Michelle L. Jacko, Esq.

Managing Partner and CEO

Michelle L. Jacko, Esq. is the Managing Partner and CEO of Jacko Law Group, PC (“JLG”), which offers securities, corporate, real estate, and employment law counsel to broker-dealers, investment advisers, investment companies, hedge/private funds and financial industry professionals. In addition, Ms. Jacko is the Founder and CEO of Core Compliance & Legal Services, Inc., a compliance consultation firm.

Ms. Jacko specializes in investment adviser, broker-dealer, investment company and private fund regulatory compliance matters, internal control development, regulatory examinations, transition services, and operational risk management. Her consultation practice is focused on the areas of regulatory exams and formal inquiries, investment and merger and acquisition transactions, exit and succession planning, annual reviews, policies and procedures development, testing of compliance programs (including evaluation of internal controls and supervision), mock exams, senior client issues, cybersecurity, Regulation S-P, and much more.

Over the years and through a transformative market, Ms. Jacko has also developed service solutions throughout her practice, focusing on regulatory, compliance, commercial and corporate strategic solutions for the financial industry. Her practice focuses on formations and registration of broker-dealers, investment advisers and funds and platforms associated with each of these business models.  She focuses on transition and succession planning for companies, spearheading Jacko Law Group’s mergers and acquisitions practice area. She aligns her legal team to directly apply experienced legal acumen and business-savvy foresight to assist clients navigate and traverse the breakaway, formation, and growth plan for their corporation’s continued achievement, expansion, and upward trajectory.

Throughout this process, Ms. Jacko uses her 27 years of regulatory compliance experience to provide risk mitigation strategies to businesses.  She provides her clients with risk assessments, annual reviews and gap analysis, and serves as lead attorney for SEC and FINRA enforcement matters, regulatory formal inquiries, and regulatory examinations.  She has developed a practice that successfully helps our clients to be prepared for examinations through meticulous preparations, including mock interviews, compliance program document reviews, and counsel to members of senior management and interfacing with regulators throughout the process.   She frequently provides counsel on Chief Compliance Officer liability issues, assists advisors with regulatory reporting of disciplinary events and customer complaints, provides counsel on various representative onboarding and exit considerations and drafts complex agreements and client disclosure documents.

Utilizing an unparalleled service with a visionary strategy, Ms. Jacko’s counsel contributes to client success. She fosters trust amongst her team and has forged a path for JLG’s growing and multifaceted merger and acquisition practice, general corporate counsel services and regulatory compliance practice areas.

As a frequent presenter at national financial industry conferences, Ms. Jacko delivers insightful and thought-provoking workshops regarding industry hot topics and rising compliance issues. She is a frequent contributor to various industry journals and publications, including Barron’s Advisor, Charles Schwab, Investment Adviser Association’s IAA Today, National Society of Compliance Professionals’ Currents, Lawyer Monthly Magazine, Thomson Reuters, and more. She also is a featured author in Modern Compliance, Vol. 1 and 2.

Ms. Jacko served as the former Vice-Chair of Education of the Corporations Committee for the State Bar of California Business Law Section and is a two-time Board member alumna of the National Society of Compliance Professionals. She is the Co-Founder and a member of the Southern California Compliance Group and also is a FINRA Arbitrator. Ms. Jacko is a member of Vistage International and actively participates in her community.

JLG and Ms. Jacko are proud to be members of the National Association of Women Business Owners (NAWBO) Corporation.

Throughout her career, Ms. Jacko has established herself as an influential leader, both locally and industry-wide. She has received numerous accolades and recognitions for her contributions, impact, and thought leadership. Since 2019, she has been selected as a finalist for San Diego Business Journal’s (SDBJ) CEO of the Year Award (2019-2022). She has also been selected for inclusion in the SDBJ’s 2022 Women of Influence 50 over 50, 2021-2022 Women of Influence in Law, SDBJ’s 2018-2022 Business Woman of the Year, 2020-2022 San Diego 500 Influential Business Leaders Award, 2020-2022 SD500, and prestigious 2020 Most Admired CEO Awards. Alongside the many awards from the SDBJ, Ms. Jacko also was selected as a finalist for San Diego Magazine’s 2020–2021 Influential Women: Woman of the Year Award and was honored as a finalist for the 2019 NAWBO Bravo Awards - San Diego. International magazine CEO Today also selected Ms. Jacko as one of its 2019 and 2020 Business Women of the Year Award recipients. She also received Acquisition International magazine's Global Excellence Awards: Most Influential Woman in Securities Law 2019–2020 - San Diego, and locally was selected by San Diego Metro as one of the 12 Women of Influence in San Diego, CA.

Before starting both companies, Ms. Jacko previously served as Of Counsel at Shustak & Partners, PC. Prior to that, she was Vice President of Compliance and Branch Manager of the Home Office Supervision team at LPL Financial Services, Corporation (Linsco/Private Ledger). She also served as Legal Counsel of Investments and Chief Compliance Officer at First American Trust, FSB and held the position of Compliance Manager at Nicholas-Applegate Capital Management. In addition, Ms. Jacko was with PIM Financial Services, Inc., and Speiser, Krause, Madole & Mendelsohn, Jackson.

Ms. Jacko received her J.D. from St. Mary’s University School of Law and B.A., International Relations, from the University of San Diego. She is admitted to the State Bar of California and United States District Court, Southern District of California. Michelle holds NSCP’s Certified Securities Compliance Professional (CSCP) designation and is a member of the National Association of Women Lawyers (NAWL).

In addition to her many accomplishments, Ms. Jacko is also dedicated to giving back to her community and charitable organizations. Throughout the years she has dedicated her time and efforts to numerous organizations, including the Autism Tree Project, Wounded Warriors Project, the ASCPA, the San Diego Food Bank, School of the Madeleine and more. She also supports the military community whenever she can. It is her dedication to her team, her practice and her community that has laid the foundation for JLG’s impact and continued growth and success.

Practices:
  • Mergers & Acquisitions
  • Private Equity & Private Fund Services
  • SEC/State: Regulatory Compliance Services
Legal Considerations For Your Cybersecurity Program
Due Diligence Counsel Legal Risk Management Tips
August 1, 2016

So often we hear about regulatory compliance considerations governing cybersecurity. But what about considerations from a legal perspective? How do your vendors, who may not be subject to Regulation S-P and Regulation S-ID, help ensure they have adequate safeguards when servicing your firm? This month’s legal tip will focus on areas that we find are often overlooked within financial organizations’ cybersecurity programs. These include contractual provisions to look for and request from vendors, due diligence questions to pose to service providers who have access to non-public information, and the information counsel needs in order to respond to a cyber incident.

Introduction

Cybersecurity is one of the foremost regulatory focus areas in 2016. The topic can be found easily on the SEC’s home page and its list of 2016 examination priority areas. Most financial institutions have taken initial steps to inventory their critical service providers, hardware systems and software; but from our experience, few have gone back to examine their servicing contracts with these critical parties.

Take, for example, an IT vendor. The IT vendor may have a servicing agreement which is silent as to the types of reports, if any, it provides in order to assist the compliance officer in overseeing the program. Can you now go back and ask for this (at no cost)?

What about services such as Dropbox? Does their contract address if and when the firm will be notified if the vendor has a cyber breach? If their agreement is silent, have you conducted due diligence as to how the vendor is complying with the state’s breach notification requirements and data security measures, as applicable?

Do contracts with your law firms and compliance consultants address (or should they address) internal controls they have in place to protect non-public information they may receive about your firm and its clientele and trade secrets? If not, have you conducted due diligence about their cyber and data security controls?

As a fiduciary, the firm is subject to a regulatory expectation to do just that.

What to Look for in Contracts with Vendors

Not all vendor contracts are alike. While many contain a confidentiality or similar provision, the vendor agreement likely will not address the essential internal controls that vendor should have in place to service a financial industry firm. This matters most where the vendor is a critical service provider to the firm and will have access to non-public information about your customers and to proprietary information, such as trade secrets. To the extent the agreement is silent in this regard, consider presenting an addendum or referencing another similar document that would cover the following areas, and contain the following information, as applicable:

  • Describe when and how the vendor will communicate any known cyber incidents it experiences to you.
  • Describe who owns the data in the event that the servicing contract is terminated or the vendor goes out of business.
  • Describe the safeguarding method through which data and file transfer will occur (e.g., through multiple layers of encryption).
  • Summarize the types of cyber controls mutually expected by the contracting parties.
  • Set forth the expectation to receive an internal control audit or similar report and to otherwise conduct due diligence no less than annually, and as needed.
  • In the case of an external IT vendor, detail the types of reports or communications to be generated from that vendor.

Risk Management Tip: To the extent that the Chief Compliance Officer is relying upon an IT vendor to provide reports and analytics as to the strength of the firm’s cyber program, it is critical to receive meaningful information in order to know the strengths and vulnerabilities of your cyber environment.

Due Diligence Questions to Pose to Service Providers

Financial firms should go back to the basics when they interview and ultimately engage vendors to perform a service. Just as financial industry firms should conduct due diligence on any investment before recommending it to a client, such firms should take reasonable steps to investigate how service providers, who are in receipt of or have the ability to access your non-public information, take steps to protect such information.

Let’s take, for example, an external IT service provider. Assuming that vendor is not somehow affiliated with a financial industry firm, it is likely that the IT service provider is not subject to the same regulations as are broker-dealers or investment advisers. The vendor has no requirement to maintain electronic communications in native format and survey them periodically. Nor is there a requirement for that IT service provider to have a business continuity plan, much less a cybersecurity plan. The service provider need not think about adopting written policies and procedures to detect, prevent and correct cyber breaches. And there is no need for that service provider to have a cyber incident response plan in the event of a cyber breach.

Regardless of the type of vendor, prior to the onboarding of any service provider or new engagement, consider posing the following questions:

  • Do you have a cybersecurity plan? If yes, would you be willing to share it?
  • How many financial industry firms do you service?
  • Are you familiar with the regulations that pertain to our firm relating to cybersecurity? If yes, what are they?
  • What supervisory controls are in place over vendor employees to ensure that they are not misappropriating non-public personal information of the firm?
  • What are the vendor’s procedures in dealing with terminated employees to ensure that they no longer have access to the firm’s systems and data and have not misappropriated such information and taken it with them?

Next, ask the vendor to provide you with an internal control report (such as an SSAE 16 report) and ask, as needed, how they intend to inform you of a cyber breach (i.e., what is their communication plan?). Also, you may wish to inquire as to whether the vendor has cyber liability insurance. To the extent the IT vendor has multiple employees who have company-issued devices (such as laptops, cell phones and tablets), check to see what policies they have in place for wiping the device(s) clean (should a device be lost, or in the case of a terminated employee) and for remoting in to service customer accounts. Cyber controls are just as critical for vendors as for the financial industry firms they service.

Working with Counsel in the Event of a Cyber Breach

In the event there is a cyber breach, it is important to immediately investigate and inform your counsel. Counsel will help the firm to determine whether the event is one which should be reported to law enforcement and/or to regulatory authorities. Counsel also will be instrumental in helping you to assess remediation steps, including the type of communications which may be necessary to notify your clients of a potential or actual breach. To the extent the firm has cyber liability insurance, counsel can also assist with tendering cyber claims to your insurance carrier.

When notifying your counsel of a cyber breach, be prepared to discuss the following:

  • How was the breach discovered?
  • Was it systemic and widespread, or isolated to one account?
  • Do you know the impact of the cyber breach (i.e., was any client harmed)?
  • What is your cyber incident response plan and have you completed your investigation?
  • What contractual, statutory and/or regulatory obligations do you have to notify clients and critical service providers of a cyber breach?

Conclusion

Nearly every financial institution has experienced some sort of cyberattack over the last few years. The concern is not if this will occur – it is when. Therefore, it is critically important to proactively take steps now to create a cyber-secure environment for your firm. By taking into consideration the aforementioned risk mitigation steps, the firm will be able to further evolve its cybersecurity program.

Author: Michelle L. Jacko, Esq., Managing Partner, Jacko Law Group, PC. JLG works extensively with investment advisers, broker-dealers, investment companies, hedge funds, banks and corporate clients on securities and corporate counsel matters.

This article is for information purposes and does not contain or convey legal advice. The information herein should not be relied upon in regard to any particular facts or circumstances without first consulting with a lawyer.


1 Notably, notifying counsel is just one step in a comprehensive incident response plan. For more information, please review https://www.sec.gov/investment/im-guidance-2015-02.pdf and https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf.
