You may have become associated with a broker-dealer or investment adviser because your background was finance. Or marketing. Or even political science, law, or psychology. Not technology. So why is cybersecurity your problem?
Because the regulators have said it is.
Starting in 2014, the SEC “launched an initiative to examine broker-dealers and investment advisers’ cybersecurity compliance and controls” and would “continue th[o]se efforts [in 2015] and…expand them….”[a] Specific to investment advisers, the SEC issued guidance in April 2015 that funds and advisers “may wish to consider,” and which includes:
- periodic assessments of a firm’s unique information gathering and storage, unique or general cyber threats to the firm and its clients, and technology to mitigate those threats;
- “a strategy…designed to prevent, detect and respond to cybersecurity threats”; and
- implementation of that strategy “through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.”[b]
Likewise, FINRA has made it clear that broker-dealers “should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.”[c]
What does a financial firm need to do? For starters, establish a protocol to identify the cyber risk unique to that firm, and then a process to manage that risk. Recently, a federal interagency body (the Federal Financial Institutions Examination Council (FFIEC))[g] facilitated that process by publishing its Cybersecurity Assessment Tool.[h] According to the FFIEC, the Tool helps “institutions identify their risks and determine their cybersecurity preparedness[, and]…provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”[i] As such, it provides some reassurance for firms, since the structure of the Tool “confirms regulatory focus on risk mitigation and adequate management of cybersecurity preparedness, not wholesale elimination of all risk of cyber breaches.”[j]
Financial firms may mitigate some future pain by using this tool. “This [FFIEC] guidance may…impact how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution’s level of preparedness and how the company’s directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.”[k] And the risk mitigation isn’t just for the financial firms. It is also for their officers and directors: “FFIEC set forth specific expectations for the boards of financial institutions (as well as their CEOs), signaling not only the importance of governance in enterprise-wide cybersecurity risk management, but clarifying that future regulatory examinations will focus specifically on whether the Board fulfilled its cybersecurity-related responsibilities.”[l]
Bohdan S. Ozaruk
Attorney, Jones Morrison, LLP
[a] SEC National Exam Program, Examination Priorities for 2015, at 3, located at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf
[b] IM Guidance Update, No. 2015-02 (Apr. 2015), at 1-2, located at http://www.sec.gov/investment/im-guidance-2015-02.pdf
[c] FINRA Report on Cybersecurity Practices (Feb. 2015) (“FINRA Report”), at 2, located at https://www.finra.org/file/report-cybersecurity-practices
[d] B. Rubin, What To Expect From SEC, FINRA Cybersecurity Enforcement (May 5, 2014) (“B. Rubin, What To Expect”), located at http://www.law360.com/articles/534388/what-to-expect-from-sec-finra-cybersecurity-enforcement
[e] B. Rubin, What To Expect
[f] B. Rubin, What To Expect
[g] The FFIEC “is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions.” https://www.ffiec.gov/about.htm
[j] A. Swaminathan, J. Halper, A. Kim, H. Ullman, N. Nahabet, New Guidance for Financial Institution Directors and Officers In Cybersecurity Preparedness (Aug. 26, 2015) (“New Guidance-Cyber”), at 1, located at https://www.orrick.com/EventsandPublications/Pages/NewGuidanceforFinancialInstitutionDirectorsandOfficersInCybersecurityPreparedness.aspx
[k] New Guidance-Cyber, at 1.
[l] New Guidance-Cyber, at 1.