Firm Fined for Inadequate Cybersecurity and Customer Data Protection

Broker-Dealers

Cybersecurity

January 31, 2024

The Case

The firm failed to establish and maintain a supervisory system reasonably designed to safeguard customer records and information in violation of Rule 30(a) of Regulation S-P.

The firm needed stronger cybersecurity practices, including:

  • a system for monitoring all third-party access to firm systems

  • limiting third-party service providers’ access to the firm’s production data and systems

    • ensuring that any approved third-party service provider’s access to the firm’s production environment was logged and monitored

    • requiring multi-factor authentication for third-party service providers

    • implementing endpoint detection and response (EDR) and security operations center (SOC) monitoring of all access to firm systems, including access by third parties


Why Does This Matter?

The action’s emphasis on cybersecurity reflects the SEC’s heightened focus on registered investment advisers adopting and implementing cybersecurity policies and procedures. Some of the key concerns highlighted by this and previous actions include:

  • transparency of data breach disclosures

  • multi-factor authentication for email accounts

  • security of cloud-based email accounts, and 

  • the importance of implementing an adequate incident response plan.


Based on recent legislation ushering in stricter customer data protection rules and disclosure requirements, fintechs must maintain cybersecurity measures and protect client data.

Were similar regulations enforced in countries outside the US?

Data privacy regulation ramped up globally in 2023; critical new laws and frameworks included the following:

  • Switzerland (Swiss Federal Data Protection Act)

  • Saudi Arabia (Saudi Arabia Personal Data Protection Law) 

  • India (Digital Personal Data Protection Act)

  • EU (EU-US Data Privacy Framework, Digital Services Act, Digital Markets Act)


InnReg's Experience

Since its inception in 2013, InnReg has developed deep expertise in compliance services related to customer data protection and cybersecurity measures as part of its work during FINRA examinations and managing compliance programs for a wide range of fintechs.

Learn More About This Topic

For additional insights, read InnReg’s free Data Protection Compliance Checklist to help you build best practices to meet evolving regulatory requirements.


© 2024 InnReg LLC

1101 Brickell Avenue
South Tower, 8th Floor
Miami, FL 33131
