SEC Names Gabriel Benincasa As Its First Chief Risk Officer

Press Release


Washington D.C., Feb. 28, 2019 —

The Securities and Exchange Commission today announced that Gabriel Benincasa has been named the Commission’s first Chief Risk Officer.  This position was created by SEC Chairman Jay Clayton to strengthen the agency’s risk management and cybersecurity efforts.

As Chief Risk Officer, Mr. Benincasa will coordinate the SEC’s continued efforts to identify, monitor, and mitigate key risks facing the Commission.  Working within the SEC’s Office of the Chief Operating Officer, he will also serve as a key adviser on other matters related to enterprise risks and controls.  Julie Erhardt, who had been serving as Acting Chief Risk Officer while the SEC completed its recruitment efforts, will return to her role as Deputy Chief Accountant for Technology and Innovation in the Commission’s Office of the Chief Accountant.

“Establishing the Chief Risk Officer position at the SEC is an important step forward in our continuing efforts to strengthen the agency’s risk management program,” said Chairman Jay Clayton.  “Gabe is an experienced senior leader with deep risk, legal, compliance, and financial markets expertise.  I am certain we will benefit from his advice and insights.  I also want to thank Julie for giving us a running start on this initiative.”

“I look forward to working with Gabe to maintain a robust risk management program at the agency,” said Ken Johnson, the SEC’s Chief Operating Officer.  “Gabe’s strong background in risk management positions him well to help the SEC continue to evaluate a wide range of current and emerging challenges, whether related to our markets, cybersecurity, or our own operations.”

Mr. Benincasa added, “It is an honor to serve America’s investors and markets as the SEC’s first Chief Risk Officer.  I look forward to joining the team and building upon existing programs to help the agency tackle current and future challenges.”

Mr. Benincasa brings to the SEC significant experience in senior leadership roles in risk and compliance in the financial sector. He began his legal career as an attorney at Davis Polk & Wardwell before working for Morgan Stanley and other financial firms. He has served in roles including as Director of Enterprise Risk Management and Vice Chair of the Risk Control Committee for a financial services holding company; Deputy Global Head of Operational Risk Management for an investment bank; General Counsel and Chief Compliance Officer for an institutional asset management company; and Global Head of Compliance for a financial technology company.

Mr. Benincasa is an attorney and a Certified Public Accountant. He earned his J.D. from Fordham Law School and a Bachelor’s in Business Administration from Baruch College.

SEC Investigative Report: Public Companies Should Consider Cyber Threats When Implementing Internal Accounting Controls

Washington D.C., Oct. 16, 2018 —

The Securities and Exchange Commission today issued an investigative report cautioning that public companies should consider cyber threats when implementing internal accounting controls. The report is based on the SEC Enforcement Division's investigations of nine public companies that fell victim to cyber fraud, losing millions of dollars in the process.

The SEC's investigations focused on "business email compromises" (BECs) in which perpetrators posed as company executives or vendors and used emails to dupe company personnel into sending large sums to bank accounts controlled by the perpetrators. The frauds in some instances lasted months and often were detected only after intervention by law enforcement or other third parties. Each of the companies lost at least $1 million, two lost more than $30 million, and one lost more than $45 million. In total, the nine companies wired nearly $100 million as a result of the frauds, most of which was unrecoverable. No charges were brought against the companies or their personnel.

The companies, which each had securities listed on a national stock exchange, covered a range of sectors including technology, machinery, real estate, energy, financial, and consumer goods. Public issuers subject to the internal accounting controls requirements of Section 13(b)(2)(B) of the Securities Exchange Act of 1934 must calibrate their internal accounting controls to the current risk environment and assess and adjust policies and procedures accordingly. The FBI estimates fraud involving BECs has cost companies more than $5 billion since 2013.

"Cyber frauds are a pervasive, significant, and growing threat to all companies, including our public companies," said SEC Chairman Jay Clayton. "Investors rely on our public issuers to put in place, monitor, and update internal accounting controls that appropriately address these threats."

Stephanie Avakian, Co-Director of the SEC Enforcement Division, said, "In light of the facts and circumstances, we did not charge the nine companies we investigated, but our report emphasizes that all public companies have obligations to maintain sufficient internal accounting controls and should consider cyber threats when fulfilling those obligations."

The issuance of the SEC's report coincides with National Cybersecurity Awareness Month.

In consultation with the Division of Corporation Finance and the Office of the Chief Accountant, the SEC's investigations were conducted by Brent Wilner, Creighton Papier, and Maria Rodriguez, and supervised by Diana Tani, John Berry, and Michele Layne of the Los Angeles Regional Office.


SEC Charges Firm With Deficient Cybersecurity Procedures

Washington D.C., Sept. 26, 2018 —

The Securities and Exchange Commission today announced that a Des Moines-based broker-dealer and investment adviser has agreed to pay $1 million to settle charges related to its failures in cybersecurity policies and procedures surrounding a cyber intrusion that compromised personal information of thousands of customers.

The SEC charged Voya Financial Advisors Inc. (VFA) with violating the Safeguards Rule and the Identity Theft Red Flags Rule, which are designed to protect confidential customer information and protect customers from the risk of identity theft.  This is the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule.

According to the SEC’s order, cyber intruders impersonated VFA contractors over a six-day period in 2016 by calling VFA’s support line and requesting that the contractors’ passwords be reset. The intruders used the new passwords to gain access to the personal information of 5,600 VFA customers.  The SEC’s order finds that the intruders then used the customer information to create new online customer profiles and obtain unauthorized access to account documents for three customers.  The order also finds that VFA’s failure to terminate the intruders’ access stemmed from weaknesses in its cybersecurity procedures, some of which had been exposed during prior similar fraudulent activity.  According to the order, VFA also failed to apply its procedures to the systems used by its independent contractors, who make up the largest part of VFA’s workforce.

“Customers entrust both their money and their personal information to their brokers and investment advisers,” said Stephanie Avakian, Co-Director of the SEC Enforcement Division.  “VFA failed in its obligations when its deficiencies made it vulnerable to cyber intruders accessing the confidential information of thousands of its customers.”

“This case is a reminder to brokers and investment advisers that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Robert A. Cohen, Chief of the SEC Enforcement Division’s Cyber Unit.  “They also must review and update the procedures regularly to respond to changes in the risks they face.”

Without admitting or denying the SEC’s findings, VFA agreed to be censured and pay a $1 million penalty, and will retain an independent consultant to evaluate its policies and procedures for compliance with the Safeguards Rule and Identity Theft Red Flags Rule and related regulations.

The SEC’s investigation was conducted by Arsen Ablaev of the Cyber Unit and Paul Montoya in the Chicago Regional Office.  The case was supervised by Kathryn Pyszka in the Chicago Regional Office and Mr. Cohen.  The examination that led to the investigation was conducted by the Chicago Regional Office with the assistance of the National Examination Program.  The examination team included Kristine Baker, Stacey Gohl, Thu Bao Ta, David Mueller, Daniel Dewaal and Emilie Abate.


Robert Cohen, The Cyber Security Chief Of The SEC, Makes Sound Warning To Cryptocurrency Exchanges

Due to the increasing number of cryptocurrency-related scams, the Securities and Exchange Commission in the United States has been keeping a close eye on the industry for the purpose of protecting investors. The reach of the SEC in the United States just got to a whole new level after an announcement was made yesterday.

A while ago, the SEC announced that it was building a case against an Ethereum-based cryptocurrency exchange for the first time. This case is being championed by Robert Cohen, the head of the SEC’s cyber unit. Speaking exclusively to Forbes, Cohen said that creating exchanges with blockchain doesn’t eliminate the responsibilities of the creator. This warning is timely, as decentralized exchanges are being launched with relative ease day by day. In Cohen’s words:

“We are not focused on how you label the technology. We are focused on its function and what you’re trying to achieve with this technology. We don’t care if it is dubbed decentralized or smart contract based, what matters is that it is an exchange”.

What Are Decentralized Exchanges?

Decentralized exchanges are exchanges that are run by self-executing code and not by individuals. Rather than acting as intermediaries between buyers and sellers, these exchanges use smart contracts to connect people directly. Even if these exchanges are based on self-executing code, Cohen emphasized that the individuals who create this code are still responsible for it. While the battle the SEC is currently fighting is with EtherDelta, Cohen used it as an opportunity to warn the creators of decentralized exchanges.

Cohen reassured the public that the SEC is working hard to ensure that exchanges within the United States are compliant. However, he did not explain how the SEC intends to handle decentralized exchanges that have anonymous creators. The intentions of the SEC are pure, but the fact remains that the nature of exchanges based on blockchain technology makes them practically impossible to shut down. When it comes to centralized servers, access can easily be revoked, but the same is not true of decentralized exchanges, which are becoming increasingly popular. The SEC may need to develop a new means of enforcement to keep order and protect investors.