In February 2015, both the Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) released reports containing information for best practices and other data on the issue of cybersecurity within financial services firms.
OCIE Cybersecurity Examination Sweep Summary
The SEC’s Office of Compliance Inspections and Examinations (“OCIE”) recently examined 57 broker-dealers and 49 registered investment advisers concerning how they address the legal, regulatory and compliance issues associated with cybersecurity. The participating firms provided perspectives from a cross-section of the financial services industry and insights regarding various firms’ vulnerability to cyber-attacks.
The OCIE’s National Examination Program staff examined various issues relating to cybersecurity practices, discerning basic distinctions among the level of preparedness of the examined firms. Among the findings summarized in the report were the following:
- The vast majority of examined broker-dealers and advisers have adopted written information security policies, and most conduct periodic audits to determine compliance with these information security policies and procedures.
- The vast majority of examined firms conduct periodic risk assessments on a firm-wide basis to identify cybersecurity threats, vulnerabilities, and potential business consequences.
- Most of the examined firms reported that they have been the subject of a cyber-related incident, and have experienced cyber-attacks directly through one or more of their vendors.
- Many firms identify best practices through information-sharing networks such as industry groups, associations, and other organizations.
- The vast majority of examined firms report conducting firm-wide inventorying, cataloguing, or mapping of their technology resources.
- Findings varied regarding the firms’ cybersecurity risk policies relating to vendors and business partners: most broker-dealers incorporate requirements relating to cybersecurity risk into their contracts with vendors and business partners, while few advisers do so.
- Almost all the examined broker-dealers and advisers make use of encryption in some form.
- Many examined firms provide their clients with suggestions for protecting their sensitive information.
- The designation of a Chief Information Security Officer (“CISO”) varied according to the firm’s business model.
- The examined firms varied in their use of cyberinsurance policies.
The OCIE indicates it is still reviewing the information gathered in the examination and continues to take comments and suggestions.
Please click here to access the February 3, 2015 summary.
FINRA Report on Cybersecurity Practices
FINRA released its February 2015 report, also focusing on cybersecurity within the financial services industry. The report is intended to assist firms in addressing cybersecurity, and to make responding to cyberthreats a high priority. The report analyzes a variety of factors that are driving firms’ exposure to cybersecurity threats, and “presents an approach to cybersecurity grounded in risk management to address these threats.” The report also “identifies the principles and effective practices for firms to consider, while recognizing that there is no one-size-fits-all approach to cybersecurity.”
The report identifies the top three cybersecurity threats as:
- hackers penetrating firm systems,
- insiders compromising firm or client data, and
- operational risks.
The report summarizes its key points as follows:
- A sound governance framework with strong leadership is essential.
- Risk assessments serve as foundational tools for firms to understand the cybersecurity risks they face across the range of the firm’s activities and assets.
- Technical controls, a central component in a firm’s cybersecurity program, are highly contingent on firms’ individual situations.
- Firms should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.
- Firms should manage cybersecurity risk exposures that arise from vendor relationships by exercising strong due diligence across the lifecycle of their vendor relationships.
- A well-trained staff is an important defense against cyberattacks. Effective training helps reduce the likelihood that such attacks will be successful.
- Firms should take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.
FINRA sent its information request to a cross-section of firms, including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers. Although many of the practices discussed in the report “are geared to large firms with sophisticated management structures,” FINRA notes that small firms can also benefit from the findings.
Please click here to access the February 2015 report.