On October 6, 2020, FINRA issued a Regulatory Notice warning member firms of a widespread, ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA asking member firms to complete a survey.
The email, which appeared to be authentic, was sent from the domain “regulation-finra.org”, with a local part consisting of “info” followed by a number. The regulator recommended that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.
The domain of “regulation-finra.org” is not connected to FINRA and firms should delete all emails originating from this domain name.
SEC-registered investment advisers and exempt reporting advisers should take note, as FINRA manages and administers the Investment Adviser Registration Depository (“IARD”). Firms using this web-based interface will be familiar with receiving emails from the domain “@finra.org”. These include, but are not limited to:
FINRA has reminded firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links.
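The notice turns on a simple fact: the legitimate sender domain is “finra.org”, while the phishing domain “regulation-finra.org” merely contains the regulator’s name. The following script is an added example, not code from FINRA or the original notice, showing how a firm’s mail-triage tooling can check a From: header against the legitimate domain and flag lookalike domains and display-name impersonation. The sample headers, the `classify_sender` and `triage` function names, and the subdomain “alerts.finra.org” are all constructed for illustration.

```python
"""Flag e-mail senders that impersonate a regulator's domain.

Added example (not part of the FINRA notice). Given the legitimate domain
and a raw From: header value, classify the sender as 'legitimate',
'lookalike', 'unrelated' or 'unparseable'. Sample data is constructed.
"""
from email.utils import parseaddr

# The only domain the notice identifies as genuinely belonging to FINRA.
LEGITIMATE_DOMAIN = "finra.org"


def classify_sender(from_header: str, legit_domain: str = LEGITIMATE_DOMAIN) -> str:
    """Classify a From: header value relative to legit_domain.

    'legitimate'  - address is on legit_domain or one of its subdomains
    'lookalike'   - brand name appears in a foreign domain or display name
    'unrelated'   - no reference to the brand at all
    'unparseable' - header carries no usable address
    """
    display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"

    _, domain = addr.rsplit("@", 1)
    domain = domain.lower().rstrip(".")  # normalise case and trailing dot
    legit_domain = legit_domain.lower()

    # Exact domain or a genuine subdomain (e.g. alerts.finra.org, constructed).
    if domain == legit_domain or domain.endswith("." + legit_domain):
        return "legitimate"

    # Brand token, e.g. "finra" from "finra.org". Strip separators so that
    # "regulation-finra.org" and "fin-ra.org" are both caught.
    brand = legit_domain.split(".")[0]
    stripped_domain = domain.replace("-", "").replace("_", "").replace(".", "")
    if brand in stripped_domain:
        return "lookalike"

    # Display-name impersonation: "FINRA Survey <x@other.example>".
    if brand in display_name.lower():
        return "lookalike"

    return "unrelated"


def triage(headers: list[str]) -> dict[str, str]:
    """Map each From: header to its verdict; lookalikes are candidates for deletion."""
    return {h: classify_sender(h) for h in headers}


# Constructed sample headers; the regulation-finra.org domain is the one
# named in the notice, the others are invented for the example.
SAMPLE_HEADERS = [
    "IARD Notifications <noreply@finra.org>",
    "alerts@alerts.finra.org",
    "FINRA Survey <info12345@regulation-finra.org>",
    "FINRA Compliance <survey@mailer.example>",
    "Bob <bob@example.com>",
    "not an address",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_HEADERS).items():
        print(f"{verdict:<12} {header}")
```

The brand-token match is deliberately broad and will produce some false positives (any unrelated domain that happens to contain the letters “finra”), which is the right trade-off for a triage filter that routes messages to a human rather than one that deletes silently. Internationalised (punycode) domains and homoglyph lookalikes need additional normalisation that this example does not attempt.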
The SEC has also issued guidance on cybersecurity and phishing for both registered investment advisers and investment companies.
In the regulator’s view, there are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following, to the extent they are relevant:
- Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.
- Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing could also enhance the effectiveness of any such strategy.
- Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cybersecurity threats concerning their accounts.
This last point underlines that registered investment advisers, investment companies and FINRA member firms should develop a communications strategy, covering staff as well as clients and investors, that sets out how the firm communicates, what information it typically requests and the manner in which it requests it, and how the firm does not communicate or request information.
According to Verizon’s 2020 Data Breach Investigations Report, 22% of breaches in 2019 involved phishing.