right. So under Reg SP, I believe it’s 72 hours, right? Once you become aware of the actual data breach. In a previous podcast, we were talking about our time at the IAA conference in Washington DC. And there was a brief section where a director at the SEC was talking about how they understand that the 72 hour reporting process or window is a very short window and how you are relying upon your third party vendors and how they are putting it back on the investment advisors to force the third party vendors to more promptly inform of these breaches. They understand that the 72 hours might not necessarily be doable, right?
Mittal Patel, Esq. (17:26):
So you just raised an important question. Does the 72 hour provision, quote unquote, provision need to be in writing?
Stephen Galetto, Esq. (17:34):
Need to be in writing in a contract with a vendor? I would certainly recommend that. Every time I’m reviewing one of these third party vendor contracts, I try to get it in there. But if you’re going toe to toe with Microsoft, good luck getting Microsoft to accept any sort of amendment or revision to their agreement. Until there’s enough pressure on them, not necessarily call out Microsoft, but other large vendors too, until there’s enough pressure on these large vendors and cloud service providers or third party vendors like Redtail and Black Diamond, stuff like that, to report within 72 hours, you’re not going to get the traction. They’re not going to budge on that.
Mittal Patel, Esq. (18:11):
And I always see that on a weekly basis. And I always tell clients, if we can’t get it in writing, what we need to do is we need to review the third party vendor’s privacy policy and the agreements we have in place with them to make sure that we are adequately covered because at the end of the day, we are still responsible for our client’s data.
Stephen Galetto, Esq. (18:30):
Absolutely. 100%.
Jeffrey Lang, Esq. (18:31):
We are communicating the expectation to them, to the third party vendor, that we would have this information in 72 hours. Now, as Steve was saying, we may not always be able to get that representation in writing, but we need to make it clear that this is our expectation in terms of how we’re going to do business with them.
Mittal Patel, Esq. (18:52):
And it’s interesting that you mentioned an interesting point. You mentioned that we want to communicate it. I’ve seen some firms actually send out letters to their third party vendors to indicate them-
Stephen Galetto, Esq. (19:02):
This is our level of expectation.
Mittal Patel, Esq. (19:03):
This is our level of
Stephen Galetto, Esq. (19:04):
Expectation. That’s right.
Mittal Patel, Esq. (19:05):
It doesn’t necessarily need to be signed, but you just want to notify them.
Stephen Galetto, Esq. (19:09):
Right. Right. Look, investment advisors are a highly regulated entity type, right? Microsoft and other large vendors, Amazon, AWS, and the like service far more industries than just the financial industry, far more client types than just investment advisors. They need to be aware that you are a highly regulated entity and that you are subject to this requirement. So they understand that if they’re going to offer that service to you as an investment advisor, this is what you need to do in order to comply with regulation.
Mittal Patel, Esq. (19:45):
So if there’s a breach on our third party vendors side, do we still have to follow our incident response plan?
Stephen Galetto, Esq. (19:51):
100%.
Jeffrey Lang, Esq. (19:53):
Speaking of third party vendors, this is another hot topic. And I can say that this third party vendors, due diligence, having third party vendor information, especially for those third party vendors that hold PII, I can tell you this is such a hot topic in SEC exams right now. Maintaining both the initial due diligence and ongoing due diligence of the third party vendors that we use.
Stephen Galetto, Esq. (20:18):
Just because you go through that initial due diligence doesn’t mean you’re absolved from going forward and continuing to ask these questions and to continue to get the due diligence packets from these folks. If they’re a large enough vendor, they already have a due diligence packet that’s ready and they just shoot it out. That’s
Jeffrey Lang, Esq. (20:34):
Right. That’s right. A lot of the folks that are in the vendors that are in this space pretty much have material that they can get out to you right away that really fits the bill. Some others may not, and you just simply got to do your best in terms of collecting A, whatever information that they’ll give you upon request, and B, what other information you might be able to glean from either public sources or from their website.
Stephen Galetto, Esq. (21:02):
And the more sophisticated the vendor, the more you’re going to want in that due diligence packet, right? You’re going to want a SOC 1 or SOC 2 audit. You’re going to want somebody that understands what a due diligence packet is when you ask for it.
Mittal Patel, Esq. (21:14):
That’s a problem if they
Stephen Galetto, Esq. (21:15):
Don’t. Right? Do you want a third party vendor handling your clients’ sensitive information if they don’t know how to provide a due diligence packet for you to review and take in as part of your books and records? Probably not. But I think that the environment keeps on changing, which is why it’s important to review your cybersecurity policy at least once annually. Make sure you’re keeping up with the trends. Make sure that you’re using appropriate encryption software. Make sure you’re training your staff. Training is important. It needs to be consistent and needs to be continual. It’s not just bringing on new folks. It’s a matter of fortifying what you’ve already trained your existing employees to do as a matter of process and protocol. All it takes is just one lazy click of an email that shouldn’t be touched to cost your firm an awful lot of money.
(22:11):
So training and updating the cybersecurity policy is important. I think the takeaway, I think the primary takeaway of this podcast episode is that client privacy and maintaining security and safeguarding client information, sensitive client information is at the forefront of the cybersecurity review and regulation. I think when the SEC comes in to do a sweep cybersecurity exam, because at this point, when the SEC is doing a regular exam, just a standard exam, they’ll touch on cybersecurity, but they don’t go full on in. The cybersecurity sweep exams can be intensive. Again, I think the SEC is looking at more of a right size compliance approach these days, which means a bit more understanding as far as the level that the firm has taken to implement technology software and training. But again, you’re never going to get in trouble for doing more.
Jeffrey Lang, Esq. (23:15):
And just bearing in mind that when you talk about cybersecurity policy or policy and procedure, we’re not just talking about the last two thirds of a page in a regular manual.
Stephen Galetto, Esq. (23:27):
Not at all.
Jeffrey Lang, Esq. (23:28):
We’re really talking about probably, at this point, a standalone manual with data mapping exhibits in it that tracks where your data is maintained, who has what, on what platform, and all of that information. Reg SP, the cybersecurity manual, and also the first cousin to all of this, Reg S-ID, the written identity theft policy and procedure. Reg S-ID, which is kind of part of all this process, is noted as one of the SEC exam priorities for the upcoming year. So you’re looking at all of this as sort of one family of topics around the general idea of security and security protection, information protection. And thinking about it from that context, rather than thinking, “Well, it’s just one small portion, last page of my manual.” It’s a standalone living, breathing topic that must be addressed very, very thoroughly now.
Stephen Galetto, Esq. (24:28):
All right. Well, thank you, Jeff. Thank you, Mittal. I appreciate your insights and the conversation, and I look forward to our future podcasts.
Intro (24:41):
The Advisor Intelligence Podcast provides general information and commentary only. The content is not legal advice, nor does it create an attorney-client relationship. For more information about Stark & Stark’s services, please visit our website at stark-stark.com.