The International Organization of Securities Commissions issued two consultation reports on business continuity and recovery planning, including cybersecurity issues—one aimed at market intermediaries and the other at trading venues. IOSCO proposes some baseline standards for both types of entities, as well as for regulators that oversee them.
Separately, the New York State Department of Financial Services issued an update on cybersecurity in the banking sector. It indicated that it will prod banks to improve their oversight of the cybersecurity efforts of their third-party vendors through adoption of new regulations.
Among the baseline components IOSCO recommended that intermediaries include in their BCPs are (1) an identification of critical business functions and systems, along with primary and backup staff; (2) an assessment of the major threats and impacts considering a wide range of causes (e.g., fire, floods, local protests, terrorism and cyber attacks); (3) steps necessary to ensure clients are able to access their funds and securities promptly in case of a major disruption; (4) identification of dependencies on third-party entities, including clearing and settlement entities; (5) documented procedures for internal and external communications, including with employees, clients, service providers, regulators and other stakeholders (e.g., media); (6) an assessment of funding access and liquidity during a material disruption; and (7) an appropriate governance framework for implementing a successful BCP after a material disruption.
In order to protect against cyber attacks, as well as other threats against data, systems and client privacy, IOSCO recommended that intermediaries have a defined security and information technology policy that describes appropriate controls to restrict access to physical assets and information. This policy should address frequent back-up and recovery of data. IOSCO also recommended that intermediaries use back-up data centers to maintain electronic and hard-copy data, and that the policy address the use of firewalls, Internet security and third-party vendors.
IOSCO noted that, although most regulators have at least “some requirements” for intermediaries to maintain BCPs, “it appears there are relatively few jurisdictions that impose the kind of ‘requirements’ with respect to BCPs where failure of a firm to comply might subject it to penalties.” As a result, it urged regulators to formally require intermediaries (1) “to create and maintain a written business continuity plan identifying procedures related to an emergency or a significant business disruption and (2) to update the BCP to reflect material changes in operations or business as well as to assess at least annually whether any other changes are warranted.”
IOSCO made similar recommendations regarding trading venues and the oversight of such entities by regulators. IOSCO specifically recommended that regulators require all trading venues to implement and maintain processes to ensure the “resiliency, reliability and integrity (including security) of critical systems” and a formal BCP.
Comments on IOSCO’s recommendations are due by close of business, June 6, 2015.
Separately, the NYS Department of Financial Services issued a report that identified weaknesses in controls by banking organizations to ensure that their third-party service providers had appropriate cybersecurity measures. According to a survey of more than 150 banking organizations, the NYDFS found that (1) approximately 33 percent of banking organizations did not require third-party service providers to notify them of information or other cybersecurity breaches; (2) fewer than 50 percent conducted any on-site assessment of their third-party vendors; (3) approximately 20 percent did not require third-party vendors to represent that they have minimum information security requirements; and (4) almost 50 percent did not require a warranty of the integrity of the third-party vendor’s data or products (e.g., that the data is free of viruses).
My View: It has often been said that there are only two types of financial services firms: those that have experienced cybersecurity breaches and addressed them, and those that have experienced cybersecurity breaches and did not know. Firms should evaluate their cybersecurity measures against objective standards such as those published by the National Institute of Standards and Technology in February 2014 in its Framework for Improving Critical Infrastructure Cybersecurity. Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority recently published insightful observations from their reviews of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats. These too should be reviewed. (Details of these studies and recommendations appear in the article “Industry Watchdogs Warn Brokers and Advisory Firms on Cybersecurity Threats” in the February 8, 2015 edition of Bridging the Week.)