How Financial Firms Can Meet Cybersecurity Expectations

The Financial Industry Regulatory Authority (FINRA)  and the Securities and Exchange Commission (SEC) recently released their findings and industry practices reports based on last year’s sweep examinations. Broker-dealers and registered investment advisory (RIA) firms hoping to be in compliance with industry regulations should take steps today to improve their IT security based on the reports as well as on 2015 examination priorities issued by both agencies.

In early 2014, FINRA and the SEC conducted focus examinations on broker-dealers and investment advisory firms’ cybersecurity frameworks. FINRA sent targeted examination letters to broker-dealers to gain an understanding of the state of cybersecurity in the industry. Additionally, the SEC Office of Compliance Inspections and Examinations (OCIE) staff examined registered broker-dealers and investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

As the result of the sweep examination, FINRA issued its findings in the February 2015 Report on Cybersecurity Practices which includes industry practices for risk management that can help broker-dealers improve their information technology (IT) security and comply with regulations. The agency’s  2015 Examination Priorities letter builds upon the policies outlined in the 2014 report and also introduces guidance on complying with Rule 17a-4(f), concerning the appropriate methods of storing electronic records in the event of a cyber-attack.

The result of the SEC’s focus examination was issued in the February 2015 Cybersecurity Examination Sweep Summary which outlines the examined firms’ practices for identifying risks related to cybersecurity, establishing cybersecurity governance, protecting firm networks and information, identifying and addressing risks associated with vendors and other third parties and detecting unauthorized activity in their systems. The SEC’s 2015 Examination Priorities Letter continues the initiative to review cybersecurity compliance and controls and expand the responsible parties to include transfer agents.

Best practices outlined in FINRA’s 2015 report

While there is no one-size fits all approach to cybersecurity, FINRA’s 2015 report offers a comprehensive approach to cybersecurity that broker-dealers should consider in their IT compliance efforts. Specifically, the report outlines “principles and effective practices” for cybersecurity that are intended to assist firms in their efforts to respond to sophisticated and evolving cyber-threats by 1) identifying and addressing vulnerabilities in their systems; and 2) reviewing their approach to managing threats to risk assessment procedures, IT protocols and application management.

Last year’s focus examinations were conducted in light of increasing threats for firms’ IT systems from a variety of sources and the potential harm those threats pose to investors, firms and financial systems as a whole. The 2015 report highlights the critical role that IT plays in the industry and the importance of protecting valuable investor information.

Specifically, FINRA’s report highlights eight key areas related to cyber security:

1. The importance of a sound governance framework with strong leadership
2. Risk assessment of the firm’s information technology systems
3. Technical controls and in-depth strategies to conceptualize control implementation
4. Development, implementation and testing of incident response plans
5. Contractual arrangements with third party security service providers
6. Training programs
7. Current understanding of concerns and threats in the industry
8. Insurance coverage for cybersecurity-related events

Findings from the SEC’s cybersecurity examination

OCIE’s cybersecurity initiative sought to assess the preparedness of securities firms and obtain a better understanding about the industry’s recent experience with attacks in order to better protect investors and markets from risk. In 2014, more than 50 broker-dealers and approximately 50 RIAs received requests for information from the SEC, including records needed to assess financial institutions’ cybersecurity frameworks.

Specifically, the OCIE cybersecurity examination focused on the following:

1. Cybersecurity governance
2. Cybersecurity risk identification
3. Network and information protection
4. Remote customer and employee access
5. Fund transfer requests
6. Vendors and third party management
7. Unauthorized access detection

The Cybersecurity Examination Sweep Summary report found that 88% of examined broker-dealers and 74% of examined RIAs have been the subject of a cyberincident.

Of the firms examined, most have adopted written information security policies that include business continuity plans, utilizing external standards for best-practice guidance. Many firms identify best practices through information-sharing networks such as industry groups, associations and organizations.

The findings varied when the SEC examined firms’ cybersecurity risk policies related to vendors and third-party business partners. Most broker-dealers incorporate cybersecurity risk requirements into their vendor contracts, but the majority of advisors failed to do so, according to the report.

Improving your firm’s cybersecurity

Because of the nature of information that broker-dealers and investment advisors obtain about investors, they are especially vulnerable to cybersecurity threats. Firms have access to sensitive information including social security numbers, addresses, birthdates, bank account numbers, and other valuable information that cyber-criminals could potentially sell to the highest bidder.

FINRA’s and the SEC’s 2014 sweep examination results demonstrate a need for a robust cybersecurity infrastructure – something that can be time-consuming and costly to implement. Firms with small IT teams may not have adequate resources in-house, and so they may want to consider engaging a third-party IT provider who can help them comply.

For example, one section of the FINRA examination report highlights the need for incident response planning, including policies and procedures and roles and responsibilities for escalating and responding to cyber-incidents. Small firms may not have the in-house resources to properly contain and mitigate cyber-incidents and implement credit monitoring or reimbursement strategies for clients.

Will  broker-dealers and RIAs be ready for an  examination tomorrow? Preparing for a cybersecurity examination requires a multi-dimensional approach. Below are some questions that broker-dealers and RIAs should ask when determining if there is a need to enhance existing cybersecurity policies and procedures at their firms.

• Does my firm’s written information security program follow an established framework?
• Has my firm performed a risk assessment, including a review of technology, cybersecurity procedures, online account access platforms, and physical threats in the last 12 months?
• Does my firm have a written business continuity plan that includes cybersecurity threats?
• Does my firm encrypt data when it is in storage and in transmission? If so, do we have a documented policy for encryption?
• Has my firm performed vulnerability testing in the last 12 months?
• Does my firm have procedures in place to authenticate email requests that seek to transfer customer funds? If so, are our employees aware of the importance of following protocol?
• Does my firm have a vendor management program to manage the risk posed to our organization by each vendor?
• Do our vendor and business partner contracts include cybersecurity requirements?
• Is my firm’s network segregated to protect customer data?
• Does my firm provide remote access to our network and, if so, is it controlled and monitored?

For small firms struggling with the cost of compliance, questions like these can be overwhelming. Addressing cybersecurity compliance requirements with limited resources is a step-by-step process. Larger firms may already have the resources needed to comply, but smaller firms may need to consider more practical and cost efficient approaches to mitigating cybersecurity threats.

Firms that plan to hire third-party vendors or that have existing vendor relationships that include access to sensitive information should have a plan in place to screen and manage those candidates.  Ask vendors to show that they are meeting industry standards, quiz them on their cybersecurity policies, and inquire about the internal controls they have in place to help assess their level of cyber-protection.

Consequences for non-compliance

Firms that fail to comply with FINRA and SEC regulations may face significant fines or other enforcement measures. Before the sweeps began, enforcement actions were taken against firms with cybersecurity failures such as inadequate written procedures and a failure to conduct assessments of those procedures. Those actions included fines of up to $250,000.

Now that both agencies have released their cybersecurity examination reports and examination priorities letters, FINRA and the SEC will likely take enforcement actions against firms that suffer data breaches – whether the customers are harmed through the release of sensitive data or not – which may include sanctions and six-figure fines.

With FINRA and SEC’s February 2015 cybersecurity reports and 2015 examination priorities letters released by both agencies, firms should take immediate action to comply with regulations. The issues highlighted in both the SEC’s Cybersecurity Examination Sweep Summary and FINRA’s 2015 Report on Cybersecurity Practices demonstrate the expectations that both agencies have about cybersecurity. Firms should apply these insights to buttress their IT frameworks.

_____

Bao Q. Nguyen, MBA, CAMS, is a risk advisory services director in Kaufman Rossin’s Boca Raton, Florida, office. Bao can be reached at bnguyen@kaufmanrossin.com.

Jorge Rey, CISA, CISM, CGEIT, is an information security and compliance director in Kaufman Rossin’s Miami office. Jorge can be reached at jrey@kaufmanrossin.com.