SEC, FINRA Taking a Closer Look at Cyber-Security Risks

After many years on the back-burner, cyber-security is suddenly a hot topic at the Securities and Exchange Commission and other regulators.

The SEC is now looking closely at how best to protect the integrity of securities market systems and customer data, as well as how material information about data breaches at public companies should be disclosed to investors and the public.

The Financial Industry Regulatory Authority is also taking a harder look at how data security lapses could affect financial markets.  In January, for example, FINRA announced that it would be conducting a sweep of the securities firms it regulates this year to assess firms' approaches to managing cyber-security risks. Citing increased threats to firms' critical IT systems, and their potential harm to investors, firms, and financial systems, FINRA stated that the purpose of its inquiry was to:

better understand the types of threats that firms face;

increase FINRA's understanding of firms' risk appetite, exposure, and major areas of vulnerabilities in their IT systems; and

better understand firms' approaches to managing these threats, including through risk assessment processes, IT protocols, application management practices, and supervision.

In April, Daniel Sibears of FINRA, which promised to share its findings and observations with member firms, said that the preliminary results of its inquiry showed that the top cyber-security risks facing broker-dealers are “operational risk, ‘insider' risks posed by rogue employees, and hackers penetrating [broker-dealer] systems.” Sibears added that he expected FINRA to “push out some effective practices” for broker-dealers to follow in the cyber-security area, which will presumably come after FINRA completes a full review and analysis of the results of the cyber-security inspections.

The SEC, too, has been sounding the alarm on cyber-security.  In February, SEC Commissioner Luis Aguilar stated at the annual SEC Speaks conference in Washington, D.C., that he was growing increasingly concerned with the potential for cyber-attacks on American companies and financial institutions that could bring serious harm to the financial markets.

“Clearly, both market participants and issuers need to consider and develop appropriate preventive safeguards, and they need to have adequate plans in place that will make it easier to quickly repair the damage of an attack.”

—Luis Aguilar,

Commissioner,

Securities and Exchange Commission

Aguilar is concerned that the SEC isn't doing enough to ensure that financial companies and other companies are preparing for attacks from hackers and others. He observed that the SEC's efforts in the cyber-security area so far have focused primarily on issuer disclosure obligations, rather than how SEC-regulated entities and public companies could best prepare for, and respond to, the “inevitable” cyber-attack.  “Clearly, both market participants and issuers need to consider and develop appropriate preventive safeguards, and they need to have adequate plans in place that will make it easier to quickly repair the damage of an attack,” Aguilar said.

At a March 26 cyber-security roundtable held at SEC headquarters in Washington, D.C., Chairman Mary Jo White, her  four fellow commissioners, and 33 cyber-security experts met for nearly six hours to explore the numerous data security issues facing public companies, exchanges, and investment firms such as broker-dealers and investment advisers. White began the meeting by stating that cyber-threats were now a global threat of “extraordinary and long-term seriousness” that had even surpassed terrorism in the eyes of the FBI. “The public and private sectors must be riveted, in lockstep, in addressing these threats,” she stated.

Aguilar stated that there was “no doubt that the SEC must play a role in this area.  What is less clear is what that role should be.” He said that it was his hope that following the roundtable, the SEC would be in a position to take additional steps to address cyber-threats.  One immediate step that Aguilar called for was the establishment of a cyber-security task force composed of representatives from each division of the agency that would regularly meet to discuss cyber-security issues and advise the Commission as appropriate. The SEC has yet to announce the formation of such a task force.

A Call to Action

A few key themes emerged from the cyber-security roundtable. One of the most important was the universal call from the panelists for greater sharing of information—both between private firms and between the public and private sectors.  “You can't have information security and information technology without information sharing,” said Larry Zelvin, director of the U.S. Department of Homeland Security's National Cyber-security and Communications Integration Center.  The Center fielded 240,000 incidents in 2013 and put out 12,000 actionable reports.

Andy Roth, a partner at the law firm Dentons, added that better information sharing would address the current problem of information asymmetry, where one side has much more information than the other. “The bad guys are very good at sharing information,” he observed.

Another key theme roundtable panelists raised was the importance of viewing cyber-security as a business issue rather than as an IT issue. The panelists emphasized the need for senior management in companies to help create a culture that cyber-security is everybody's responsibility, and offered a reminder that cyber-security is not a one-off type of problem that companies can hope to solve and then move past. 

Zelvin stated that there is nothing that financial firms can buy to make the issue of cyber-security go away. “There are people that can help you,” he said, “but ultimately I think it's the companies themselves that are really going to have to manage this.  You can't outsource it.  You can't buy this away.”

Ari Schwartz, acting senior director for cyber-security programs for the White House's National Security Council, agreed: “[it's] not really a problem that you're going to get past.  It's a problem you're going to manage.”

Like FINRA the SEC recently began working to gather more information from the securities industry on cyber-security readiness. The SEC's Office of Compliance Inspections and Examinations announced last month, for example, that it would begin examinations of more than 50 registered broker-dealers and registered investment advisers.

OCIE stated that the examinations would focus on items such as the firms' identification and assessment of cyber-security risks, protection of networks and information, cyber-security risks associated with vendors and other third parties, detection of unauthorized activity, and experiences with certain cyber-security threats.

Cyber-Security Assessments

In addition, OCIE published a detailed module with sample requests for information and documents that it said companies subject to cyber-security examinations could use to assess their firms' level of preparedness. Based on this module, securities firms should be prepared for detailed examinations in the following areas:

Identification of Risks/Cyber-security Governance: OCIE will probe firms' practices in areas such as inventorying physical devices, software platforms and systems; maps of network resources and data flows; lists of connections to the firm's network from external sources; and detailed information on periodic risk assessments, if any, by firms to identify cyber-security threats, vulnerabilities, and potential business consequences.

Protection of Firm Networks and Information: OCIE will seek information on firms' cyber-security risk-management process standards, and detailed information on firms' practices, policies, and controls regarding issues such as the protection of their networks; data destruction; encryption; and cyber-security incident response.

Risks Associated With Remote Customer Access and Funds Transfer Requests: OCIE will probe whether firms are providing customers with online account access, and how firms are authenticating customers and handling the risks of hackers.

Risks Associated With Vendors and Other Third Parties: OCIE will examine whether firms require cyber-security risk assessments for their vendors and business partners, and the standards established for such third parties.

Detection of Unauthorized Activity: OCIE will seek information on firms' practices aimed at detecting unauthorized activity on their networks and devices, such as aggregating and correlating event data from multiple sources, establishing written incident alert thresholds, network monitoring, and using software to detect malicious code on firm networks and mobile devices.

Incidents the Firm Has Experienced Since Jan. 1, 2013: OCIE will be gathering detailed information and documents on specific incidents that firms have experienced that resulted in “losses of more than $5,000, the unauthorized access to customer information, or the unavailability of a firm service for more than 10 minutes.”

While the OCIE examinations will be limited to just 50 firms at this point, the ramifications are much broader. As law firm Gibson Dunn noted in a recent memo to its clients, OCIE's publication of the module is not common practice and appears to indicate that the SEC wants all regulated firms to carefully re-assess their cyber-security risk-management processes.  Moreover, it is likely that the results of OCIE's examinations will be used by the SEC to help determine what role the agency should play in this area, including possible rulemaking initiatives.

In just the first four months of 2014, the issue of cyber-security has surged to the forefront in the world of securities regulation. Regulated entities should expect the SEC and other regulators' interest in this area to only increase in the months and years ahead.