All of you who use Equifax to conduct a part of your CIP responsibilities, raise your hands. OK, now, only to those of you whose hands are in the air: how many of you have checked your firm’s incident response plan to determine the steps that need to be taken in the event of a breach of your customer confidentiality obligations? I am betting that there are very few hands left in the air. And that could be a problem for you.
There have been a lot of articles published about what to do as a consumer if you are among the 145 million Americans whose data got hacked from Equifax. But, lost in all the excitement is the fact that BDs who utilize Equifax to run checks on new customers to satisfy CIP obligations – and that may be a lot, given that FINRA essentially endorsed Equifax for that role in Notice to Members 02-21 – may have exposed those customers’ information to the hackers. And, as a result of that, you could have a variety of reporting obligations which, if you fail to recognize them, could land you in regulatory hot water.
In the event that a BD experiences a breach, it is possible it could have no disclosures to make, or several, depending on where it is located and the nature of the information at issue. This is a function of the fact that disclosure obligations are imposed by state law, among other things. Forty-eight states – all but Alabama and South Dakota – have statutes requiring that customers impacted by the revelation of PII, or personally identifiable information, must be notified. Thus, whether a breach has occurred that requires notification will vary from state to state, and so, if notification is required, will the method of disclosure, the timing of the disclosure, and who receives the disclosure (not to mention the penalty for not making a required disclosure). Do not presume that FINRA or the SEC will tell you what to do, or that they will give you a pass just because the size of this breach is so big and has been so widely reported.
In guidance that FINRA has previously supplied in connection with cybersecurity, specifically, the 2015 Report on Cybersecurity Practices, it was pointed out that notification of a breach could very well include “customers, regulators, law enforcement, intelligence agencies, [and] industry information-sharing bodies.” This is because “[f]irms may have notification obligations pursuant to, for example, Regulation S-ID, state reporting requirements and FINRA rules,” in particular, FINRA Rule 4530(b). In addition, according to FINRA, even if a cybersecurity incident does not trigger a reporting obligation, firms are “urged” to report such an incident “to their regulatory coordinator,” and FINRA stressed that “the information must be accurate and not misleading.”
This all boils down to a point I made in a blog post earlier this week: handling potentially troublesome compliance issues at a FINRA member firm in 2017 is, basically, a do-it-yourself proposition. You simply cannot count on FINRA to provide useful guidance or assistance. Indeed, what you can count on is FINRA pointing fingers at you if you don’t manage to do things correctly. Here, the Equifax breach appears to have been the fault of Equifax, not any of the BDs who have contracted with it to provide services. Yet, despite the absence of any fault, this breach may have nevertheless created significant regulatory implications for BDs across the country.
So, do your homework. Check your incident response plan – assuming that you have one. If you don’t, now is as good a time as any to prepare one. If you have reports to make, get them in as quickly as possible. And paper up everything you do. Remember: (1) Spot the red flag. (2) Investigate the red flag. (3) Document the fact that you did both. And then keep your fingers crossed that whatever you do is enough to make FINRA happy.