Earlier this month, the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) each released reports addressing cybersecurity. FINRA’s report targeted its broker-dealer members, and the SEC’s report targeted broker-dealers and investment advisers, but the twin reports provide a roadmap to cybersecurity for financial market participants generally, both in the US and Canada.
There can be no doubt that cybersecurity is top-of-mind for those regulating the Canadian financial market. For example, the Canadian Securities Administrators recently published CSA Staff Notice 11-326 – Cyber Securityin which it stated “[s]trong and tailored cyber security measures are an important element of issuers’, registrants’ and regulated entities’ controls in promoting the reliability of their operations and the protection of confidential information.” Late last year, the Office of the Superintendent of Financial Institutions published the OSFI Cyber Security Self-Assessment Guidance on cyber security to assist federally regulated financial institutions in assessing the adequacy of their cyber-security practices. Similarly, in December 2014, the Bank of Canada published its Financial System Review report in which it noted it required systemically important domestic financial market infrastructure to complete a self-assessment of their cyber-security practices against standards that promote a risk-based approach to managing cyber-security risk.
The American documents mirror Canadian concern with cybersecurity, and shed additional light on the practices, procedures and processes on which regulators will increasingly focus their attention.
SEC Risk Alert
On February 3, 2015 the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released acybersecurity Risk Alert, the result of the OCIE’s 2014 cybersecurity initiative in which it examined over 100 registered broker-dealers and investment advisers with respect to their cybersecurity and data protection practices.
OCIE particularly focused on the following areas of concern:
- Cybersecurity governance (e.g., policies, procedures, and oversight processes)
- Identification and assessment of cybersecurity risks
- Protection of networks and information
- Risks associated with remote customer access and fund transfer requests
- Risks associated with vendors and other third parties
- Detection of unauthorized activity
- Experiences with particular cyber threats
The Risk Alert notes that 88% of broker-dealers and 74% of investment advisers reported that they had been the target of a cyber attack, either directly or through a vendor. In a number of cases, these cyber attacks were as simple as fraudulent emails that led to actual losses (for instance, a fraudulent request for fund transfer). Employee misconduct was also identified as a significant factor in cyber security risk. Additional OCIE findings related to firms’ adoption of cybersecurity policies and procedures, implementation of risk assessments, and the use of encryption.
FINRA Cybersecurity Report
The FINRA Cybersecurity Report, published the same day as the FINRA Risk Alert, is based on, among other things, FINRA’s 2014 targeted exam of member firms. The FINRA Cybersecurity Report cited examples of risk factors which could create a variety of new avenues for attack (for instance, the FINRA Cybersecurity Report cites such things as a firms’ web-based activities, and employee and customer use of mobile devices to access information, as examples of activities that elevate risk).
The FINRA Cybersecurity Report, the more prescriptive of the two documents, outlined a risk management–based approach to address cybersecurity threats, however it stopped short of establishing any new requirements, noting that a one-size-fits-all approach to the issue would not be appropriate. However, it did identify several strategies that it considered to be well-advised, including:
- A governance framework with strong leadership, including engagement by board- and senior-level management on cybersecurity issues.
- Risk assessments as a basis for understanding potential cybersecurity risks across a firm’s activities and assets.
- Technical controls as central to a firm’s cybersecurity program.
- Incident response plans that include items on containment and mitigation, eradication and recovery, investigation, notification, and making customers whole as key elements. Also key was the review and testing of such plans.
- Strong management of the cybersecurity risk exposure created by use of vendors and service providers, coupled with the ongoing due diligence during the lifecycle of these relationships.
- Effective staff training to help reduce hackers likelihood of success.
- Participation by firms in information- and intelligence-sharing opportunities to permit proactive defence based on the learning of others.
While both documents focus on the participants in the US financial markets, there is no reason their findings won’t be carefully examined in Canada as well. In light of the increased scope of cyber attacks, and the appeal of the financial markets as a target for hackers and malicious state actors, it is not unreasonable to anticipate that 2015 will see regulators increasingly directing their compliance efforts at the aspects of firms’ cybersecurity programs identified above. Firms will also likely be scrutinized for evidence that a culture of cybersecurity compliance exists within them, including evidence of an appropriate allocation of budget, personnel and resources to IT systems and the demonstration by senior leadership that they are actively involved in leading this culture. Regulators may also begin looking at firms’ levels of preparedness, and ask for evidence of risk assessments, penetration testing, security controls, and a breach response plan.
Interestingly, US regulators appear to advocate information sharing amongst industry participants. While this may be a good practice from the perspective of bolstering cybersecurity, this is a delicate area and firms should be cautious of their obligations to maintain the confidentiality of client information.