2018 examination priorities of the SEC’s OCIE announced: Evidence gathering for SEC enforcement actions

By: Steve Levine, Esq., Senior Vice President, Alliant

Examination priorities for the upcoming year were announced by the U.S. SEC Office of Compliance Inspections and Examinations (“OCIE”) in early February 2018.

The OCIE broke down their current priorities into five categories:

  • Compliance and Risks in Critical Market Infrastructure
  • Matters of Importance to Retail Investors*
  • FINRA and MSRB
  • Cybersecurity*
  • Anti-Money Laundering Programs

*Retail investor issues and cybersecurity are “carryover” priorities from 2017.

The OCIE conducts the SEC’s National Exam Program. The OCIE has examination responsibilities for over 28,000 registrants including, among others, investment advisers, mutual funds and ETFs, broker-dealers, transfer agents, national securities exchanges and FINRA.

The OCIE’s role is to improve compliance, prevent fraud, monitor risk and inform policy. The SEC uses examination results to improve industry practices, both by identifying and monitoring risks and by pursuing misconduct. The OCIE shares its findings with the SEC Chairperson, the Commissioners, and other SEC divisions, including the SEC Division of Enforcement. While the OCIE conducts examinations, it neither makes policy nor conducts enforcement proceedings.

One of the “carryover” issues pertains to the examination of advisers and broker-dealers that offer investment advice to retail investors through “robo-advisers” and other automated platforms.

With respect to cybersecurity, the OCIE will likely remain focused on these issues for the foreseeable future, with examinations concentrating on risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response procedures.

Of the new priorities highlighted by the OCIE, the most interesting is the expected examination of whether SEC-regulated entities are adapting their Anti-Money Laundering (“AML”) programs in light of new rules recently promulgated by the U.S. Treasury Financial Crimes Enforcement Network. Examiners are expected to review compliance with AML requirements, including whether firms are in fact adapting their AML programs in accordance with regulatory requirements. While the AML rules and regulations are not issued by the SEC, it is against the law to conduct financial transactions with persons and companies on the sanctions list. The OCIE would, therefore, expect that, at a minimum, advisers check their investors and clients against such sanctions lists.

The OCIE may add additional priorities as market conditions develop over the course of the year and as the OCIE identifies emerging risks.

Fraudulent impersonation and cyber insurance

By: Cara Murray, Assistant Vice President, Alliant

The Treasurer gets an email from the CEO directing that money be wired out in connection with a hot new deal. Or a vendor emails a new invoice with updated wire transfer instructions. The money is sent. Except, the directions did not come from the CEO, and the invoice did not come from the vendor. These communications came from someone fraudulently impersonating them. The money has been stolen.

This “employee gets tricked into voluntarily sending money to a thief” kind of situation is what social engineering (or operational failure) fraud coverage responds to. Since the money has been stolen, a crime policy is the obvious first avenue of potential recovery. This is also the first place where insurers initially tried to deny coverage and then crafted policy language to provide the coverage, often with a sublimit and for an additional premium.

Another place a company may think to look for coverage in these social engineering fraud events is a network security and privacy / cyber policy. As many of these fraudulent instructions come via falsified email addresses or through compromised email accounts, the issue is sometimes viewed as a cyber issue. That said, cyber policies tend to explicitly exclude loss of funds/monies/securities. That’s the main differentiator between cyber coverage and crime coverage when it comes to computer hacking – cyber covers the loss of data, crime covers the loss of money. Increasingly, though, insurers are offering to add social engineering fraud / fraudulent instruction coverage onto cyber policies.

In order to have fraudulent instruction coverage under a cyber policy, the exposure has to be specifically endorsed onto the policy. Several carriers offer endorsements on their cyber forms that carve back the exclusionary language to provide coverage for the loss of money resulting from a fraudulent instruction event. As on crime policies, the fraudulent instruction coverage endorsed onto cyber policies is usually a sublimit.

Fraudulent instruction coverage as part of a cyber policy falls under the “First Party Coverages,” where it is added as its own insuring agreement most of the time, because the coverage is so different from what would otherwise be available under a cyber policy. The coverage triggers the same way it would in a crime form: when there is a fraudulently induced transfer of money based on instruction from someone purporting to be an authorized employee, outsourced provider, or customer of the insured, but who was not actually one of those parties.

So why would an organization want to have this coverage attached to its cyber policy rather than its crime coverage? A few differences in the structure of each kind of coverage suggest different strategies when it comes to overlapping coverage. First, the deductible – it is not uncommon for a company’s deductible on one of its cyber or crime coverages to be lower than on the other. Second, the limits – cyber carriers tend not to offer sublimits as high as those available on the crime side. Additionally, a company that has coverage under both the cyber and the crime policies effectively raises the total limit available for a fraudulent instruction event. Third, the policy type – crime coverage does not always have an aggregate limit, so the sublimit applies on a per-occurrence basis, whereas in cyber policies the sublimit is offered as a single aggregate for the full policy period.

As there can be coverage for this kind of exposure under both the crime and cyber policies, it is also possible for a company to have coverage in both places. In such situations, one of the policies will need to be amended to specify that it will respond first in the case of a fraudulent instruction event. The decision of which policy should respond first will depend on the structural differences mentioned above.

With the right coverage, the story doesn’t have to end at “the money was stolen.”