Attorney Tips
February 2, 2025
Role-Based Access Controls as a Cybersecurity Tool
A strong cybersecurity program must consider both external and internal threats to sensitive data. One highly effective strategy is implementing Role-Based Access Control (RBAC), which limits access to client information based on an employee’s specific role.
RBAC restricts access to only those individuals who need the information to perform their job duties, reducing the risk of overly broad access, a common vulnerability that attackers exploit to gain a foothold.
Here are three key factors that make a strong RBAC program.
RBAC provides strong safeguards for client data and demonstrates compliance to regulators. For help strengthening your cybersecurity program, please contact us at 619.298.2880 or email [email protected].
Cybersecurity Tip: Managing AI Agent Risks in Financial Services
As Investment Advisers, Broker-Dealers, Private Funds and others in the financial services industry adopt AI agents for compliance, client service, and analytics, new cybersecurity threats emerge, especially around AI model breaches.
Threat actors may target AI systems through:
– Model Inversion Attacks: reconstructing sensitive training data, such as trading strategies, from AI outputs.
– Data Poisoning: malicious data injected during training to manipulate model behavior or leak sensitive information.
– Prompt Injection: crafted user inputs that override safeguards to access internal systems or data.
Actionable Safeguards:
– Restrict Access: Limit who can interact with or modify AI systems.
– Secure Training Data: Ensure data used to train AI models is encrypted, anonymized where possible, and free from proprietary or personal information.
– Monitor Model Behavior: Implement ongoing monitoring for unusual outputs or access patterns.
– Vendor Due Diligence: Vet AI vendors thoroughly. Confirm their cybersecurity protocols align with SEC/FINRA expectations.
– Incident Response Planning: Update your cybersecurity policies to include AI-related threats and clearly define response steps.
AI offers powerful efficiency but also creates new risks. Staying ahead of model-specific threats is critical to protecting data integrity and meeting regulatory expectations.
Incorporate AI-Specific Risks into Your Cybersecurity Framework
As the securities and financial services industries continue to integrate AI tools into investment workflows, from predictive analytics to client communications, advisers must treat these tools as cybersecurity assets subject to regulatory scrutiny.
Key Legal Considerations:
– Under the SEC’s 2023 Cyber Risk Management Rule, advisers must evaluate and document risks from all systems, including AI, that affect client data or operations.
– Regulators increasingly expect transparency around algorithmic decision-making and data handling.
Action Items:
1. Update policies to include AI in your cybersecurity governance and incident response plans.
2. Perform AI risk assessments that examine:
– Data privacy: Does the AI access or infer sensitive client data?
– Model integrity: Is there a risk of adversarial manipulation or model drift?
– Third-party exposure: Are vendors using secure, compliant models?
– Auditability: Can you explain and reproduce AI-driven decisions?
3. Review contracts to ensure AI vendors meet SEC cybersecurity standards and provide breach notification obligations.
Ignoring AI-specific risks may lead to compliance gaps, operational failures, or enforcement actions.
Responsible Use of AI Intelligent Agents in the Securities Industry
Artificial Intelligence (AI) Intelligent Agents (Algorithmic Trading Systems, AI/Machine Learning Models or Automated Investment Tools) are rapidly becoming part of the securities industry’s operational setup, from trade execution to compliance surveillance and client communication. But without proper governance, these tools can introduce regulatory, operational, and reputational risks.
Intelligent Agents should be governed as regulated participants, not just digital tools. Firms should approach them as high-tiered digital employees, with assigned responsibilities, monitored actions, and enforced accountability.
Action Items & Compliance Risk Mitigation:
• Supervisory Controls: Apply FINRA Rules 3110/3120 to Intelligent Agent activity. Implement logs, alerts, and audit trails.
• Digital Personnel Files: Maintain Intelligent Agent “profiles” with documented use case, data access, model lineage, and risk tier.
• Employee-Level Governance: Treat Intelligent Agents like high-sensitivity employees. Monitor behaviors, apply access controls, and regularly review for misconduct or drift.
• Explainability Standards: Enforce decision transparency, especially in client-facing logic or trading algorithms.
• Licensing Awareness: Evaluate whether Intelligent Agent functions require registered rep oversight or trigger licensing obligations.
• Human Oversight: Maintain active, qualified human supervision over Intelligent Agent activities. AI must support, not replace, compliance accountability.
• AI Incident Playbooks: Update cybersecurity response plans to include anomalies, data misuse, or model failure.
If you are considering or have implemented AI Intelligent Agents, we encourage you to review internal protocols to ensure compliance. For assistance, give us a call at 619.298.2880 or email [email protected].
Roadmap for Evolving Cybersecurity Regulations
The financial services sector continues to face mounting regulatory scrutiny and cybersecurity threats. RIAs, Broker-Dealers, and Investment Advisers must establish a comprehensive cybersecurity roadmap to meet evolving obligations under the applicable regulations. Below is a sample five-year plan:
Year 1:
• Implement MFA across all internal systems
• Encrypt all stored client data
• Review and update cyber insurance coverage
• Maintain a current, written Incident Response Plan
Year 2:
• Strengthen endpoint detection tools
• Upgrade firewalls with advanced technology
Year 3:
• Conduct breach simulations to train staff
• Engage a trusted Managed Detection & Response provider with 24/7 monitoring
Year 4:
• Appoint a dedicated Privacy Officer
• Track compliance in line with jurisdictional regulations
Year 5:
• Provide clients with a secure portal and document vault
• Launch real-time fund dashboards for enhanced transparency
Cybersecurity Obligations: Implementing Regulation S-P
The SEC’s amendments to Regulation S-P significantly heighten cybersecurity obligations for financial firms. By December 3, 2025 (or June 3, 2026 for smaller entities), firms must have a comprehensive incident response program to detect, respond to, and recover from unauthorized access to customer information.
Key requirements include:
– Incident Response Program – Establish written policies to address data breaches and unauthorized access.
– Customer Notification – Notify affected individuals within 30 days of discovering unauthorized use of sensitive information.
– Service Provider Oversight – Ensure third-party vendors handling customer data maintain strong security measures.
Failure to comply could result in enforcement actions and reputational harm. Start now by reviewing your cybersecurity policies, vendor agreements, and incident response procedures to ensure compliance. The deadline may seem distant, but early preparation is critical.
For assistance with your cybersecurity compliance or to assess your firm’s readiness and mitigate risks, please call 619.298.2880 or email [email protected].
Importance of Implementing a Comprehensive Cyber-Attack Response Plan
Developing and maintaining a comprehensive cyber-attack response plan is essential for mitigating damage, ensuring swift response and recovery, maintaining integrity of operations, and meeting SEC and other regulatory agencies’ compliance requirements.
For those in the financial services sector, a comprehensive incident response plan should be created to guide the organization through the steps necessary to identify, contain, and mitigate the effects of a security breach. This plan must include:
– Communication Strategies: A clear approach for notifying affected clients, regulatory bodies, and internal stakeholders. These communications should be timely, transparent, and compliant with regulatory obligations to ensure proper disclosure and mitigate potential reputational harm.
– Regular Testing and Mock Scenarios: To ensure readiness, the plan should be tested through regular drills that simulate real-world cyber-attacks. This prepares staff to act quickly and efficiently under pressure, minimizing the potential impact of the breach.
– Proactive Threat Preparedness: Taking proactive measures to strengthen defenses against cyber threats not only reduces downtime but also ensures that client data remains secure. This enhances confidence among clients and regulators, fostering trust and maintaining the firm’s reputation.
Preparing for cyber incidents ahead of time can significantly reduce the impact of security breaches and ensure a quicker recovery while maintaining compliance and client trust.
MFA in Cybersecurity Compliance
Multi-factor authentication (MFA) is essential for enhancing security and meeting regulatory compliance in the finance sector. By requiring multiple forms of verification before granting access, MFA adds a layer of protection that reduces the risk of unauthorized access, even if passwords are compromised. It is vital for complying with regulations such as SEC Regulation S-P, FINRA Rule 4370, and the Gramm-Leach-Bliley Act, which mandate robust security measures for protecting financial data.
Key action steps for MFA compliance include:
For help with your cybersecurity policies and protocols, contact us at 619.298.2880 or email [email protected].
Kathryn Konzen, Esq., is the Director of Operations and Counsel at Jacko Law Group, PC. With over 15 years of experience in the legal profession, Ms. Konzen brings a diverse range of expertise in area...