Does anyone disagree?
We have ample evidence that hackers have successfully hacked banks, broker-dealers, investment advisers, governments, and corporations of all types.
Relevant laws and regulations make it clear that registered representatives and investment adviser representatives have a duty to protect customer/client data, and although the word “cybersecurity” does not appear in Rule 30 of SEC Regulation S-P, Rule 30 is clearly a cybersecurity mandate.
Regulation S-ID, Identity Theft Red Flags Rules (“Reg S-ID”), approved April 10, 2013, requires firms to develop and implement an ongoing written program to detect, prevent and mitigate identity theft in connection with any covered accounts. Identity theft is only one form of cybercrime, and Reg S-ID has significant overlap with the provisions of Rule 30 of Reg S-P.
Two critical aspects of cybersecurity are incident management and recovery, so it is clear that cybersecurity has significant overlap with business continuity planning.
FINRA has adopted Rule 4370 – the emergency preparedness rule. Rule 4370 requires broker-dealers to create and maintain business continuity plans appropriate to the scale and scope of their businesses, and to provide FINRA with emergency contact information.
47 states, as well as the District of Columbia, Guam, Puerto Rico and the U.S. Virgin Islands, have adopted state data security / breach notification laws. The only states that have yet to do so are Alabama, New Mexico and South Dakota.
By the time you hear thunder, it’s too late to build the ark!
The SEC’s recent cybersecurity sweep exam letter showed the following results:
- 79% of investment advisers conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities, and use these assessments to establish their cybersecurity policies and procedures.
- 32% of investment advisers require cybersecurity risk assessments of vendors with access to their firms’ networks.
- 74% of investment advisers have experienced cyber-attacks directly or through one or more of their vendors.
- 4% of investment advisers reported incidents in which a firm employee engaged in cybersecurity-related misconduct.
- 30% of investment advisers have specifically designated a "Chief Information Security Officer" for the firm.
- 21% of investment advisers maintain insurance for cybersecurity incidents.
Cybersecurity may appear to be a daunting objective; however, there are resources that may arm us with the knowledge and tools to implement a robust cybersecurity program. The SEC sweep exam letter incorporates the NIST Cybersecurity Framework (identify, protect, detect, respond, recover) and applies it to the financial services industry. The sweep letter poses twenty-eight questions which could lead a thoughtful reader towards actionable guidance on how to create and implement a cybersecurity program.
Whether we read materials from the SEC, FINRA, NIST, or seek expert help from others, we realize that an essential element of a cybersecurity program is the prioritization of resources and risks. While every firm is different, for most firms the top priority should be securing data – in other words, data backup and data encryption.
Cybersecurity touches upon human elements as well as technical elements, so user awareness training is essential. Training topics should include the safe use of email, websites, mobile devices, home computers and public Wi-Fi, among others. As those in the know say, “passwords are so 20th century – multi-factor authentication is where it’s at today…”
Let’s Do Something Constructive Today To Secure Customer/Client Data
Superintendent of Financial Services for the New York State Department of Financial Services Benjamin Lawsky recently commented about his cybersecurity concerns for the agency:
“I am deeply worried that we are soon going to see a major cyber attack aimed at the financial system that is going to make all of us shudder. Cyber hacking could represent a systemic risk to our financial markets by creating a run or panic that spills over into the broader economy. Indeed, we are concerned that within the next decade (or perhaps sooner), we will experience an Armageddon‐type cyber event that causes a significant disruption in the financial system for a period of time—what some have termed a ‘cyber 9/11’.”