Banks, broker-dealers, investment managers, insurance companies and other financial services firms face increasingly sophisticated threats to their data and remote applications. Hacking, once the purview of bored teens and petty criminals, is now a constant threat through the efforts of technically sophisticated international organized criminal groups and sovereign cyber warfare units. Risks range from disruption and downtime and the loss of data and confidential consumer information to the theft of money and securities through unauthorized transfers and account access.
At the same time, a new generation of customers demands access to financial accounts through tablets, smart phones, computers and other devices. These customers expect to use mobile devices loaded with user-friendly applications not just to review their accounts, but also to effect transactions and move funds.
Every system and device, from ATMs and point-of-sale terminals, to customer access devices, to internal wireless networks and routers, is at risk. Financial services firms contract with external vendors for a wide range of systems, support, data and devices to conduct their business. The contracts and relationships with those vendors must be carefully crafted to address cyber-security risks.
Federal and state regulators have taken notice. The Securities and Exchange Commission (SEC), Financial Industry Regulatory Authority (FINRA) and the bank regulators are engaged in targeted examinations of cyber-security efforts, and the SEC, Federal Financial Institutions Examination Council (FFIEC) and Conference of State Bank Supervisors (CSBS) have recently published guidance on vendor management and security considerations. The New York State Department of Financial Services recently announced that it will be scrutinizing cyber-security as an integral part of its bank examinations, and is asking banks to prepare responses to a specific set of questions and information requests on their security practices and procedures for purposes of the examinations. Other regulators have issued statements outlining required elements of cyber-security programs, and are closely examining the depth and comprehensiveness of financial firms' programs. Administrative enforcement actions and civil litigation are the foreseeable consequences of programs that fail to measure up. The financial threat is also very real and very large.
Financial firms' cyber-security programs must be carefully thought through, coordinated internally within the firm and externally with vendors, and conducted with appropriate resources, support, and sustained effort to deal with continuously evolving threats while meeting customer demands. The effort must be conducted at every level of the company, with oversight from the board, leadership from senior management, and involvement from operating business units, rather than simply technology and security departments and compliance personnel. Firms should formalize the corporate governance elements of their strategies by assigning cyber-security and vendor management considerations to a particular board committee through amendment of its charter, as necessary, and adoption of board resolutions. This designated board committee should then appoint specific senior officers to oversee the program, institute a formal reporting line up from the business units, legal, compliance, audit, technology and security departments, and institute regular periodic reporting by management to the committee.