Why is there a sudden increase in interest in cybersecurity among regulatory agencies? The answer lies in the recent cyber attacks on Main Street, which have prompted Wall Street regulators to assess whether their market participants are vulnerable to such attacks and, if so, what they are doing to protect their clients' information.
On January 30, 2014, the Securities and Exchange Commission (SEC) informed a group of compliance professionals that the agency will assess how asset managers are protecting clients' non-public information. In the same month, the Financial Industry Regulatory Authority (FINRA) issued a targeted examination letter (also known as a sweep examination) to assess broker-dealers' approaches to managing cybersecurity threats, with the goal of better understanding the following:
- Types of threats firms face
- Exposure and major areas of vulnerability
- Each firm’s approach to managing cybersecurity threats (i.e., risk assessment process, IT protocol and supervision)
SEC to review vendor due diligence process
The SEC's assessment will include reviewing financial institutions' IT policies, IT training and due diligence on their vendors. Based on comments made by the SEC during the January 30 meeting, the agency appears particularly interested in financial institutions' due diligence on vendors, especially those vendors with access to sensitive client information. The interest in vendors may be due to the ongoing investigation into the intrusion at Target Corp., which investigators have reportedly traced back to a heating, ventilation and air conditioning vendor whose network credentials may have been stolen by the attackers.
FINRA to assess broker-dealers’ cybersecurity
FINRA’s sweep examination will address a number of areas related to cybersecurity at broker-dealers, including:
- Risk assessment of the firm’s information technology
- Business continuity plans in case of a cyber attack
- Organizational structure and reporting lines
- Process of sharing and obtaining information about cybersecurity threats
- Industry threats and concerns
- Cybersecurity impact on the firm over the last 12 months
- Approaches to handling distributed denial-of-service (DDoS) attacks
- Training programs
- Insurance coverage for cybersecurity-related events
- Contractual arrangements with third-party service providers
Customer information protection requirement
Financial institutions registered with the SEC, including broker-dealers, investment advisers and asset managers, and investment companies, are required to comply with Regulation S-P. Section 248.30 of Regulation S-P requires that firms adopt written policies and procedures reasonably designed to safeguard customer records and information against anticipated threats and unauthorized access.
Regulation S-P has been in effect since November 13, 2000, but compliance is not a one-time exercise: financial institutions should maintain an ongoing program to review their policies and procedures and confirm they remain reasonably designed to comply with the rule. In addition, financial institutions should conduct a thorough IT risk assessment and penetration test of their existing IT infrastructure to identify weaknesses and mitigate risks.
SEC roundtable on cybersecurity
The recent cyber attacks on Main Street have prompted Wall Street regulators to take a hard look at financial institutions' cybersecurity policies and procedures.
On March 26, 2014, the SEC will host a roundtable in Washington, D.C. to discuss cybersecurity with market participants and public companies. The roundtable will be divided into four panels:
- Overall cybersecurity landscape
- Public company disclosure issues
- Cybersecurity for exchanges and other key market systems
- How broker-dealers, investment advisers, and transfer agents address cybersecurity issues, including identity theft and data protection
Broker-dealers can also expect FINRA to share its findings from cybersecurity sweep examinations in the coming year.