
Cybersecurity and the Financial Firm

You may have become associated with a broker-dealer or investment adviser because your background was finance. Or marketing.  Or even political science, law, or psychology. Not technology. So why is cybersecurity your problem? 

Because the regulators have said it is.

Starting in 2014, the SEC “launched an initiative to examine broker-dealers and investment advisers’ cybersecurity compliance and controls” and would “continue th[o]se efforts [in 2015] and…expand them….”[a]  Specific to investment advisers, the SEC provided guidance this year that funds and advisers “may wish to consider,” and which includes:

  1. periodic assessments of a firm’s unique information gathering and storage, unique or general cyber threats to the firm and its clients, and technology to mitigate those threats;
  2. “a strategy…designed to prevent, detect and respond to cybersecurity threats”; and
  3. implementation of that strategy “through written policies and procedures and training that provide guidance to officers and employees concerning applicable threats and measures to prevent, detect and respond to such threats, and that monitor compliance with cybersecurity policies and procedures.”[b]

Likewise, FINRA has made it clear that broker-dealers “should develop, implement and test incident response plans. Key elements of such plans include containment and mitigation, eradication and recovery, investigation, notification and making customers whole.”[c]

The regulators have backed up their admonitions with bite. As of May 2014, “[t]he SEC and FINRA…brought more than 10 enforcement cases against firms based, at least in part, on cybersecurity-related failures.”[d] Those failures included “(1) cybersecurity governance; (2) protection of firm networks and customer information; (3) vendors and outsourcing; and (4) responding to cybersecurity breaches.”[e] And those violations were costly. The sanctions for those breaches ranged “from … $100,000 to $450,000. The only exception [was] a $27,500 fine imposed against a small firm…for a procedural violation without any customer harm.”[f]

What does a financial firm need to do? For starters, create a protocol to identify cyber risk unique to that firm and then create a process to manage that risk. Recently, a federal agency (the Federal Financial Institutions Examination Council (FFIEC))[g] facilitated that process by publishing its Cybersecurity Assessment Tool.[h]  According to the FFIEC, the Tool helps “institutions identify their risks and determine their cybersecurity preparedness[, and]…provides a repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.”[i]   As such, it provides some reassurance for firms, since the structure of the Tool “confirms regulatory focus on risk mitigation and adequate management of cybersecurity preparedness, not wholesale elimination of all risk of cyber breaches.”[j]

Financial firms may mitigate some future pain by using this tool. “This [FFIEC] guidance may…impact how regulators, or in the event of a problem, courts hearing civil lawsuits, assess both the institution’s level of preparedness and how the company’s directors and officers discharged their responsibilities in creating and maintaining cybersecurity measures.”[k] And the risk mitigation isn’t just for the financial firms. It is also for their officers and directors: “FFIEC set forth specific expectations for the boards of financial institutions (as well as their CEOs), signaling not only the importance of governance in enterprise-wide cybersecurity risk management, but clarifying that future regulatory examinations will focus specifically on whether the Board fulfilled its cybersecurity-related responsibilities.”[l]

Cybersecurity is now practically old news. Firms should not only have written cybersecurity protocols in place, but should be tweaking and testing their existing systems and documenting all cyber breaches. Doing so is not only good business; it shows the kind of firm-wide diligence that might reassure the regulators that your firm is “on it.” Cyber threats will only become more sophisticated, and cybersecurity will remain a priority for the regulators as data breaches and their consequences continue to headline the news. Do what’s necessary. Use the Cybersecurity Assessment Tool, or whatever other tool does the job, to assess the effectiveness of your protocols. Don’t become the subject of a regulatory enforcement referral because you or your firm fell short.

Bohdan S. Ozaruk

Attorney, Jones Morrison, LLP


[a] SEC National Exam Program, Examination Priorities for 2015, at 3, located at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf

[b] IM Guidance Update, No. 2015-02 (Apr. 2015), at 1-2, located at http://www.sec.gov/investment/im-guidance-2015-02.pdf

[c] FINRA Report on Cybersecurity Practices (Feb. 2015) (“FINRA Report”), at 2, located at https://www.finra.org/file/report-cybersecurity-practices

[d] B. Rubin, What To Expect From SEC, FINRA Cybersecurity Enforcement (May 5, 2014) (“B. Rubin, What To Expect”), located at http://www.law360.com/articles/534388/what-to-expect-from-sec-finra-cybersecurity-enforcement

[e] B. Rubin, What To Expect

[f] B. Rubin, What To Expect

[g] The FFIEC “is a formal interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions by the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the National Credit Union Administration (NCUA), the Office of the Comptroller of the Currency (OCC), and the Consumer Financial Protection Bureau (CFPB) and to make recommendations to promote uniformity in the supervision of financial institutions.” https://www.ffiec.gov/about.htm

[h] Located at https://www.ffiec.gov/cyberassessmenttool.htm

[i] https://www.ffiec.gov/cyberassessmenttool.htm

[j] A. Swaminathan, J. Halper, A. Kim, H. Ullman, N. Nahabet, New Guidance for Financial Institution Directors and Officers In Cybersecurity Preparedness (Aug. 26, 2015) (“New Guidance-Cyber”), at 1, located at https://www.orrick.com/Events-and-Publications/Pages/New-Guidance-for-Financial-Institution-Directors-and-Officers-In-Cybersecurity-Preparedness.aspx

[k] New Guidance-Cyber, at 1.

[l] New Guidance-Cyber, at 1.

 

 
CONTACT MANAGING PARTNER
Stephen J. Jones
Direct Dial For All Offices
914.713.9311  
Telephone
914.472.2300