In January, FINRA and the SEC both released their examination priorities for 2015. Not surprisingly, given the 64% increase in cyber-attacks reported by midsize companies in 2014 over 2013, both regulators are focused on evaluating firms’ approaches to cybersecurity risk management.[1]
In its 2015 priorities letter, FINRA reiterated its intention to focus on firms’ governance structures and processes for conducting risk assessments. FINRA noted that it anticipates publishing in early 2015 the results of a cybersecurity sweep it initiated in 2014. We anticipate that the report will articulate specific guiding principles, as well as perhaps some “best practices” for firms to consider in developing and implementing their cybersecurity programs. FINRA is expected to focus on firms’ efforts to assess their vulnerabilities, identify those critical assets most in need of protection, and then adopt controls appropriate to each firm’s size and business model to address the identified needs.
The SEC is similarly focused on cybersecurity issues, yet has provided less guidance as to the nature and extent of its focus on this subject. Nevertheless, we anticipate that the SEC’s Office of Compliance Inspections and Examinations (OCIE) will promulgate some guidance in this regard during 2015.[2]
Notwithstanding the absence of express guidance from the SEC on cybersecurity issues, in April 2014, OCIE issued a Risk Alert related to the SEC’s cybersecurity initiative. The alert can be found at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf. Included with the alert were sample document and information requests related to cybersecurity issues. The sample requests cover a number of topics and thus provide a good roadmap of areas firms should address preemptively before any regulatory examination into cybersecurity matters: 1) identification of risks/cybersecurity governance; 2) protection of firm networks and information; 3) risks associated with remote customer access and funds transfer requests; 4) risks associated with vendors and other third parties; 5) detection of unauthorized activity; and 6) experiences with cybersecurity threats.
Notwithstanding the foregoing, in the absence of express guidance or articulated “best practices” from the regulators, firms still are left to guess a bit at the appropriate approach. In attempting to chart an approach, familiarity with the National Institute of Standards and Technology’s “Framework for Improving Critical Infrastructure Cybersecurity” (the “NIST Framework”) may be helpful.[3] The NIST Framework is a voluntary set of standards and best practices to help organizations manage cybersecurity risks. The SEC used this Framework as guidance for drafting a number of the sample information requests issued in April 2014 (see supra). Accordingly, we anticipate that the SEC might look to the NIST Framework in evaluating firms’ efforts to identify, assess, and manage cybersecurity risks.
The first month of 2015 saw a flurry of activity surrounding cybersecurity. Both the SEC and FINRA have made it a top priority for examinations, which should come as no surprise against the backdrop of the Obama administration’s and Congress’ recent increased scrutiny on cybersecurity issues. Until FINRA and the SEC provide additional guidance regarding their expectations for cybersecurity compliance, firms are encouraged to review and implement the NIST Framework and preemptively review, implement, and prepare responses to OCIE’s April 2014 sample requests.