On February 3, 2015, the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released publications addressing cybersecurity issues.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) issued a National Exam Program Risk Alert, “Cybersecurity Examination Sweep Summary,” reporting observations and summary data collected during its 2014 “sweep” examinations of 57 registered broker-dealers and 49 registered investment advisers pursuant to the Cybersecurity Exam Initiative.
OCIE collected and analyzed information about how broker-dealers and investment advisers identified and addressed cybersecurity risks. Among other findings, OCIE reported that the vast majority of firms have adopted written information security policies and conduct periodic risk assessments; that most of the firms acknowledged that they had experienced a cyber-related incident; and that 58% of broker-dealers, compared to 21% of investment advisers, maintain cybersecurity insurance (although only one broker-dealer and one investment adviser had filed claims for losses).
The data reveals areas for increased focus. According to the Risk Alert, around a quarter of the broker-dealers reported financial losses due to fraudulent emails, and, within that group, a quarter of the incidents were the result of employees failing to follow the firm's authentication procedures. Only one investment adviser reported a financial loss due to fraudulent emails, and that loss was likewise due to an employee deviating from identity confirmation procedures. Thus, firms may want to improve training and employee education on identity confirmation procedures and on following them consistently.
OCIE’s sweep also revealed that broker-dealer firms are more aggressive than investment advisers in imposing cybersecurity requirements on vendors. According to the Risk Alert, a majority of investment advisers do not require third-party vendors to conduct cybersecurity risk assessments, include cybersecurity risk provisions in contract terms, or provide information security training. Firms that rely heavily on third-party service providers should consider improving their oversight of those providers as a part of their cybersecurity defense program.
FINRA also released its “Report on Cybersecurity Practices” detailing the results of its examination of a cross-section of broker-dealers, including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers. The Report also identifies principles and practices to consider in formulating an approach to cybersecurity issues and defenses. The Report notes that firms recognized three major cybersecurity-related threats: (1) hackers penetrating firm systems, (2) insiders compromising firm or client data, and (3) operational risks (such as power failures or natural disasters).
The FINRA Report identifies the following practices for firms to consider in formulating cybersecurity defenses, recognizing, however, that there is no one-size-fits-all approach and that cybersecurity programs should be tailored to each firm’s needs and capabilities:
- Establish and maintain an effective corporate governance framework. The Report suggests that firms should implement a framework “that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks.” The framework should include “defined risk management policies, processes, and structures coupled with relevant controls tailored to the nature of the cybersecurity risks the firm faces and the resources the firm has available.”
- Conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors. The Report notes that maintaining asset inventories and keeping track of critical assets are key components of risk assessment.
- Implement technical controls “to protect firm software and hardware that stores and processes data, as well as the data itself.” The Report stresses effective controls in three areas: (1) identity and access management, (2) encryption, and (3) third-party penetration testing.
- Establish incident response planning to limit the damage and costs of a cybersecurity attack. The Report describes the steps for responding effectively to an incident: containment and mitigation; eradication and recovery; investigation; notification; and making clients whole.
- Practice risk-based due diligence on prospective vendors, and establish contractual provisions that allow the firm to maintain vendor oversight. The Report also recommends that vendor systems and processes be included in a firm’s overall risk assessment process.
- Provide cybersecurity training that is tailored to staff needs.
- Establish “mechanisms to disseminate threat intelligence and analysis rapidly to appropriate groups within the firm.” Further, firms should participate in information-sharing organizations to help understand the threats they may face.
- Obtain cyber insurance if a firm determines that a policy aligns with its risk assessments.
Both the SEC and FINRA issued companion investor alerts directed to retail consumers. The SEC’s “Investor Bulletin: Protecting Your Online Brokerage Accounts from Fraud” can be found at http://investor.gov/news-alerts/investor-bulletins/investor-bulletin-protecting-your-online-brokerage-accounts-fraud#.VNOwvLl0w5s, while FINRA’s alert, “Cybersecurity and your Brokerage Firm”, can be found at http://www.finra.org/Investors/ProtectYourself/InvestorAlerts/MoneyManagement/P601655.
The SEC’s National Exam Program Risk Alert can be found at http://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf, and FINRA’s Report can be found at http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p602363.pdf.
If you have additional questions, please reach out to Kramer Levin’s Cybersecurity, Privacy and Data Protection practice team. The authors of this article include: Alan R. Friedman | Alexandra Alberstadt | Erica D. Klein | Dani R. James | Kenneth P. Kopelman | Brendan M. Schulman | Daniel Lennard