Increasing attacks on financial services firms and other industries have prompted the creation of cybersecurity regulations and guidelines from the U.S. Securities and Exchange Commission (SEC) and the Securities and Futures Commission (SFC) of Hong Kong, among others.
C-level executives expect cybersecurity to become a top priority for regulators in 2016: some 19% expect it to be the number one priority for regulators in 2016, against 18% for AML and KYC requirements and 15% for efforts to ensure a firm-wide culture of compliance, according to a recent report by Duff & Phelps. These results for cybersecurity were largely driven by US respondents, 35% of whom expect regulators to prioritize this area. In the UK the figure was lower, at 12%, with compliance culture (22%) seen as the focus for regulators – a reflection, perhaps, of the Senior Managers and Certification Regimes being introduced for banks, and likely for the wider industry. The findings come from an online survey of 193 financial services professionals (including 98 senior executives) from across the world.
In 2016, SEC-regulated companies (mainly securities exchanges, securities brokers and dealers, investment advisers and mutual funds) will have to update their existing cybersecurity policies and procedures and address the main concerns that the Office of Compliance Inspections and Examinations identified last year as its areas of focus for the upcoming examination initiative:
Governance and Risk Assessment:
Examiners may assess whether registrants have cybersecurity governance and risk assessment processes relative to the key areas of focus discussed below. Examiners also may assess whether firms periodically evaluate cybersecurity risks and whether their controls and risk assessment processes are tailored to their business. Examiners also may review the level of communication to, and involvement of, senior management and boards of directors.
Access Rights and Controls:
Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to various systems and data via management of user credentials, authentication and authorization methods. This may include a review of controls associated with remote access, customer logins, passwords, firm protocols for addressing customer login problems, network segmentation and tiered access.
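The two basic controls named above, revoking access when personnel change and requiring multifactor authentication for remote access, are the kind of thing an access review checks mechanically. The following is an added example of such a reconciliation, not code from the SEC or from any firm: it compares a personnel roster against an account list and a role-to-entitlement policy table, all of which are constructed sample data, and reports the findings an examiner would expect the firm to have found first.

```python
"""Access-rights review: reconcile account entitlements against the personnel roster.

Added example. The roster, accounts and role table below are constructed
sample data, not taken from any real firm.
"""
from dataclasses import dataclass

# Entitlements each job role is expected to hold (constructed policy table).
ROLE_ENTITLEMENTS = {
    "trader": {"oms", "market-data"},
    "ops": {"oms", "settlement"},
    "compliance": {"surveillance", "settlement"},
}


@dataclass
class Person:
    user_id: str
    role: str
    status: str  # "active" or "terminated"


@dataclass
class Account:
    user_id: str
    entitlements: set
    mfa_enabled: bool
    remote_access: bool


def review_access(roster, accounts):
    """Return (user_id, finding) tuples that an access review should raise."""
    people = {p.user_id: p for p in roster}
    findings = []
    for acct in accounts:
        person = people.get(acct.user_id)
        if person is None:
            # An account with no personnel record has nobody accountable for it.
            findings.append((acct.user_id, "orphaned account: no matching personnel record"))
            continue
        if person.status == "terminated":
            # Access rights were not updated after a personnel change.
            findings.append((acct.user_id, "account still enabled for terminated user"))
            continue
        allowed = ROLE_ENTITLEMENTS.get(person.role, set())
        excess = acct.entitlements - allowed
        if excess:
            findings.append((acct.user_id,
                             f"entitlements beyond role '{person.role}': {sorted(excess)}"))
        if acct.remote_access and not acct.mfa_enabled:
            findings.append((acct.user_id,
                             "remote access permitted without multifactor authentication"))
    return findings


# Constructed sample input: one clean account and four distinct problems.
SAMPLE_ROSTER = [
    Person("alice", "trader", "active"),
    Person("bob", "ops", "terminated"),
    Person("carol", "compliance", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("alice", {"oms", "market-data", "settlement"}, True, True),
    Account("bob", {"oms", "settlement"}, True, False),
    Account("carol", {"surveillance", "settlement"}, False, True),
    Account("dave", {"oms"}, True, True),
]


def run_sample():
    """Run the review over the constructed sample and return the findings."""
    return review_access(SAMPLE_ROSTER, SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

In practice the roster would come from the HR system and the account list from each application or the directory; the value of the check is that it is repeatable on every personnel change rather than once a year before the examination.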
Data Loss Prevention:
Some data breaches may have resulted from the absence of robust controls in the areas of patch management and system configuration. Examiners may assess how firms monitor the volume of content transferred outside of the firm by its employees or through third parties, such as by email attachments or uploads. Examiners also may assess how firms monitor for potentially unauthorized data transfers and may review how firms verify the authenticity of a customer request to transfer funds.
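Monitoring the volume of content leaving the firm by email attachment or upload, as described above, comes down to parsing the outbound-transfer log, discounting transfers that stay inside the firm, and summing per user and day against a baseline. The following is an added example of that logic, not code from the SEC or from any firm's DLP product; the log format, the firm domain and the log lines are all constructed, and the 100 MB threshold is an assumed baseline.

```python
"""Outbound-transfer volume monitoring over constructed log lines.

Added example. The log format, the firm domain and the sample lines are
constructed; a real DLP or mail gateway log will differ.
"""
import re
from collections import defaultdict

# Assumed format: "<timestamp> user=<id> channel=email|upload dest=<addr|host> bytes=<n>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) channel=(?P<channel>email|upload) "
    r"dest=(?P<dest>\S+) bytes=(?P<bytes>\d+)$"
)

# Constructed: destinations in these domains are internal and not counted as outbound.
FIRM_DOMAINS = {"firm.example"}


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    rec["day"] = rec["ts"][:10]  # ISO date prefix of the timestamp
    return rec


def is_external(dest):
    """True if an email address or upload host is outside the firm's domains."""
    domain = dest.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in FIRM_DOMAINS)


def outbound_volume(lines):
    """Sum bytes sent to external destinations per (user, day); skip unparseable lines."""
    totals = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_external(rec["dest"]):
            continue
        totals[(rec["user"], rec["day"])] += rec["bytes"]
    return dict(totals)


def flag_excess(totals, threshold_bytes):
    """Return (user, day, bytes) for every user-day above the baseline."""
    return sorted((user, day, total)
                  for (user, day), total in totals.items()
                  if total > threshold_bytes)


# Constructed sample log: an internal transfer, a malformed line, and one large upload.
SAMPLE_LOG = [
    "2016-01-12T09:14:02Z user=alice channel=email dest=client@partner.example bytes=240000",
    "2016-01-12T10:02:51Z user=alice channel=upload dest=share.example.net bytes=15000000",
    "2016-01-12T11:40:00Z user=bob channel=email dest=desk@firm.example bytes=50000000",
    "2016-01-13T18:55:13Z user=bob channel=upload dest=drive.example.org bytes=300000000",
    "this line is not in the expected format",
]

# Assumed per-user daily baseline; a real one would be derived from historical volume.
THRESHOLD_BYTES = 100_000_000


def run_sample():
    """Aggregate the constructed log and return the flagged user-days."""
    return flag_excess(outbound_volume(SAMPLE_LOG), THRESHOLD_BYTES)


if __name__ == "__main__":
    for user, day, total in run_sample():
        print(f"{user} sent {total} bytes outside the firm on {day}")
```

A per-user baseline is a crude first cut; the same aggregation keyed by destination domain or by file type is what an examiner would expect to see behind a claim that the firm "monitors unauthorized data transfers".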
Vendor Management:
Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms. As a result, examiners may focus on firm practices and controls related to vendor management, such as due diligence with regard to vendor selection, monitoring and oversight of vendors and contract terms. Examiners may assess how vendor relationships are considered part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
Training:
Without proper training, employees and vendors may place a firm’s data at risk. Some data breaches may result from unintentional employee actions such as a misplaced laptop, accessing a client account through an unsecured internet connection or opening messages or downloading attachments from an unknown source. With proper training, however, employees and vendors can be the firm’s first line of defense, such as by alerting firm IT professionals to suspicious activity and understanding and following firm protocols with respect to technology. Examiners may focus on how training is tailored to specific job functions and how training is designed to encourage responsible employee and vendor behavior. Examiners also may review how procedures for responding to cyber incidents under an incident response plan are integrated into regular personnel and vendor training.
Incident Response:
Firms generally acknowledge the increased risks related to cybersecurity attacks and future breaches. Examiners may assess whether firms have established policies, assigned roles, assessed system vulnerabilities and developed plans to address possible future events. This includes determining which firm data, assets and services warrant the most protection to help prevent attacks from causing significant harm.
“In sharing the key focus areas for the Cybersecurity Examination Initiative and the attached document request, the National Exam Program (NEP) hopes to encourage registered broker-dealers and investment advisers to reflect upon their own practices, policies, and procedures with respect to cybersecurity,” the SEC notes.
The SEC’s Office of Compliance Inspections and Examinations (OCIE) may review the areas mentioned above when examining registered entities on cybersecurity matters. Accordingly, OCIE will vary the information it requests and reviews, and whether it asks for that information to be produced in advance of an examination or reviews it on site, according to the specific circumstances presented by each firm’s business model, systems, and information technology environment.
Financial companies should be able to provide information regarding the firm’s:
- Chief Information Security Officer;
- organizational structure, particularly information regarding the positions and departments responsible for cybersecurity-related matters;
- board minutes and briefing materials, if applicable, regarding: cyber-related risks; cybersecurity incident response planning; actual cybersecurity incidents; and cybersecurity-related matters involving vendors;
- periodic risk assessments to identify cybersecurity threats, vulnerabilities and potential business and compliance consequences;
- policies related to penetration testing, whether conducted by or on behalf of the firm, and any related findings and responsive remediation efforts taken;
- vulnerability scans and any related findings and responsive remediation efforts taken.
“The SFC published a circular that supported the SEC’s alerts on cyber security, highlighting that registered entities desperately need to address the matters flagged by the regulators for priority review”, according to Duff & Phelps’ David Copland. “As the number of cyber threats continues to grow, failure to do so is a dangerous strategy. It is not enough to simply defend against yesterday’s attacks. Businesses now need to shift their focus to the proactive identification and management of security threats and vulnerabilities that relate to their particular business. Ill-informed firms risk overspending – often in the wrong areas – leaving both their finances and security destabilized, since certain facets of their company remain exposed to cybercrime. As such, firms must implement and enforce appropriate security procedures and policies, as well as the right security technology, to mitigate these threats in a financially reasonable manner.”
OCIE staff will continue its focus on cybersecurity by examining registered broker-dealers and investment advisers. The examinations will focus on key topics including governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.