Twin reports provide a roadmap to best practices.
U.S. financial markets and participants, much like other segments of the U.S. economy, are prime targets for technological hacks, intrusions, and breaches that can occur in today’s tech-laden business environment. In the face of these threats, on February 3, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released materials addressing cybersecurity. Although FINRA’s report targeted its broker-dealer members, and the SEC’s report targeted broker-dealers and investment advisers, the reports deliver a message that could apply broadly to all financial market participants. In particular, when stripping away the reports’ financial undercurrent, general concepts are left that could apply to any business or organization that uses or is affected by technology.
Summary of SEC and FINRA Findings
SEC Risk Alert
The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert (OCIE Cybersecurity Risk Alert) addressing cybersecurity for broker-dealers and investment advisers. The OCIE Cybersecurity Risk Alert presents the findings and recommendations associated with OCIE’s 2014 cybersecurity initiative. As part of that initiative, OCIE examined almost 60 registered broker-dealers and nearly 50 registered investment advisers last year to assess cybersecurity preparedness, compliance, and controls. OCIE staff reviewed related documents and conducted interviews with key personnel at the firms regarding their business and operations, detection and impact of cyber attacks, preparedness for cyber attacks, cybersecurity training and policies, and protocol for reporting cyber breaches. OCIE particularly focused on the following areas of concern:
- Cybersecurity governance (e.g., policies, procedures, and oversight processes)
- Identification and assessment of cybersecurity risks
- Protection of networks and information
- Risks associated with remote customer access and fund transfer requests
- Risks associated with vendors and other third parties
- Detection of unauthorized activity
- Experiences with particular cyber threats
Strikingly, OCIE found that 88% of broker-dealers and 74% of investment advisers examined had experienced a cyber attack, either directly or through a vendor. These attacks included fraudulent emails that sometimes led to losses (e.g., related to fraudulent fund transfer requests) as well as instances of employee misconduct that affected funds, securities, sensitive client or firm information, or the firms’ networks. Certain other OCIE findings related to firms’ adoption of policies and procedures regarding cybersecurity, firm-implemented risk assessments when establishing their cybersecurity policies and procedures, and firms’ use of encryption.
FINRA Cybersecurity Report
FINRA published its Report on Cybersecurity Practices (FINRA Cybersecurity Report) on the same day as the OCIE Cybersecurity Risk Alert. The details in the FINRA Cybersecurity Report are based on, at least in part, FINRA’s 2014 targeted exam of member firms, a 2011 FINRA cybersecurity survey of member firms, and interviews with other organizations involved in cybersecurity. The FINRA Cybersecurity Report cited examples, such as firms’ web-based activities, which can create opportunities for attackers to disrupt or gain access to firm and customer information and employee and customer use of mobile devices to access information at broker-dealers, which can create a variety of new avenues for attack.
The FINRA Cybersecurity Report outlined a risk management–based approach to address cybersecurity threats, but it did not suggest a one-size-fits-all regime for its members nor did it establish any new “per se” requirements. Key aspects include the following:
- The importance of a sound governance framework with strong leadership, including engagement on cybersecurity issues by board- and senior-level management
- The usefulness of risk assessments as foundational tools for understanding potential cybersecurity risks across the full range of a firm’s activities and assets
- Technical controls as central to a firm’s cybersecurity program and, at a general level, use of a “defense-in-depth” and identity- and access-management strategies to conceptualize control implementation
- Development, implementation, and testing of incident response plans, with inclusion of containment and mitigation, eradication and recovery, investigation, notification, and making customers whole as key elements
- Strong management by firm leaders of the cybersecurity risk exposure created by use of vendors and service providers—firms should be cautious about access to sensitive firm or client information or access to firm systems and exercise strong due diligence throughout the lifecycle of these relationships
- Effective staff training as an important defense against cyber threats by helping reduce their likelihood of success
- Opportunities for firms to engage in collaborative self-defense through information- and intelligence-sharing opportunities
Practical Implications and Takeaways
Best Practices Evolving in the Face of Continuing Industry Examinations, Investigations, and Regulatory Reforms
SEC Chair Mary Jo White has emphasized the significance of combating cybersecurity challenges to ensure the stability and integrity of our market system as well as disclosing material information and protecting the market’s customer data. FINRA also clearly emphasized in its 2015 exam priorities that its examiners will review firms’ approaches to managing cybersecurity risk. SEC and FINRA examiners are likely to focus on firms’ governance structures; processes for conducting risk assessments (including follow up); use of frameworks, standards, and controls; and methods and processes for identifying critical assets (including firm and customer information and data). Firms may need to address some or all of the following areas of focus during upcoming exams and audits:
- Examiners may be looking for evidence of firms’ emphasis on the importance of cybersecurity, including allocation of sufficient funding for systems, testing, and information technology/security personnel. Although dedicated technology staff is a plus, regulators are likely to acknowledge that not all firms can allocate resources in this manner. However, a top-down leadership approach will be important, both at the management level as well as with board and committee focus and involvement. Staff involvement, awareness, and training are also likely to be a focus of examiners, including with respect to minimizing risks and reacting to threats or actual cyber events.
- Firms’ levels of preparedness and testing will be a major emphasis of examiners, including risk assessments, intrusion/penetration testing, and tools used to maintain the security of firm assets. Firms may be required to demonstrate that they have developed and implemented reasonably designed policies, procedures, and related controls to combat cybersecurity risks. Firms may also be required to demonstrate their plans for responding to, and mitigating the effects of, potential breaches or other cyber events, including with respect to client communications and remedial measures.
- Regulators appear to be open to, and even encouraging of, information and intelligence sharing among industry peers. This is a delicate area, however, and firms should be cautious of their obligations to maintain the confidentiality of client information (e.g., under Regulation S-P and state and local privacy rules and regulations).
- OCIE’s findings appear to show that investment advisers generally fell behind the examined broker-dealers in terms of the level of focus and infrastructure dedicated to cybersecurity. Investment advisers can expect the SEC’s examiners to hone in on their practices in this regard, especially after having been put on notice of the SEC’s cybersecurity concerns.
Recent SEC Enforcement Cases Pose Warnings for Industry Participants in Light of the SEC’s “Broken Window” Approach
FINRA’s and the SEC’s heightened concern regarding the integrity of the technology infrastructure generally and cybersecurity in particular is not surprising. Recent SEC enforcement actions involving large broker-dealers and exchanges exposed the vulnerability of the securities market to order-entry errors, disruptive practices, and manipulative trading magnified by today’s split-second, high-speed electronic trading. Notably, the SEC’s latest focus on cybersecurity risks and compliance enforcement is consistent with its underlying “broken window” policy and overall enforcement strategy. Under this policy, the SEC has undertaken to establish a strong compliance culture, even where it means targeting nonfraud violations, such as risk-management control and supervisory failure, and infractions of technical rules. OCIE’s cybersecurity initiative and FINRA’s surveys are two additional examples of this industrywide campaign by regulators to enforce compliance and data security.
As a result, look for the SEC to bring enforcement cases involving inadequate cybersecurity preparedness, particularly when broker-dealers and investment advisers fail to respond to “red flags” of cybersecurity deficiencies.
- Firms should undertake proactive, remedial actions when encountering any warnings or “red flags” of cybersecurity vulnerabilities. Firms should aim to be particularly vigilant in attempting to respond reasonably to cybersecurity deficiencies to avoid enforcement scrutiny.
- In particular, broker-dealers and investment advisers who confront these “red flags” should document their responses to demonstrate their reasonable behavior in the event that they undergo subsequent SEC examinations or inquiries.
Building Momentum on the Heels of Recently Implemented Regulations
Although much of the scrutiny that broker-dealers and investment advisers can anticipate over the course of the next year related to cybersecurity is subject to speculation, formal requirements have already been mandated that are designed to prevent or minimize the impact of inadvertent or intentional failures in systems of exchanges and other trading centers as well as the systems of market participants with which they interface. For example, the SEC recently adopted Regulation Systems Compliance and Integrity (Regulation SCI) to address the capacity, integrity, resiliency, availability, and security of the computer, network, electronic, technical, and automated systems of securities exchanges and certain other market participants that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.
Similarly, the SEC’s Market Access Rule requires, in part, that broker-dealers with market access, or that provide access to an exchange or alternative trading system, restrict access to trading systems to preapproved and authorized persons and accounts. The SEC has already brought and settled actions under the Market Access Rule for circumstances where firms were alleged to have failed to implement or maintain reasonable technology governance structures and system safeguards to mitigate the risk to the markets from the failure of a firm’s systems. At least one of these actions resulted in penalties against the firm’s executives.
Financial market participants tend to be ahead of the curve relative to other industries in terms of their emphasis on using technology and taking steps to secure those systems. The SEC and FINRA reports are the latest, but surely not the last, regulatory emphasis on safeguarding the technology underlying the financial markets. The SEC and FINRA can be expected to eventually identify formal cybersecurity standards or requirements for broker-dealers, investment advisers, and other market participants, including transfer agents, investment companies, and security-based swap dealers. In the meantime, financial firms should take a proactive stance to address internal and external cybersecurity risks.