SEC, FINRA Want to Know Your Cybersecurity Plan
As regulators zero in on cybersecurity, they are expecting brokers and advisors to do the same.
When the SEC and FINRA released the results of a series of sweep exams looking at firms' cyber defenses, it was perhaps the clearest signal yet that information security is a top priority for the regulators, who increasingly are expecting brokers and advisors to establish some type of formal framework to deal with the mounting threats.
And as long as the attacks keep coming, the issue will stay at the forefront, regulators said this week at a broker-dealer compliance forum co-hosted by the SEC and FINRA.
Cybersecurity "is and will remain a key area of focus" for regulators and the firms they oversee, says Susan Axelrod, FINRA's executive vice president for regulatory operations.
The SEC offers a similar message. RIAs can expect examiners to take a close look at the policies and procedures they have in place to protect sensitive information and keep hackers and scam artists at bay.
Christopher Hetner, the cybersecurity lead in the Technology Controls Program at the SEC's Office of Compliance Inspections and Examinations, says the commission is calling on industry members to elevate security as an institutional priority, indicating that examiners will carry that message as they review brokerage and advisory practices.
The commission's "long-term vision is for the industry to develop a set of protocols and dedicate sufficient resources to make their firms an uninviting and hardened cybersecurity target, therefore shifting the threat actors' attention and efforts away from the securities market," Hetner says. "The plan is to conduct examinations, inform policy and achieve a heightened awareness throughout the industry through education and outreach."
Officials at both regulatory bodies acknowledge that cybersecurity can be a daunting challenge, particularly for small practices without a large technical staff and at a time when the threats are coming from a variety of increasingly sophisticated attackers. But they urge firms to view cybersecurity as a business priority, noting the extensive costs and reputational damage advisors can incur following a breach.
"The actors can range from nation-states to criminal organizations to insiders with privileged access to systems," Hetner says. "Yes, each actor may vary in capability and intent, however, the common denominator is the devastating impact that occurs when a cyberattack is successfully executed."
When FINRA announced the findings of its security exams in February, the industry regulator offered a detailed report providing guidance for firms developing a cybersecurity program. That report touched on a variety of topics, including conducting a risk assessment, staff training and evaluating the security posture of third-party vendors.
FINRA Executive Vice President Daniel Sibears stresses the connection between cybersecurity and a firm's overall governance structure.
"We've got to link cyber risks to the people that are running the organization from a governance perspective," he says.
Cybersecurity needs to be among the issues brought up in board meetings, Sibears says, taking care to note that regulators still expect smaller firms that might not have a board to elevate the issue to the highest levels of the practice.
"When I talk about governance and boards, it doesn't mean that if you're a small or a medium-sized that you shouldn't do the same thing," he says. "You might not do it in the context of a board, but you do it in the context of your senior or your executive management and you follow those same principles."
Kenneth Corbin is a Financial Planning contributing writer in Washington and Boston.