Two regulators published findings of surveys of buy and sell side firms in the securities industry regarding cybersecurity while making recommendations to help mitigate threats. Also, a national bank settled an enforcement lawsuit by the Commodity Futures Trading Commission related to its alleged role in the collapse of Peregrine Financial Group. As a result, the following matters are covered in this week’s Bridging the Week:
- Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats (includes Compliance Weeds);
- US Bank Agrees to Pay US $18 Million to Resolve CFTC Lawsuit Related to Peregrine Financial Group;
- ESMA Issues Recommendations to EC Regarding Rollout of Market Abuse Regulation;
- European Commission Fines ICAP €14.9 Million for Antitrust Violations in Connection With LIBOR Manipulation; ICAP to Challenge; and more.
Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats
Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority published observations of their review of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats.
The most dramatic observation is that 88 percent of all broker-dealers and 74 percent of all investment advisers reported already having sustained cyber-attacks directly or through one or more of their vendors, said the SEC. Most attacks were the result of malware and fraudulent emails.
According to the SEC, 54% of all broker-dealers and 43% of advisers specifically said they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25% of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”
Although a large majority of broker-dealers (72%) incorporated requirements related to cybersecurity into contracts with their vendors and business partners, only a small minority of advisers (24%) followed such practice.
Among the principal cybersecurity risks identified by FINRA members are the risk of hackers penetrating systems for account manipulation to destroy data; insiders or other authorized users abusing their access for personal purposes or to place time bombs or engage in other destructive activities; and non-nation states or terrorist groups entering systems to wreak havoc. According to FINRA,
[n]ot surprisingly, the ranking of threats varies by firm and by business model. For example, online brokerage firms and retail brokerages are more likely to rank the risk of hackers as their top priority risk. Firms that engage in algorithmic trading were more likely to rank insider risks more highly. Large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms.
Although FINRA acknowledged that “there is no one-size-fits-all approach to cybersecurity,” it identified a number of practices firms should consider to minimize threats. According to FINRA, firms should:
- maintain a cybersecurity governance framework that facilitates informed decision making and escalation to identify and manage cybersecurity risks;
- regularly try to identify cybersecurity risks associated with firm assets and vendors and ensure they are addressed on a priority basis;
- ensure that software and hardware that stores and processes data, as well as the data itself, is protected through adequate technical controls;
- ensure it maintains adequate policies and procedures, as well as identifies roles and responsibilities to escalate and respond to cybersecurity incidents;
- manage cybersecurity risk in connection with its vendor relationships using a risk-based approach;
- enhance intelligence gathering to help identify, detect and react to cybersecurity threats; and
- provide tailored cybersecurity training to staff.
Firms should also consider utilizing cyber-insurance to help mitigate the economic consequences of a cybersecurity breach.
FINRA cautions that, although cyber-threats pose the potential for significant damages, firms can protect themselves:
most successful attacks take advantage of fairly basic control weaknesses. While firms need to stay on guard, they can also take some comfort from this. To be sure, cybersecurity is challenging to address, but it is certainly not impossible. What is required is rigorous attention to detail and execution. Risk assessments can help firms identify and prioritize those steps that are most urgent to undertake. Information sharing can help firms understand the types of threats they may face and available mitigation measures.
The SEC’s survey was based on a review of over 100 broker-dealers and investment advisers, while FINRA’s study was based on a “select” cross-section of large investment banks, clearing firms, online brokerage firms, high-frequency traders and independent dealers. The SEC's survey was conducted by its Office of Compliance Inspections and Examinations.
Contemporaneously with their issue of industry findings, both the SEC and FINRA issued specific recommendations to investors to help them guard against cyber-breaches with their investment accounts.
(Click here for another perspective on this development in the article, “SEC and FINRA Issue Cybersecurity Publications,” in the February 6, 2015 edition of Corporate & Financial Weekly by Katten Muchin Rosenman LLP.)
Compliance Weeds: The SEC’s and FINRA's findings confirm that, regrettably, it is likely not a matter of if a cyber breach may occur, but when and how severe. Firms must continue their efforts to minimize the likelihood of cybersecurity breaches through maintenance of strong intelligence gathering, robust policies and procedures and governance, state-of-the-art technological defenses, ongoing monitoring, and employee training. Cybersecurity has been identified as a major item of focus by many regulators during their 2015 examination of registrants (Click here to access the article, “Cybersecurity, Potential Equity Order Routing Conflicts and AML Among the Top Examination Priorities for SEC in 2015,” in the January 12 to 16 and 19, 2015 edition of Bridging the Week.)
- US Bank Agrees to Pay US $18 Million to Resolve CFTC Lawsuit Related to Peregrine Financial Group: U.S. Bank, N.A. agreed to pay US $18 million to the court-appointed trustee for Peregrine Financial Group to resolve the enforcement proceeding brought against it by the Commodity Futures Trading Commission related to the bank’s alleged role in the demise of PFG—a futures commission merchant—in 2012. The CFTC brought the legal action in June 2013, claiming that the bank facilitated at least some of the misappropriation of PFG’s customer funds by Russell Wasendorf, Sr., the firm’s principal, that led to PFG’s bankruptcy and loss of more than US $215 million of customer funds. The CFTC claimed that US Bank knowingly facilitated at least some of the principal’s wrongdoing when it permitted Mr. Wasendorf to transfer funds out of a PFG customer account to pay for his private jet, restaurant and divorce settlement, among other things, thereby treating the PFG customer account as a personal commercial checking account. The CFTC also claimed that US Bank acted unlawfully when it accepted PFG’s customer account as security on personal loans to Mr. Wasendorf, his wife and his construction company. In settling this matter, the CFTC acknowledged “that U.S. Bank has already taken significant remedial action to strengthen the internal controls and policies” regarding its handling of customer accounts for its FCM clients. (Click here for additional information regarding the CFTC’s initial lawsuit in the article, “CFTC Sues Bank That Held PFG Funds” in the June 5, 2013 edition of what is now called Between Bridges.)
- ESMA Issues Recommendations to EC Regarding Rollout of Market Abuse Regulation: The European Securities and Markets Authority issued technical advice to the European Commission to make the Market Abuse Regulation applicable to market participants and investors. (MAR—which became law in Europe in July 2014—articulates conduct that constitutes market abuse, including insider dealing and market manipulation.) Among other things, the technical advice provides an extensive non-exhaustive list of indicators of manipulative conduct constituting the prohibited dissemination of false or misleading signals to the market and the use of so-called “fictitious devices” or other forms of “deception or contrivance.” Evidence of wrongful conduct includes, among other behavior: (1) transactions to trade solely to increase the price or volume of trading near a reference point during the trading day (e.g., near the open or close); (2) small orders to trade to ascertain hidden orders (ping orders), (3) orders to trade in order to uncover orders of other traders and to take advantage of the information obtained (phishing); (4) taking advantage of a dominant supply of a financial instrument to distort the price other parties have to deliver at (squeeze); and (5) conduct commonly known as “painting the tape,” “quote stuffing,” “spoofing” and “layering.” ESMA will deliver its technical standards regarding MAR to the EC in July 2015. The Market Abuse Directive and MAR are expected to become applicable for most purposes in July 2016.
- European Commission Fines ICAP €14.9 Million for Antitrust Violations in Connection With LIBOR Manipulation; ICAP to Challenge: The European Commission fined ICAP plc €14.9 million (approximately US $16.9 million) for its alleged role in colluding with other brokers to manipulate the Japanese yen-denominated London Interbank Offered Rate from 2007 to 2010. In 2013, six banks admitted their involvement in this collusion and agreed to pay fines in aggregate of almost €700 million (approximately US $792 million; click here for details in the article, “The European Commission Fines Six Banks €1.71 Billion for Engaging in Anti-Competitive Behavior in Connection With LIBOR and EURIBOR Indices” in the December 2 to 6 and 9, 2013 edition of Bridging the Week). According to the EC, ICAP contributed to the collusion by disseminating false information, using its relationship with several JPY LIBOR panel banks that were not part of the collusion to influence their submissions; and serving as a communications medium between traders at two sanctioned banks, thereby facilitating the wrongful practices between them. ICAP announced it will appeal the EC’s decision in European courts, claiming that “[t]his is a regulatory matter that already has been settled. It is not a competition issue, and the EC has presented no evidence that ICAP facilitated a competition law violation.” ICAP Europe, Ltd. previously settled charges with the Financial Conduct Authority and the Commodity Futures Trading Commission related to the actions of three of its non-US based employees to manipulate the JPY LIBOR from at least October 2006 through January 2011 (click here for details in the article “CFTC and UK FCA Sue and Settle with ICAP Europe; Three Non-US Individuals Indicted by the US Department of Justice,” in the September 23 to 27 and 30, 2013 edition of Bridging the Week).
And even more briefly:
- ESMA Determines Not to Recommend NDF Clearing at This Time: Relying on feedback from a consultation published in October 2014, the European Securities and Markets Authority has determined not to propose the clearing of non-deliverable foreign exchange forwards contracts as this time. Most relevant for ESMA in making its decision were (1) comments received urging a delay in implementing an NDF mandatory clearing obligation; (2) that only one European clearinghouse (CCP) is authorized to clear NDFs and that no third-country CCPs clearing NDFs are approved in Europe; (3) the lack of experience of counterparties with NDF clearing; and (4) the importance of internationally coordinating the roll-out of mandatory NDF clearing.
- CME Group Schedules to Close Futures Open Outcry Markets in July: CME Group announced that it would close most of its open outcry futures trading facilities in Chicago and New York by July 2, 2015. Most options contracts that trade actively on both the floor and electronically, and the S&P 500 futures contract, will continue to be traded in open outcry markets.
My View: Sadly, the relevance of Trading Places, the 1983 classic comedy starring Dan Aykroyd and Eddie Murphy—about the manipulation of the FCOJ futures contract on a trading floor in the old World Trade Center—will soon have little or no context after the closing of New York trading rings, even though FCOJ futures continue to trade electronically at ICE Futures U.S. (ICE Futures U.S. closed its NY trading floors on February 29, 2008). Alas, neither Duke & Duke principals nor anyone else will be able to enter orders and watch trading on the floor (for legitimate or nefarious purposes) any more!
- FIA Issues Recommendations to Enhance Swap Clearing: The Futures Industry Association has proposed recommendations to help facilitate the processing of trades among clearinghouses, clearing members (FCMs) and swap execution facilities. The objective of the recommendations is to help FCMs meet their regulatory obligation to screen each order before its execution.
- Global Regulatory Organizations Recommend How Financial Firms Should Enhance Credit Monitoring: Three global supervisory organizations issued recommendations on how financial service regulators should evaluate firms’ monitoring of credit risk. Among other things, regulators should ensure that firms (1) do not over-rely on internal models; (2) do not engage in risk-taking behaviors in a “search for yield” in the current international low interest rate environment; (3) monitor issues that might arise in connection with the “growing need” for high-quality liquid collateral, and respond appropriately as necessary; and (4) capture central counterparty exposures as part of their credit risk management. The three global organizations are the Basel Committee on Banking Supervision, the International Organization of Securities Commissions and the International Association of Insurance Supervisors.
- FINRA Seeks Comments on Proposal to Require ATSs to Submit Fixed Income Quotation Information: The Financial Industry Regulatory Authority is seeking comment on its proposal to mandate that alternative trading systems—so-called “dark pools”—report quotation information related to fixed income securities. FINRA claims it needs this information to “strengthen its ability to surveil fixed income trading.” Comments are due by April 7.
For more information, see:
CME Group Schedules to Close Futures Open Outcry Markets in July:
ESMA Determines Not to Recommend NDF Clearing at This Time:
ESMA Issues Recommendations to EC Regarding Rollout of Market Abuse Regulation:
European Commission Fines ICAP €14.9 Million for Antitrust Violations in Connection With LIBOR Manipulation; ICAP to Challenge:
See also, ICAP Press Release:
FIA Issues Recommendations to Enhance Swap Clearing:
FINRA Seeks Comments on Proposal to Require ATSs to Submit Fixed Income Quotation Information:
Global Regulatory Organizations Recommend How Financial Firms Should Enhance Credit Monitoring:
Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats:
See also, FINRA Investor Warning:
See also, SEC Investor Warning:
US Bank Agrees to Pay US $18 Million to Resolve CFTC Lawsuit Related to Peregrine Financial Group:
See also, Summary Judgment Order (November 2014):
The information in this article is for informational purposes only and is derived from sources believed to be reliable as of February 7, 2015. No representation or warranty is made regarding the accuracy of any statement or information in this article. Also, the information in this article is not intended as a substitute for legal counsel, and is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. The impact of the law for any particular situation depends on a variety of factors; therefore, readers of this article should not act upon any information in the article without seeking professional legal counsel. Katten Muchin Rosenman LLP and/or Gary DeWaal may represent one or more entities mentioned in this article. Quotations attributable to speeches are from published remarks and may not reflect statements actually made.
© 2019 Katten Muchin Rosenman and Gary DeWaal. All Rights Reserved.