Bridging the Week by Gary DeWaal


Bridging the Week by Gary DeWaal: February 2 to 6 and February 9, 2015 (Cybersecurity; Peregrine Financial Fallout; Market Abuse; Collusion)

Published Date: February 08, 2015

Two regulators published findings of surveys of buy and sell side firms in the securities industry regarding cybersecurity while making recommendations to help mitigate threats. Also, a national bank settled an enforcement lawsuit by the Commodity Futures Trading Commission related to its alleged role in the collapse of Peregrine Financial Group. As a result, the following matters are covered in this week’s Bridging the Week:


Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats

Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority published observations of their review of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats.

The most dramatic observation is that 88 percent of all broker-dealers and 74 percent of all investment advisers reported already having sustained cyber-attacks directly or through one or more of their vendors, said the SEC. Most attacks were the result of malware and fraudulent emails.

According to the SEC, 54% of all broker-dealers and 43% of advisers specifically said they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25% of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”

Although a large majority of broker-dealers (72%) incorporated requirements related to cybersecurity into contracts with their vendors and business partners, only a small minority of advisers (24%) followed such practice.

Among the principal cybersecurity risks identified by FINRA members are the risk of hackers penetrating systems for account manipulation to destroy data; insiders or other authorized users abusing their access for personal purposes or to place time bombs or engage in other destructive activities; and non-nation states or terrorist groups entering systems to wreak havoc. According to FINRA,

[n]ot surprisingly, the ranking of threats varies by firm and by business model. For example, online brokerage firms and retail brokerages are more likely to rank the risk of hackers as their top priority risk. Firms that engage in algorithmic trading were more likely to rank insider risks more highly. Large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms.

Although FINRA acknowledged that “there is no one-size-fits-all approach to cybersecurity,” it identified a number of practices firms should consider to minimize threats. According to FINRA, firms should:

Firms should also consider utilizing cyber-insurance to help mitigate the economic consequences of a cybersecurity breach.

FINRA cautions that, although cyber-threats pose the potential for significant damages, firms can protect themselves:

most successful attacks take advantage of fairly basic control weaknesses. While firms need to stay on guard, they can also take some comfort from this. To be sure, cybersecurity is challenging to address, but it is certainly not impossible. What is required is rigorous attention to detail and execution. Risk assessments can help firms identify and prioritize those steps that are most urgent to undertake. Information sharing can help firms understand the types of threats they may face and available mitigation measures.

The SEC’s survey was based on a review of over 100 broker-dealers and investment advisers, while FINRA’s study was based on a “select” cross-section of large investment banks, clearing firms, online brokerage firms, high-frequency traders and independent dealers. The SEC's survey was conducted by its Office of Compliance Inspections and Examinations.

Contemporaneously with their issue of industry findings, both the SEC and FINRA issued specific recommendations to investors to help them guard against cyber-breaches with their investment accounts.

(Click here for another perspective on this development in the article, “SEC and FINRA Issue Cybersecurity Publications,” in the February 6, 2015 edition of Corporate & Financial Weekly by Katten Muchin Rosenman LLP.)

Compliance Weeds: The SEC’s and FINRA's findings confirm that, regrettably, it is likely not a matter of if a cyber breach may occur, but when and how severe. Firms must continue their efforts to minimize the likelihood of cybersecurity breaches through maintenance of strong intelligence gathering, robust policies and procedures and governance, state-of-the-art technological defenses, ongoing monitoring, and employee training. Cybersecurity has been identified as a major item of focus by many regulators during their 2015 examination of registrants. (Click here to access the article, “Cybersecurity, Potential Equity Order Routing Conflicts and AML Among the Top Examination Priorities for SEC in 2015,” in the January 12 to 16 and 19, 2015 edition of Bridging the Week.)

And briefly:

And even more briefly:

My View: Sadly, the relevance of Trading Places, the 1983 classic comedy starring Dan Aykroyd and Eddie Murphy—about the manipulation of the FCOJ futures contract on a trading floor in the old World Trade Center—will soon have little or no context after the closing of New York trading rings, even though FCOJ futures continue to trade electronically at ICE Futures U.S. (ICE Futures U.S. closed its NY trading floors on February 29, 2008). Alas, neither Duke & Duke principals nor anyone else will be able to enter orders and watch trading on the floor (for legitimate or nefarious purposes) any more!

For more information, see:

CME Group Schedules to Close Futures Open Outcry Markets in July:
http://cmegroup.mediaroom.com/index.php?s=43&item=3597&pagetemplate=article

ESMA Determines Not to Recommend NDF Clearing at This Time:
http://www.esma.europa.eu/system/files/2015-esma-234_-_feedback_statement_on_the_clearing_obligation_of_non_deliverable_forward.pdf

ESMA Issues Recommendations to EC Regarding Rollout of Market Abuse Regulation:
http://www.esma.europa.eu/system/files/2015-224.pdf

European Commission Fines ICAP €14.9 Million for Antitrust Violations in Connection With LIBOR Manipulation; ICAP to Challenge:
http://europa.eu/rapid/press-release_IP-15-4104_en.htm

See also, ICAP Press Release:
http://www.icap.com/news/2015/20150204_icap_response_ec_decision.aspx

FIA Issues Recommendations to Enhance Swap Clearing:
http://www.futuresindustry.org/downloads/SEF%20DCO%20Recommendations%20Final%202015-2-3[1].pdf

FINRA Seeks Comments on Proposal to Require ATSs to Submit Fixed Income Quotation Information:
http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p602411.pdf

Global Regulatory Organizations Recommend How Financial Firms Should Enhance Credit Monitoring:
http://www.bis.org/bcbs/publ/joint37.pdf

Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats:

FINRA:
http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602363.pdf

See also, FINRA Investor Warning:
http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/MoneyManagement/P601655

SEC:
http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf

See also, SEC Investor Warning:
http://investor.gov/news-alerts/investor-bulletins/investor-bulletin-protecting-your-online-brokerage-accounts-fraud#.VNN4aynqdiE

US Bank Agrees to Pay US $18 Million to Resolve CFTC Lawsuit Related to Peregrine Financial Group:
http://www.cftc.gov/ucm/groups/public/@lrenforcementactions/documents/legalpleading/enfusbankorder020415.pdf

See also, Summary Judgment Order (November 2014):
http://www.cftc.gov/ucm/groups/public/@lrenforcementactions/documents/legalpleading/enfusbankorder111914.pdf

The information in this article is for informational purposes only and is derived from sources believed to be reliable as of February 7, 2015. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP and/or Gary DeWaal may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.

