Last week, the SEC and FINRA separately issued warnings to investment firms about lurking cybersecurity threats.
The SEC’s Risk Alert summarizes the Office of Compliance Inspections and Examinations’ recent examination sweep of 57 broker-dealers and 49 investment advisers. The examinations focused on how firms identify cybersecurity risks; establish cybersecurity policies, procedures, and oversight processes; protect their networks and information; identify and address risks associated with remote access to client information, funds transfer requests, and third-party vendors; and detect unauthorized activity.
The good, the bad and the ugly. On the positive side, OCIE’s examination found that the vast majority of examined broker-dealers and advisers have adopted written information security policies and most also conduct periodic audits to determine compliance with these policies and procedures. The policies and procedures generally address mitigating the effects of a cybersecurity incident and/or outline the plan to recover from such an incident. However, the policies generally fail to address how firms determine whether they are responsible for client losses associated with cyber incidents, and even fewer offered security guarantees to protect their clients against cyber-related losses.
Similarly, while the vast majority of examined firms conduct periodic risk assessments, few applied these requirements to their vendors even though a majority of firms experienced cyber-attacks directly or through one or more of their vendors.
Almost two-thirds of the broker-dealers that received fraudulent emails reported the emails to the Financial Crimes Enforcement Network by filing a Suspicious Activity Report, but only a small number of those firms reported the fraudulent emails to law enforcement or other regulatory agencies. With the exception of an investment adviser who lost in excess of $75,000 as a result of a fraudulent email, advisers generally did not report incidents to a regulator or law enforcement.
Good practices. FINRA’s Report on Cybersecurity Practices identifies principles and effective practices for firms to consider. Good practices include a sound governance framework with strong leadership; the use of risk assessments; the adoption of technical controls; the development, implementation and testing of incident response plans; the exercise of strong due diligence across the lifecycle of vendor relationships; the training of staff; and the use of intelligence-sharing opportunities. FINRA expects firms to consider the principles and effective practices it presents and will assess the adequacy of firms’ cybersecurity programs in light of the risks they face.
Bad consequences. The consequences of failing to adopt a comprehensive cybersecurity policy were recounted by Kevin LaCroix of the D&O Diary. LaCroix noted that a federal district court has upheld the Federal Trade Commission’s authority to bring enforcement actions based on a company’s failure to protect its customers’ private information. And the SEC’s OCIE has made cybersecurity an examination priority for 2015. See the SEC Press Release. And citing the recent remarks of Vincente Martinez, who heads the SEC’s Office of Market Intelligence, Think Advisor said that the Commission and FINRA are using Regulation SP for cybersecurity enforcement purposes and that FINRA is also employing FINRA Rule 2010.