Increased Focus on Cybersecurity Threats
April 16, 2014
FINRA to Examine Broker-Dealers for Cybersecurity Threats
In its 2014 Regulatory and Examination Priorities Letter, FINRA noted that cybersecurity remains a priority and that it will focus on "the integrity of firms’ policies, procedures and controls to protect sensitive customer data." In line with this priority, FINRA announced a Targeted Examination Letter detailing its intention to conduct an assessment of firms’ approaches to managing cybersecurity threats, which FINRA noted may cause potential harm to investors, firms, and the financial system as a whole. FINRA intends to survey and assess about 20 firms with a variety of business models. FINRA’s assessment will focus on areas relating to cybersecurity, including:
- business continuity plans in the event of a cyber-attack;
- understanding concerns and threats faced by the industry;
- assessing the impact of cyber-attacks on the firm over the past year;
- training programs;
- insurance coverage for cybersecurity-related events; and
- arrangements with third-party service providers.
FINRA hopes that its assessment will help it achieve four broad goals: (1) to better understand the threats that firms face; (2) to increase its understanding of firms’ risk appetites, exposure, and major areas of vulnerabilities in their IT systems; (3) to better understand how firms could and do manage these threats; and (4) to share observations and findings as appropriate.
While one of FINRA’s goals appears to be information sharing, broker-dealers should understand that FINRA could take action based on examination findings of weaknesses in cybersecurity controls. At a minimum, broker-dealers should have a process in place for monitoring cyber threats and for protecting data should an attack occur.
Sources: FINRA Regulatory Examination Priorities (January 2, 2014), available at http://www.finra.org/web/groups/industry/@ip/@reg/@guide/documents/industry/p419710.pdf; FINRA, Targeted Examination Letters Re: Cybersecurity (January 2014).
SEC Examiners to Review Asset Managers Cybersecurity Defenses
As part of OCIE’s routine examinations, the staff intends to scrutinize the policies and procedures that asset managers use to prevent and to detect cyber-attacks. Additionally, the staff will assess whether asset managers are reviewing and enhancing safeguards to protect against security risks. To prepare for such exams, asset managers should review their information technology training programs, analyze whether vendor access to their systems creates potential weaknesses, and review their vendors’ due diligence processes. SEC examiners may also evaluate whether asset managers are properly reporting "material" cyber events to regulators.
Source: SEC Examiners to Review How Asset Managers Fend Off Cyber Attacks, Reuters, Sarah N. Lynch (January 30, 2014).
SEC Holds Cybersecurity Roundtable
On March 26, 2014, the SEC held the Cybersecurity Roundtable in light of growing concerns regarding cybersecurity. The focus of the roundtable was to advise the SEC, the industry, other government agencies, and the private sector of the cybersecurity risks and the strategies to address such risks. The roundtable was divided into four panels: (i) Cybersecurity Landscape, (ii) Public Company Disclosure, (iii) Market Systems, and (iv) Broker-Dealers, Investment Advisers, and Transfer Agents. While each panel focused on specific questions regarding cyber threats and security concerns, several themes ran through every panel’s discussion.
Panelists generally agreed that cybersecurity is one of the primary risks for businesses today and noted that businesses should evaluate both external cybersecurity risks, including those posed by third-party service providers, and internal cybersecurity risks. When discussing what actions the SEC should take in response to these threats, the panelists largely believed that the SEC should issue principles-based guidance rather than craft rules that attempt to address all industries. They noted that such rules may not be effective, given that one solution does not apply to all scenarios and that, because of swift advances in technology, any rules would likely be outdated not long after adoption. Several panelists did note, however, that the SEC should encourage information sharing among registrants and with other regulatory agencies.
The role of the board of directors was another theme that arose in several panel discussions. Participants repeated that the board’s role is one of oversight, and subject-matter expertise regarding cybersecurity is not required. In fact, they noted that board members who are generalists are better suited to address a variety of business issues. To fulfill their oversight role, boards should be kept apprised of information and should ask meaningful questions regarding a company’s preventive actions.
Finally, panelists also acknowledged that developing procedures for identifying potential enterprise-wide risks, and establishing methods for responding to them, are the best ways to prepare a company for future cyber-attacks. Some panelists even recommended conducting cyber-attack simulations and involving senior management in those simulations.
While the staff did not indicate that additional rulemaking in response to the roundtable was imminent, as noted above under "SEC Examiners to Review Asset Managers Cybersecurity Defenses," the SEC is moving ahead on reviewing and scrutinizing asset managers’ preventative cybersecurity policies and procedures. The SEC is accepting comments regarding issues addressed at the roundtable until May 2, 2014.
Source: Investment Company Institute Memorandum Regarding Summary of the SEC’s March 26 Cybersecurity Roundtable (March 28, 2014).