Shareholder Authentication (published 2015)

• Table of Contents
• Introduction
  • Universe of Transactions
    • Nature of Participants in Shareholder Transactions
    • Types of Shareholder Transactions
    • Means of Transmission of Transaction Requests
• Authentication In Theory
  • Principles of Authentication
    • The First Authentication Factor: What You Know
    • The Second Authentication Factor: What You Have
    • The Third Authentication Factor: What You Are
    • Multi-Factor Authentication
    • Non-Traditional Authentication Factors
    • Mutual Authentication
    • Positive and Negative Authentication Factors
  • Limitations of Authentication
    • Limitations of Authentication Measures in Common Use
    • Limitations of Authentication Measures Generally
• Authentication In Practice
  • Technological Solutions
    • Shareholder Knowledge
    • Hardware and Software Tokens
    • Biometrics
    • Behavioral Patterns
    • Protection of Authenticated Sessions
    • Authentication of Devices
    • Authentication of Transactions
    • Authentication of Fund Groups (Mutual Authentication)
  • Operational Initiatives
    • Overall Threat Environment
    • Risks Associated with Authentication Systems
    • Risks Associated with Particular Transactions
    • Potential Legal Consequences of Transactional Fraud
    • Limiting Potential for Damage from Fraudulent Transactions
    • Protection of Online Transaction Systems
  • Educational Efforts
    • Employee Training and Awareness
    • Shareholder Awareness
• Insurance
• Glossary
• Further Reading

ICI Mutual Publications:

• ICI MUTUAL, RISK MANAGEMENT IN THE DIGITAL AGE: MOBILE COMPUTING, CLOUD COMPUTING AND SOCIAL MEDIA (2012), available at http://www.icimutual.com/system/files/RiskManagementInTheDigitalAge.pdf.
• ICI MUTUAL, THE TWO FACES OF IDENTITY THEFT: OF DATA AND DOLLARS (2006), available at http://www.icimutual.com/system/files/The%20Two%20Faces%20of%20Identity%20Theft.pdf.
• ICI MUTUAL, COMPUTER SECURITY LITE: HALF THE JARGON OF REGULAR COMPUTER SECURITY (A GUIDE FOR MANAGEMENT) (2003), available at http://www.icimutual.com/system/files/Computer%20Security%20Lite.pdf.

General Guidance from Government Agencies:

• NIST, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY (Feb. 12, 2014), http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
• NIST, DEP’T OF COMMERCE, SPECIAL PUBL’N NO. 800-63-2, ELECTRONIC AUTHENTICATION GUIDELINE (Aug. 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-2.pdf.
• NIST, DEP’T OF COMMERCE, SPECIAL PUBL’N NO. 800-118, GUIDE TO ENTERPRISE PASSWORD MANAGEMENT (DRAFT) (Aug. 2009), http://csrc.nist.gov/publications/drafts/800-118/draft-sp800-118.pdf.
• NIST, DEP’T OF COMMERCE, SPECIAL PUBL’N NO. 800-76-2, BIOMETRIC SPECIFICATIONS FOR PERSONAL IDENTITY VERIFICATION (Jul. 2013), http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-76-2.pdf.
• NIST, Electronic Authentication: Guidance For Selecting Secure Techniques, http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm.
• Internal Revenue Service, Dep’t of the Treasury, Safeguards Technical Assistance Memorandum: Multi-Factor Authentication Implementation (June 2013), http://www.irs.gov/file_source/pub/irs-utl/safeguards-multi-factor-auth-alert.doc.
• FFIEC, Authentication in an Internet Banking Environment (Oct. 12, 2005), http://www.ffiec.gov/pdf/authentication_guidance.pdf.
• FFIEC, Supplement to Authentication in an Internet Banking Environment (June 29, 2011), http://www.ffiec.gov/pdf/Auth-ITS-Final%206-22-11%20(FFIEC%20Formated).pdf.

Securities Regulators:

• SEC, Division of Investment Management, IM Guidance Update: Cybersecurity Guidance, No. 2015-02 (Apr. 2014), http://www.sec.gov/investment/im-guidance-2015-02.pdf.
• SEC, OCIE, National Exam Program Risk Alert: OCIE Cybersecurity Initiative (Apr. 15, 2014), http://www.sec.gov/ocie/announcement/Cybersecurity-Risk-Alert--Appendix---4.15.14.pdf.
• SEC, OCIE, National Exam Program Risk Alert: Cybersecurity Examination Sweep Summary (Feb. 3, 2015), http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
• SEC, Dep’t of the Treasury, and Financial Crimes Enforcement Network, Joint Final Rule: Customer Identification Programs for Mutual Funds, 40 Act Rel. No. 26031 (Apr. 29, 2003), https://www.sec.gov/rules/final/ic-26031.htm.
• FINRA, Customer Account Protection: Verification of Emailed Instructions to Transmit or Withdraw Assets from Customer Accounts (Jan. 2012), http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p125462.pdf.
• FINRA, Report on Cybersecurity Practices (Feb. 2015), http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602363.pdf.