New reports by the Financial Industry Regulatory Authority ("FINRA") and the SEC's Office of Compliance Inspections and Examinations ("OCIE") highlight the increased regulatory focus in the financial sector on cybersecurity. Both reports merit industry attention.
FINRA Report on Cybersecurity Practices
On February 3, 2015, FINRA released its "Report on Cybersecurity Practices," which follows FINRA's recently issued Investor Alert, "Cybersecurity and Your Brokerage Firm." The report details principles and practices that firms can use to strengthen their cybersecurity efforts, focusing more on general guidance and common firm practices than on specific recommendations. Importantly, however, the report, which is based on FINRA's 2014 targeted examination of a cross-section of firms, highlights eight topics to assist firms in developing and implementing a comprehensive cybersecurity risk management program, which FINRA recognizes will be largely dictated by the size of the implementing firm and the assets and threats present to the firm's business. In addition, the report points to various industry guidelines and standards, such as the National Institute of Standards and Technology ("NIST") Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 and the SANS Critical Security Controls for Effective Cyber Defense, as resources firms can use to assist in preparing and implementing their own cybersecurity plans. The report addresses the following topics:
Governance and Risk Management. The report states that a cybersecurity governance framework is critical to support informed decision making and internal escalation of cybersecurity risks and incidents. FINRA recommends that a firm's framework include risk management policies, processes, and structures combined with controls that are tailored to the nature of the risks for that firm.
Cybersecurity Risk Assessment. An effective cybersecurity plan will include regular risk assessments to identify and analyze threats to a firm's business. For example, FINRA recommends that a firm create and maintain a detailed asset inventory and conduct regular assessments to analyze external and internal threats and asset vulnerabilities. According to FINRA, 80 percent of the firms surveyed have established cybersecurity risk assessment programs; FINRA recommends that all firms implement such a program.
Technical Controls. Effective technical controls will help a firm protect its software, hardware, and data. Examples of effective technical controls include a defense-in-depth strategy, which is a multi-layered system of various controls; identity and access management; data encryption; and penetration testing.
Incident Response Planning. The report states that an effective plan will identify the most common cyber incident types; include containment and mitigation strategies; outline eradication and recovery plans and investigation and damage assessment processes; and prepare a strategy to notify various stakeholders if obligated pursuant to Regulation S-ID, state requirements, and FINRA rules.
Vendor Management. Many cyber threats originate from vendor access to a firm's network, software, and/or data. The report discusses the importance of preparing a risk assessment strategy for vendor relationships that provides for pre- and post-contract due diligence, including important contractual provisions to manage the vendor relationship, and post-termination protocols to minimize risks.
Staff Training. FINRA suggests that many cybersecurity incidents can be avoided or mitigated with proper employee training. Minimizing employee errors can help a firm avoid many types of attacks, such as phishing and other scams.
Cyber Intelligence and Information Sharing. While firms are generally reluctant to share their own cybersecurity information for liability and business-related reasons, among others, FINRA states that increased sharing of information can help firms create a coordinated defense and strategy for common cyber threats.
Cyber Insurance. FINRA recommends that firms regularly review insurance policies to ensure that losses are covered in the event of the most common cyber risks facing the firm.
SEC's Cybersecurity Examination Sweep Summary
On February 3, 2015, the OCIE released the results of its Cybersecurity Examination Sweep Summary, which examined 57 broker-dealers and 49 investment advisers. The important findings include:
- A high majority of those surveyed (93 percent of the broker-dealers and 83 percent of the advisers) have adopted written information security policies, with most of these firms and advisers conducting periodic audits of those policies.
- While most of the firms surveyed have adopted written plans to address the impact of cyberattacks, those policies generally do not address how those firms determine whether they will be responsible for client losses associated with the incident.
- Most of the firms surveyed conduct periodic risk assessments on a firmwide basis to identify threats, vulnerabilities, and potential consequences.
- Most of the firms surveyed reported to have been the subject of a cyber-related incident, either directly or through a vendor.
- The firms surveyed identified best practices through industry information-sharing networks, most notably the Financial Services Information Sharing and Analysis Center ("FS-ISAC").
- Nearly all of the firms surveyed reported the use of data encryption in some form.
While not mandating specific requirements, these new reports nonetheless highlight practices that plaintiffs and regulators alike may come to view as industry standard against which others will be judged, increasing pressure on firms of all sizes to implement and maintain detailed cybersecurity standards, practices, and policies, to prevent and mitigate risks. The reports also represent what some may view as a new baseline of what constitutes reasonable standard of care for cybersecurity.