- The SEC and FINRA Will Continue to Audit the Financial Services Industry to Ensure Cybersecurity Protocols Are Current and Viable
- March 5, 2015 | Author: Carlos Enrique Provencio
- Law Firms: Wilson Elser Moskowitz Edelman & Dicker LLP - Dallas Office; Wilson Elser Moskowitz Edelman & Dicker LLP - Washington Office
On February 2, 2015, Wilson Elser released an overview entitled Corporate Hacking and the Financial Services Industry that provided in-house counsel with talking points to better discuss and understand their corporate cyber-resilience plans. The following day, information on the SEC and FINRA cyber sweeps was released to the public.
The SEC, in its Cyber Security Examination Sweep Summary, highlighted cybersecurity governance as an area where firms have focused resources to limit exposure to cyber risk. The summary indicated that a majority of broker-dealers and registered investment advisors have adopted written information security policies, frequently within their business continuity plans. It also noted that the vast majority of firms conduct firmwide periodic assessments. Some have plans and protocols for assessing the cyber risk of vendors and business partners. Finally, as recommended in Corporate Hacking and the Financial Services Industry, most firms inventory and map the computers, handheld devices, software and log-in capabilities of their systems’ users and employ encryption technology.
These are all positive points, but the SEC summary also highlighted deficiencies in the efforts. It demonstrates that widespread weaknesses remain in how broker-dealers and advisors are addressing cybersecurity with their vendors. The great majority of advisors are not requiring vendors with access to their networks to conduct risk assessments, nor are they incorporating cybersecurity concerns into their vendor contracts. A substantial percentage of the surveyed advisors and broker-dealers are lacking policies and procedures to ensure that business partners and vendors with access to their networks are trained regarding cybersecurity. Further, more than half of the advisors and a significant percentage of broker-dealers are not insured against cybersecurity incidents.
What the SEC did not survey was the technical sufficiency of the firms’ governance efforts. In other words, the SEC demonstrated that there is industry-wide use of cybersecurity protocols, but cannot confirm whether firms are using technically sufficient methods to protect themselves. As discussed in Corporate Hacking and the Financial Services Industry, firms can confirm the sufficiency of their methods through audits and penetration tests. Not surprisingly, 88 percent of the broker-dealers and 74 percent of the advisors reviewed have been the subject of a cyber-related incident. As stated in Corporate Hacking, the question is not if you will be hacked but when you will be hacked. Perhaps what was most surprising was the low number of broker-dealers (58 percent) and advisors (21 percent) who carry cyber-insurance. Nevertheless, as noted in Wilson Elser’s overview, companywide awareness is the first important step in developing a multilayer cyber defense.
FINRA’s Report of Cybersecurity Practices, a much more in-depth report than the SEC’s, provides an encompassing look at governance, detection, prevention and remediation of cyber incidents. Like the SEC’s summary, FINRA’s report stresses the importance of firmwide governance over all aspects of cybersecurity. Like Corporate Hacking and the Financial Services Industry, FINRA correctly instructs that firms “need to incorporate multiple views - including from the business, information technology, risk management and internal audit - in conjunction with senior management and board oversight to implement an effective cybersecurity program.”
FINRA also encourages industry intelligence sharing as well as use of NIST, ISO and IEC technology frameworks in developing inventory and mapping protocols. One area where FINRA provides useful guidance not addressed by the SEC is the use of a security metrics system for measuring progress in implementation, effectiveness and impact of cybersecurity. FINRA describes one firm’s security dashboard for tracking patch coverage, vulnerability management, security infrastructure performance (e.g., anti-malware, anti-spam, posture checking), access control management, secure application development, training and awareness, and vendor risk. Finally, FINRA’s report provides extensive treatment of the topic of cyber-insurance. Among the firms that FINRA reviewed, 71 percent of firms either purchased stand-alone cyber coverage or added a cybersecurity rider to their fidelity bonds.
As noted, there are no assurances against being hacked. As the SEC summary and FINRA report suggest, however, a lot can be done to mitigate the risk in the area of information security: The regulators expect all of their member firms to be aware, knowledgeable and vigorous in protecting the “personally identifiable information” of investors. Rest assured, the SEC and FINRA will continue to audit member firms to ensure that they are updating their cybersecurity protocols to combat new threats.