SEC Begins to Scrutinize Registrants' Cybersecurity Practices

In a Risk Alert published on April 15, 2014, the SEC announced plans to examine the cybersecurity practices of over 50 registered broker-dealers and investment advisers. The SEC's Risk Alert closely followed the March 26 Cybersecurity Roundtable at which Chair Mary Jo White underscored the importance of cybersecurity to market security and customer data protection. At the Roundtable, Chair White emphasized the "compelling need for stronger partnerships between the government and private sector" to address cyber threats.

The Risk Alert detailed the types of questions the SEC may ask registrants in these exams, including questions about cybersecurity governance, risks associated with remote customer access, and risks associated with vendors and third parties. The sample questions ask whether, since January 2013, companies have discovered malware in their systems, suffered a network breach, or found that computers used by customers and vendors to remotely access their networks have been compromised.

The scope and detail of the sample questions reflect the SEC's commitment to assessing and encouraging cybersecurity readiness. In the past, the SEC has actively enforced Rule 30 of its Regulation S-P (Privacy of Consumer Financial Information), the so-called Safeguards Rule, in the cybersecurity area. The SEC has imposed fines ranging from $100,000 to $275,000 for such deficiencies as the failure of a firm to have policies and procedures adequately designed to protect customer records and information, distribution of insufficient written materials regarding safeguarding customer information and failure to implement adequate controls to safeguard customer information.

FINRA has also been active in the area of cybersecurity, as discussed in our previous client alert. However, increased attention in the wake of several recent highly publicized intrusions likely heralds additional enforcement actions and more serious scrutiny of companies' preparedness to respond to the growing threat presented by cyber hackers.

For more information see our full client alert.

SEC Staff Sets Boundaries for Adviser Testimonials in Social Media

A recent Division of Investment Management guidance update established some ground rules on how the "testimonial rule" applies when advisers use social media communications.

Rule 206(4)-1(a)(1) under the Advisers Act prohibits registered investment advisers from publishing any advertisement that refers to "any testimonial of any kind concerning the investment adviser" or concerning any service rendered by the investment adviser. The guidance update notes that "whether public commentary on a social media site is a testimonial depends upon all of the facts and circumstances relating to the statement."

The guidance update introduces the concept of an "independent social media site," which refers to a third-party social media site that predominantly hosts user opinions, beliefs, findings or experiences about service providers. An investment adviser's own social media profile or account that is used for business purposes is not an independent social media site.

An investment adviser may not invite clients to post public commentary on its own website, but the adviser may publish the same public commentary on its own site if the commentary comes from an independent social media site. In doing so, the investment adviser may not edit, revise, sort or otherwise change the commentary in a manner that emphasizes favorable commentary or de-emphasizes unfavorable commentary.

Our client alert contains more analysis on the new social media guidance.


Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved