In 2014, the SEC and FINRA separately conducted sweep exams to increase their understanding of the cybersecurity threats faced by investment advisers and broker-dealers. Recently, both the SEC and FINRA reported on the results of those efforts, and the reports reveal that the two regulators took very different approaches. The SEC’s Risk Alert, which was released on February 3, 2015 (the “SEC Risk Alert”), describes current cybersecurity practices and the frequency with which these practices have been adopted by broker-dealers in comparison to investment advisers. In contrast, FINRA’s February 2015 Report on Cybersecurity Practices (the “FINRA Report”) provides a set of principles and effective practices that FINRA expects member firms to consider as they develop or enhance their cybersecurity programs.
The SEC Risk Alert summarizes the findings of the National Exam Program staff of the Office of Compliance Inspections and Examinations as a result of its examinations of 57 registered broker-dealers and 49 registered investment advisers, conducted under the Cybersecurity Examination Initiative announced in April 2014. Based on the information provided in the SEC Risk Alert, there appear to be significant differences between the practices of broker-dealers and the practices of advisers, with broker-dealers having generally adopted more extensive cybersecurity practices. In particular, although advisers typically have significant interaction with and rely upon third-party vendors and service providers, the SEC Risk Alert indicates that fewer advisers: (1) require cybersecurity risk assessments of vendors with access to their firms’ networks (32% of advisers examined versus 84% of broker-dealers examined); (2) incorporate requirements related to cybersecurity risk in their contracts with third-party vendors (24% of advisers examined versus 72% of broker-dealers examined); and (3) maintain policies and procedures related to information security training for vendors/business partners authorized to access their networks (13% of advisers examined versus 51% of broker-dealers examined).
The FINRA Report combines information gleaned from FINRA’s 2010 and 2011 on-site firm reviews, as well as its 2011 and 2014 examination sweeps to present a detailed series of “Principles and Effective Practices.” These Principles and Effective Practices cover a broad range of topics, including cybersecurity governance and risk management, cybersecurity risk assessment, technical controls, incident response planning, vendor management, staff training, cyber-intelligence and information sharing, and cyber-insurance. Among other topics, the FINRA Report highlights the importance of the active involvement of senior management and also states that boards of broker-dealer firms “should play a leadership role in overseeing firms’ cyber-security efforts.”