
On October 6, 2020, FINRA issued a Regulatory Notice warning member firms of a widespread, ongoing phishing campaign that involves fraudulent emails purporting to be from FINRA asking member firms to complete a survey.

The email, which appeared to be authentic, was sent from an address at the domain “@regulation-finra.org”, with “info” followed by a number before the domain, e.g., info5@regulation-finra.org. The regulator recommended that anyone who clicked on any link or image in the email immediately notify the appropriate individuals in their firm of the incident.

The domain of “regulation-finra.org” is not connected to FINRA and firms should delete all emails originating from this domain name.

SEC-registered investment advisers and exempt reporting advisers should take note, as FINRA manages and administers the Investment Adviser Registration Depository (“IARD”). Firms using this web-based interface will be familiar with receiving emails with the domain of “@finra.org”. These include, but are not limited to:

  • SECIARDNotifications@finra.org
  • FINRAentitlement@finra.org
  • DoNotReplyEBill@finra.org
  • PFRDSupport@finra.org
  • FINRAPubAccounts@finra.o

 

FINRA has reminded firms to verify the legitimacy of any suspicious email prior to responding to it, opening any attachments or clicking on any embedded links.
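
A mail-filter check for the sender domains described above, as an added example that is not part of the FINRA notice or of this article. The verdict names, the treatment of finra.org subdomains as legitimate and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

LEGIT_DOMAIN = "finra.org"             # domain the article lists for IARD mail
PHISH_DOMAIN = "regulation-finra.org"  # domain named in the Regulatory Notice
BRAND = "finra"

# Constructed sample messages (not real mail); the .example domains are placeholders.
SAMPLES = {
    "campaign": "From: FINRA <info5@regulation-finra.org>\nSubject: Survey\n\nx",
    "iard": "From: SECIARDNotifications@finra.org\nSubject: Notice\n\nx",
    "suffix_trick": "From: Support <help@finra.org.mail.example>\nSubject: Hi\n\nx",
    "display_only": 'From: "FINRA Notifications" <alerts@mail.example>\nSubject: Hi\n\nx',
    "unrelated": "From: Vendor <billing@vendor.example>\nSubject: Invoice\n\nx",
}


def classify_sender(raw_message: str) -> str:
    """Classify the From header as known-phish, legitimate-domain, lookalike or unrelated."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.lower().rpartition("@")[2].rstrip(".")
    if domain == PHISH_DOMAIN:
        return "known-phish"            # delete, per the notice
    # Exact match or a true subdomain only; "finra.org.mail.example" must not pass.
    if domain == LEGIT_DOMAIN or domain.endswith("." + LEGIT_DOMAIN):
        # Header match only: From can be forged, so SPF/DKIM/DMARC results still apply.
        return "legitimate-domain"
    if BRAND in domain or BRAND in display.lower():
        return "lookalike"              # brand name on a domain that is not finra.org
    return "unrelated"


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:13} {classify_sender(raw)}")
```
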

The SEC has also issued guidance on cybersecurity and phishing for both registered investment advisers and investment companies.

In the regulator’s view, there are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risk, including the following, to the extent they are relevant:

  1. Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3) security controls and processes currently in place; (4) the impact should the information or technology systems become compromised; and (5) the effectiveness of the governance structure for the management of cybersecurity risk. An effective assessment would assist in identifying potential cybersecurity threats and vulnerabilities so as to better prioritize and mitigate risk.
  2. Create a strategy that is designed to prevent, detect and respond to cybersecurity threats. Such a strategy could include: (1) controlling access to various systems and data via management of user credentials, authentication and authorization methods, firewalls and/or perimeter defenses, tiered access to sensitive information and network resources, network segregation, and system hardening; (2) data encryption; (3) protecting against the loss or exfiltration of sensitive data by restricting the use of removable storage media and deploying software that monitors technology systems for unauthorized intrusions, the loss or exfiltration of sensitive data, or other unusual events; (4) data backup and retrieval; and (5) the development of an incident response plan. Routine testing of strategies could also enhance the effectiveness of any strategy.
  3. Implement the strategy through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures. Firms may also wish to educate investors and clients about how to reduce their exposure to cyber security threats concerning their accounts.

This last point underlines that registered investment advisers, investment companies and FINRA-member firms should develop a communications strategy for their staff, clients and investors that covers how the firm communicates, what information is typically requested and the manner in which it is requested, and how the firm does not communicate or request information.

According to Verizon’s 2020 Data Breach Investigations Report, 22% of breaches in 2019 involved phishing.
