Today’s independent financial advisors wear many hats, from portfolio manager to behavioral coach to chief financial officer of their own businesses. But there’s another responsibility that has become increasingly critical in recent years—that of identity protector. With major security breaches and other smaller-scale hacks on the rise, advisors need to understand where they may be vulnerable and what steps they should take to close any open doors to their clients’ sensitive information. It’s a big job, and it’s hard to know where to begin.
With this in mind, let’s look at some of the cybersecurity issues regulators are focusing on, as well as considerations for protecting your clients and your business.
FINRA’s Meeting of the Minds
Earlier this year, we attended the 2016 FINRA Cybersecurity Conference, which was a great opportunity to gather with industry peers and regulators and discuss the cybersecurity challenges and risks we face on a daily basis. One theme was abundantly clear: we are all in this together and have a common goal, which is to protect clients from the constant onslaught of scams and the bad actors that perpetrate them. Being successful at this? Well, that’s a different and much larger story.
Cybersecurity blueprints. As you might expect, the presenters and panelists at the FINRA conference highlighted the scams that financial professionals are seeing now or eventually will see. Perhaps the most valuable takeaway was how financial companies can approach implementing a cyber-risk program using the plethora of best practices and resources that are publicly available. There was a lot of discussion and guidance regarding cybersecurity frameworks—in particular NIST or ISO 27001—and how advisors can use these frameworks as “blueprints” to identify and mitigate risk exposure throughout their organizations.
Information sharing. Another key topic was cyber-threat information sharing, which is quickly becoming an invaluable and necessary lifeline that enables us to proactively protect our most important assets. The Financial Services Information Sharing and Analysis Center is one resource that financial institutions, broker/dealers, and regulators can use to share intelligence about threats and the actors associated with them.
Preventing common attacks is very much possible when you have the right intelligence in hand. Understanding the importance of this, the Department of Homeland Security is moving forward with the Cybersecurity Information Sharing Act. The biggest piece of cybersecurity legislation we've seen, it was passed just last year and includes preliminary guidance on how the private sector and government will communicate threat data. (To learn more, check out this post on the Data Protection Report.)
The SEC’s Focus on Cybersecurity
The SEC is another agency that has given cybersecurity special attention.
- In 2014, the SEC held a Cybersecurity Roundtable with industry representatives to discuss the importance of cybersecurity to the financial services industry.
- Shortly after this, the SEC conducted a Cybersecurity Examination Sweep, which involved targeted exams of more than 100 broker/dealers and investment advisers that assessed firms’ overall preparedness to deal with cyber attacks. The sweep exams requested information and documentation on how firms addressed risks related to cybersecurity, including governance, policies and procedures, network security, remote access to client information and fund transfers, vendors and due diligence, and detecting unauthorized third-party activity.
- In February 2015, the Cybersecurity Examination Sweep Summary was released.
- In September 2015, the SEC announced a second round of cybersecurity exams involving more testing of firm procedures and cybersecurity controls.
- In its Examination Priorities for 2016, the SEC announced that it will continue to focus on cybersecurity as a high-priority marketwide risk.
This activity makes it clear that the SEC will be including cybersecurity as a component of its broker/dealer and investment adviser exams for the foreseeable future. Further, it expects broker/dealers, investment advisers, and other financial firms to implement information security programs based on a framework of industry standards, practices, and guidelines. In fact, many of the questions in the first Cybersecurity Examination Sweep came directly from the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity. But what does this mean for you?
Preparation is critical. The SEC is currently conducting exams of broker/dealers and investment advisers of all shapes and sizes. During the exams, the SEC will ask to see your firm’s information security policies and procedures, interview staff, and request information on security incidents the firm has experienced. To prepare, you should review the SEC’s releases, including:
- The Office of Compliance Inspections and Examinations (OCIE) Cybersecurity Initiative
- OCIE’s 2015 Cybersecurity Examination Initiative
Be ready to answer all of the questions contained therein. Also, expect a more in-depth exam experience, as the SEC has started asking much more technical and detailed questions than ever before.