In Case You Missed Them

November 15, 2022    Compliance & Licensing

Cybersecurity
Cybersecurity is the practice of protecting networks, systems, hardware and data from digital attacks. It encompasses everything pertaining to protecting sensitive data – personally identifiable information (“PII”), protected health information (“PHI”), personal information, intellectual property, data, and industry information systems – from theft and damage attempted by criminals and adversaries.

This Field Notice outlines some important best practices around ESI’s cybersecurity requirements. For more best practices and guidance, please review Field Notice 2021-09 Cybersecurity and ESI’s Written Supervisory Procedures.

Branch Cybersecurity Policy
It is recommended that each branch have a documented cybersecurity policy. Here are some items to consider including in the policy:

  1. What to do if there is a cybersecurity-related issue
    To report an incident, please contact your supervisor. In coordination with your supervisor, please contact ESI Compliance (esicompliance@nationallife.com) to report. Cybersecurity-related issues may include, but are not limited to:
    • email hacking
    • password compromise
    • computer hacking
    • computer/device theft or loss
    • Other situations, whether caused by humans or technology, that resulted or could result, in the exposure of confidential information to unauthorized parties 
  2. Vetting third party IT providers or resources
    The ESI Confidentiality Agreement is required whenever a third-party or outside service provider may have access to ESI’s confidential client information or records. Examples of third-party services may include, but are not limited to, shredding services, document storage facilities, office cleaning services, or IT service providers.
    When using outside third-party IT resources, in addition to obtaining a confidentiality agreement, the vendor should be adequately assessed to ensure that they have effective security practices.
  3. Inventory of Assets
    It is recommended that you create and maintain a technology inventory. This should include computers, laptops, scanners, tablets, phones, printers, etc. In case an issue arises, this inventory will help you understand what asset has gone missing or has been impacted and who it belonged to.

Important Reminders
Below is a list of important reminders around security and protection of information:

  • Scanners must be linked to an NLG email: When scanning documents, the scanner must be linked to an NLG email address for the security of the information being scanned. When utilizing a phone or other device to scan or take a photo of documents, such devices must be encrypted and linked to an NLG email address. Outside email addresses may not be encrypted or as secure as your NLG email. 
  • Sharing of passwords is prohibited: Passwords may not be shared for any reason. This includes providing an NRF passwords for an RR’s computer, email, or online system to access client information.
  • Accessing client accounts is prohibited: RRs and NRFs are not permitted to obtain passwords from a client to access a client’s account information or other PII (even with the client’s permission). Only clients may access their own accounts.
  • Email encryption: National Life encrypts email for all outgoing electronic mail that contains PII: ABA routing numbers, credit card numbers, social security numbers, federal tax IDs, and policy numbers. When sending a message with sensitive information, you must use your National Life email account and type “[PRIVATE]” in the subject line to enable the encryption of the message.
  • Phishing emails: Be mindful of suspicious email from unknown senders. Such email may have spelling or grammatical errors or create a sense of urgency. Additionally, never open an email attachment unless it comes from a trusted source. Home office employees may report potential phishing email by clicking the “Phish Alert Report” button within Outlook. Field representatives may forward the email as an attachment to spam@nationallife.com.

Anti-Virus and Encryption
Everyone associated with ESI must have anti-virus software on all computers that access or store clients’ PII. In addition, all portable devices and external media (e.g. zip drive, flash drive, mobile phone, laptop, disks) that access or store clients’ PII must be encrypted. Backup drives should be encrypted to prevent unauthorized access in the event they are stolen or lost.

Anti-virus/anti-malware software vendors that are compliant with Entreda: 

  • AVAST! Software    
  • AVG Technologies
  • BitDefender 
  • Checkpoint
  • Crowdstrike Falcon
  • Fortinet
  • Cylance Protect
  • ESET
  • Kaspersky
  • Malwarebytes Premium
  • McAfee
  • Windows Defender
  • Panda Security
  • SentinelOne
  • Symantec Corp.
  • Norton360
  • Sophos
  • Trend Micro
  • Vipre Anti-Virus
  • Webroot
  • Zone Alarm

Encryption vendors that are compliant with Entreda:

  • Microsoft BitLocker Encryption
  • McAfee
  • Sophos
  • Symantec (full disk encryption only)

Entreda
Everyone is required to have the Entreda Unify System (“Entreda”) software installed on all computers and laptops that access or store clients’ PII or are used to access the agent portal. Entreda monitors the security of the computer system, including any key security control deficiencies status deficiencies.

Once installed, Entreda calculates a security risk score based on certain criteria including auto-screen lock, WiFi, password, and encryption settings, among other factors. A device must maintain a passing score of 660 or above to be compliant. Failure to install Entreda or maintain a passing score of 660 will prevent users from accessing the agent portal. Please refer to FN 2021-19 Entreda Unify Systems for more details.

If you no longer utilize a device for business purposes, all ESI data must be permanently removed from that device. Once removed, please contact Rich Whalen (rwhalen@nationallife.com) to confirm and allow him to remove the device from Entreda reporting.

Questions
If you have any cybersecurity-related questions, please contact your supervisor. 

Private Placement Offerings
Equity Services, Inc. (“ESI”) permits its Registered Representatives and Investment Adviser Representatives (collectively “Representatives) to invest in private placement offerings for their own accounts.  However, ESI’s Code of Ethics requires that all RRs and IARs obtain approval BEFORE investing in a private placement offering. This notice is a reminder of ESI’s process for the review and approval of private placement offerings.

Procedure
Requests for review of a private placement offering should be emailed to the ESI Compliance team at ESICompliance@nationallife.com. With the initial request, include a copy of the offering statement and/or subscription agreement and any other collateral materials you have which describe the program.

Once the necessary information has been received, ESI will complete its review and approve or deny the request. If approved, the Representative will receive an Approval and Stipulation Letter (along with instructions on how to confirm the transaction in Star Compliance) which they must sign and return to Compliance before investing. The letter enumerates the conditions under which they may participate in the offering (see “Stipulations” below).  If denied, the Representative will be notified of the reason for the denial in writing.

You may not invest any capital in a private placement offering prior to receiving approval from ESI. To do so is a violation of ESI’s Code of Ethics and could subject you to disciplinary action. Once you are approved to participate in a program, future additional investments in the same program do not require pre-approval but must be entered into Star Compliance for review by Compliance and for quarterly and annual reporting.

IAR Quarterly Reporting
For IARs, private placements are reportable on the Quarterly Transaction Report covering the quarter in which the transaction occurred, as well as on the Annual Holdings Report, for as long as the holding is maintained.

If the request is approved, the initial transaction and holdings information will automatically populate the quarterly and annual reports, as appropriate.  NOTE:  Private placements are not included on any brokerage firm data feed.  Consequently, any subsequent transactions (buy/sell) in the holding must be manually entered into Star Compliance via the “Private Transactions” tile.

Stipulations
The list below represents the standard stipulations that accompany approval to participate in a private placement offering.  The Firm reserves the right to add any additional stipulations, as warranted.

  • Your insurance and investment businesses are separate and not connected to the investment.
  • ESI understands that you are not aware of any current ESI clients who are investors in the private investment.
  • To the extent any clients may be investors in the proposed private placement, you represent that you have had no involvement with their decision to invest.
  • The private placement offering should not be offered by you or your spouse to any clients, potential clients, or affiliated representatives of ESI or National Life.
  • You will not refer anyone to the proposed private placement to participate in the investments.
  • The private placement offering should not be discussed with ESI or National Life representatives and/or agents.
  • The approval to invest should, in no way, be considered an endorsement of the offering. ESI does not review or approve the merits of private placement offerings. 
  • The transaction must be disclosed on your Quarterly Transaction Report for the quarter in which the transaction is executed, and on your annual personal securities holding report for as long as you hold the security.
  • You represent that you are a passive investor in the private placement and have or will have no role in running the business.
  • You acknowledge your understanding that additional investments in a private placement requires prior review and approval by ESI.

Clients’ Investments in Private Placements
Currently, ESI does not offer private placements. As such, Registered Representatives and Investment Adviser Representatives are prohibited from offering, recommending, evaluating, or in any way facilitating a client to invest in a placement offering. A Representative who facilitates an investment in, or refers a prospect to, a private placement offeror is considered to have engaged in an unapproved private securities transaction, or “selling away”. This includes even just introducing a potential investor to an underwriter or offeror for a private placement. Selling away is a serious FINRA rule violation, and often results in significant regulatory sanctions.

Questions
If you have any questions about this requirement, please contact ESI Compliance, at 800-344-7437.

TC129793(1122)1