See beyond the numbers

Cybersecurity Threats From Main Street to Wall Street

Why is there a sudden increase in interest in cybersecurity among regulatory agencies? The answer lies in the recent cyber attacks on Main Street, which have prompted Wall Street regulators to assess whether their market participants are vulnerable to such attacks and, if so, what they are doing to protect their clients’ information.

On January 30, 2014, the Securities and Exchange Commission (SEC) informed a group of compliance professionals that the agency will assess how asset managers are protecting clients’ non-public information. In the same month, the Financial Industry Regulatory Authority (FINRA) issued a targeted examination letter (also known as sweep examination) to assess broker-dealers’ approaches to managing cybersecurity threats, with a goal of better understanding the following:

  • Types of threats firms face
  • Exposure and major areas of vulnerability
  • Each firm’s approach to managing cybersecurity threats (i.e., risk assessment process, IT protocol and supervision)

SEC to review vendor due diligence process

The Securities and Exchange Commission’s assessment will include reviewing the financial institution’s IT policies, IT training and due diligence efforts on its vendors. Based on the comments made by the SEC during the January 30th meeting, the SEC appears to be particularly interested in financial institutions’ due diligence on vendors, and especially on those vendors who have access to sensitive client information. The interest in vendors may be due to the ongoing investigation into the intrusion at Target Corp., which investigators have reportedly traced back to a heating, ventilation and air conditioning vendor whose network credentials may have been stolen by the attackers.

FINRA to assess broker-dealers’ cybersecurity

FINRA’s sweep examination will address a number of areas related to cybersecurity at broker-dealers, including:

  • Risk assessment of the firm’s information technology
  • Business continuity plans in case of a cyber attack
  • Organizational structure and reporting lines
  • Process of sharing and obtaining information about cybersecurity threats
  • Industry threats and concerns
  • Cybersecurity impact on the firm over the last 12 months
  • Approaches to handling distributed denial-of-service attacks
  • Training programs
  • Insurance coverage for cybersecurity-related events
  • Contractual arrangements with third-party service providers

Customer information protection requirement

Financial institutions, including broker-dealers, investment advisers and asset managers, and investment companies registered with the SEC, are required to comply with Regulation S-P. Section 248.30 of Regulation S-P requires that firms have policies and procedures reasonably designed to safeguard customer information against any anticipated threats and unauthorized access.

Regulation S-P has been in effect since November 13, 2000, but financial institutions should still maintain an ongoing program to review their policies and procedures and ensure they remain reasonably designed to comply with the rule. In addition, financial institutions should conduct a robust IT risk assessment and penetration test of their existing IT infrastructure to identify weaknesses and mitigate risks.

SEC roundtable on cybersecurity

The recent cyber attacks on Main Street have prompted Wall Street regulatory agencies to take a hard look at financial institutions’ cybersecurity policies and procedures.

On March 26, 2014, the SEC will host a roundtable to discuss cybersecurity with market participants and public companies in Washington, D.C. The roundtable will be divided into four panels:

  1. Overall cybersecurity landscape
  2. Public company disclosure issues
  3. Cybersecurity for exchanges and other key market systems
  4. How broker-dealers, investment advisers, and transfer agents address cybersecurity issues, including identity theft and data protection

Broker-dealers can also expect FINRA to share its findings from cybersecurity sweep examinations in the coming year.


Nick Hartofilis, CPA, CRCP, CAMS, is a director in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at

Bao Q. Nguyen is a manager in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at


Part 2: Broker-Dealers – What’s Your Priority for 2014?

This is the second part of a two-part series. The first part of this series provided an overview of some of the areas that FINRA or SEC examinations may focus on at your firm in the coming year.

FINRA followed up on its October 2013 Report on Conflicts of Interest by further highlighting that examiners will be reviewing firms’ conflict management practices and the potential impact on customers. Sales efforts for proprietary products, or for other products for which the firm may have revenue-sharing agreements, will be closely scrutinized to determine whether firms are pushing the sale of such products.

The SEC also highlighted conflicts of interest inherent in certain investment advisor business models. SEC examination staff will focus on adviser compensation arrangements, allocation of investment opportunities, controls and disclosure associated with various fee structures, and risk controls and disclosure for leveraged, illiquid and other higher-risk products marketed to retail investors.

Anti-Money Laundering – Specialization and Surveillance

No surprise here – fresh off FINRA’s announcement that it will be expanding its new specialized anti-money laundering examinations team to eight people from five, FINRA and the SEC reemphasized their focus on AML issues associated with institutional business. FINRA has identified issues where customers liquidate large blocks of low-priced securities through delivery versus payment/receipt versus payment (DVP/RVP) accounts, raising red flags for AML and for Section 5 of the Securities Act of 1933. Firms that conduct business in low-priced securities should consider the red flags outlined in FINRA’s Regulatory Notice 09-05. The SEC has identified proprietary trading firms that give customers direct market access from higher-risk jurisdictions as an AML risk that it will focus on in the coming year.

FINRA has also identified customer identification issues with respect to DVP/RVP accounts. These accounts meet the definition of an account for Customer Identification Program (CIP) purposes and, absent a formal reliance agreement with the prime broker, the executing broker is responsible for implementing CIP for these customers.

  1. Specialization – Specialization and centralization of high-risk matters appears to be the growing trend at FINRA, as evidenced by the creation of specialized teams in AML, municipal bonds and, most recently, recidivist brokers. In addition to routine FINRA audits, select firms may be subject to stand-alone, targeted examinations by one of these specialized teams. These focused examinations are typically prompted by regulatory tips or by FINRA’s internal surveillance identifying brokers, customers, product types and/or geographic locations in which your firm conducts business as higher risk.
  2. Surveillance – Similar to its National Surveillance Program, FINRA’s AML team will allocate resources to surveillance to assist in the identification of higher-AML-risk financial institutions. By working closely with clearing and introducing firms and through enhanced data analytics, FINRA surveillance will identify firms that pose greater AML risk.

Where Will Your Focus Be?

Ultimately, FINRA’s and the SEC’s National Examination Program priorities are not exhaustive. Every firm has unique risks, issues and policies; the important thing is that your firm uses these priorities letters to gain a regulatory perspective on perceived areas of risk and to help strengthen your compliance and supervisory programs.


Nick Hartofilis, CPA, CRCP, CAMS, is a director in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at

Bao Q. Nguyen is a manager in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at


Part 1: Broker-Dealers – What’s Your Priority for 2014?

With 2013 behind us, now is as good a time as any for broker-dealers to prioritize the higher-risk areas of their compliance programs. As FINRA and the SEC have already begun their announcement calls for their 2014 examination programs, there truly is no rest for the regulatory-weary. FINRA and the SEC recently issued 2014 Examination Priorities Letters to help you focus and allocate your resources to the higher-risk areas of your business and the areas that may be assessed in your upcoming examination.

Suitability and complex products, leveraged loan products, structured products, leveraged exchange-traded funds and notes, variable annuities, cyber-security and data integrity, private placements, anti-money laundering, insider trading, margin lending practices, leverage and liquidity, algorithmic trading, high frequency trading, and alternative trading systems – where do you start?

Here’s an overview of some of the areas that FINRA or SEC examinations may focus on at your firm in the coming year.

Disclosure, Interest Rates, and the New Frontier

FINRA remains concerned about the suitability of recommendations to retail investors for complex products. Complex product disclosures, overconcentration in interest-rate-sensitive products and frontier fund risks are three areas where FINRA has placed an increased focus for 2014.

  1. When in doubt, disclose – Given the growth of complex products, FINRA examination staff will continue to focus on the way in which firms disclose product risks to customers and the policies and procedures around those disclosures. Firms should evaluate their training efforts in this area to ensure that registered representatives are providing a balanced discussion of the product risks and of potential scenarios that may result in customer losses.
  2. Interest rates, nowhere to go but up – As today’s record-low interest rates will not last forever, FINRA has encouraged firms to consider the downside risks to interest-rate-sensitive products and the equities markets that could result from a sudden shift in the interest rate environment. Firms should evaluate customers with near-term liquidity needs who are highly concentrated in higher-duration, fixed-income products. Brokers should be proactive about discussing interest-rate risk with their clients and document client conversations accordingly.
  3. Frontier funds, the new emerging markets – Coming off a disappointing year for emerging market funds due to “taper talk” in the U.S. and slowing growth in emerging market countries, investors may look to frontier markets such as Vietnam, Kuwait and Nigeria for above-market returns. FINRA warns of the heightened risks associated with these markets given political instability, liquidity risk and lower regulatory standards.

Wolf in Sheep’s Clothing

Think twice before hiring brokers with a history of complaints or disclosures for sales practice issues. FINRA will expand its High Risk Broker Initiative in 2014 and create a dedicated enforcement team to expedite the prosecution of recidivist brokers. FINRA examinations will evaluate firms’ hiring efforts, heightened supervision, and the trading practices of such brokers.

In our next blog post, we will look at Conflict Management and the recent expansion of FINRA’s anti-money laundering team.


Nick Hartofilis, CPA, CRCP, CAMS, is a director in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at

Bao Q. Nguyen is a manager in Kaufman Rossin’s Boca Raton, Florida, office. He can be reached at


JOBS Act Infographic: What the Heck is Crowdfunding Anyway?

Still trying to figure out how crowdfunding works and what the JOBS Act is? Thanks to the new crowdfunding platform Fundable and, here’s a handy infographic that explains it all.

The 2012 Jumpstart Our Business Start-ups (JOBS) Act presents entrepreneurs with new options for raising capital. Small businesses and start-ups will no longer have to rely solely on banks, venture capitalists and angel investors for financing.

Crowdfunding evolved from microfinancing and involves soliciting relatively small investments from a very large number of people. Pioneered by charities and arts projects, online crowdfunding platforms help entrepreneurs reach potential investors from around the world.

The JOBS Act empowers businesses to use crowdfunding platforms to raise as much as $1 million in capital per year from individual investors without registering with the Securities and Exchange Commission (SEC).

If you want to find out how crowdfunding could benefit your business when the law fully goes into effect in early 2013, check out this article that my Kaufman, Rossin colleague, Nicole Denny, CPA, MBA, recently wrote for about how entrepreneurs can get ready now to start raising capital via crowdfunding.

Infographic on the JOBS Act and Crowdfunding from


Lisa Cawley Ruiz is a brand journalist at Kaufman, Rossin’s Miami office. Kaufman, Rossin & Co. is one of the top CPA firms in the country. Lisa can be reached at


Are You Sure Your Data is Secure?

You’ve taken the necessary precautions to protect your information from unwanted visitors, but are you absolutely certain your data isn’t being compromised?

Data security breaches are occurring in all types of companies – public, private, large, small, and even governmental agencies such as the Securities and Exchange Commission (S.E.C.). According to a recent article in The New York Times, the very entity which governs and oversees the financial market to ensure regulatory compliance may not have given its own employees the same kind of protection it requires of others. To monitor S.E.C. employees’ investments within the Ethics Program System (E.P.S.), the organization hired Financial Tracking Technologies (F.T.T.). F.T.T. was given access to S.E.C. employees’ brokerage account numbers, financial data and sensitive personal information, and the company subsequently allowed a subcontractor and a consultant access to its system. Although the S.E.C. says it did not grant F.T.T. permission to allow third parties access to its database, F.T.T. argues that it publicly discloses third-party permissions on its website, concluding that a data breach did not occur in this or any other instance.

This situation still begs the question, “are you sure your data is secure?” If the S.E.C. inadvertently put sensitive information at risk, then how can you be sure your third-party providers are not putting your data at risk?

Another surprising move by the S.E.C. is its recent disclosure guidance, which calls for public companies to disclose any potential data security breaches that have an effect on the bottom line, according to the released cybersecurity disclosure guidance. As a result, the public will be forewarned about possibly compromised data, which will be beneficial for investors and others.

Public, private, large, small – whatever the case may be, you should be taking the necessary precautions to ensure that your data is safe and secure.

Jorge Rey is Director of Information Security for Kaufman, Rossin & Co., one of the top CPA firms in the country. He can be reached at