The SEC has expanded considerably its efforts relating to cyber-security, beefing up its regulatory examinations with targeted sweeps for cyber-security, as well as maintaining an active cyber-security enforcement program.
The SEC began its cyber-security initiative in April 2014, announcing its first cyber-security sweep of brokerage and investment advisory examinations in an SEC Risk Alert, which also published its so-called examination module (i.e., questionnaire) for use on targets of the sweep. About a year after that sweep, the SEC published a report containing some strong sentiments about cyber-security and then, on September 15, 2015, announced its second cyber-security sweep, doubling down on its efforts and once again providing an extensive examination module as a resource for regulated entities.
FINRA has concomitantly increased its cyber-security focus as well, releasing in February 2015 its Report on Cyber-security Practices, which provides an in-depth analysis of cyber-security at broker-dealers. Therein, FINRA proffered its expectations of cyber-security risk management practices at its member firms and followed up by publishing its own cyber-security checklist for small firms.
Given the intensifying scrutiny of the SEC and of FINRA, financial firms should consider redoubling data security efforts and launching a preemptive strike to counter future allegations of lackluster cyber-security—below are some suggestions on how.
Hire a CISO or form a data security committee (DSC). A CISO or DSC at a financial firm can impress SEC and FINRA examiners by centrally controlling all data security standards, auditing, and monitoring, thereby implementing a consistent paradigm of cyber-security oversight. A CISO or DSC can also provide a standard to baseline information security maturity—to determine levels of audit intrusiveness, oversight, remediation, independent verification, allocation of resources, and overall risk management.
The CISO and DSC can also centrally develop, coordinate, dictate, and enforce cyber-security practices, policies, and procedures, including:
- Constructing a cyber-security risk matrix and creating an internal data security audit team, which can conduct on-site and telephonic examinations based upon that risk matrix;
- Renovating and revising incident response and disaster recovery plans;
- Establishing master service agreements with data breach response firms;
- Establishing settings and alert procedures for technical solutions;
- Holding quarterly conference calls for management regarding emerging cyber-threats, trends, etc.;
- Providing active alerts to all employees about trends in cyber-threats;
- Accompanying compliance teams on audits of branch offices; and
- Leading a financial firm’s compliance/response during any SEC or FINRA examination, meeting, or other communication concerning cyber-security.
The CISO or DSC should report to the general counsel. Just like any other independent and thorough investigation, incident response workflow requires careful legal navigation because, among other things, the legal ramifications of any failure can be calamitous or even fatal for any company.
In addition to the governmental investigations and litigation, the list of civil liabilities after a cyber-attack is almost endless, including shareholder lawsuits for cyber-security failures; declines in a company’s stock price; and management negligence. There may also be consumer-/customer-driven class-action lawsuits against companies falling victim to cyber-attacks, alleging a failure to adhere to cyber-security “best practices.”
By incorporating some of the commonsense recommendations in this article, financial firms can present SEC and FINRA examiners with clear and convincing evidence of robust cyber-security governance and, most importantly, reasonable data security practices, policies, and procedures.
With respect to cyber-attack investigations, attorney-client privilege can arguably apply to the work product of the CISO or DSC. The privilege helps protect against inaccurate information getting released in an uncontrolled fashion and allows for more careful contemplation and preparation for litigation or government investigation/prosecution, two scenarios more and more likely to occur.
Improve vendor due diligence. Given that cyber-attackers will often traverse a company’s network and gain entry into the networks of its vendors or vice versa, third-party vendors have become one of the more prevalent attack vectors in the most recent cyber-attacks, as cyber-security shortcomings of third-party vendors have become a cyber-criminal’s dream.
Along those lines, vendor due diligence is emerging as one of the most important areas of SEC and FINRA concern for financial firms. Both SEC cyber-security examination modules contain sections concerning due diligence of third-party vendors. For instance, the second SEC module (from the September 2015 SEC Risk Alert) states:
Vendor Management. Some of the largest data breaches over the last few years may have resulted from the hacking of third-party vendor platforms. Thus, examiners may focus on firm practices and controls related to vendor management, such as due diligence regarding vendor selection, monitoring and oversight of vendors, and contract terms. Examiners may assess how vendor relationships are considered as part of the firm’s ongoing risk assessment process as well as how the firm determines the appropriate level of due diligence to conduct on a vendor.
FINRA’s report similarly states, “Firms should manage cyber-security risk that can arise across the lifecycle of vendor relationships using a risk-based approach to vendor management” and then goes on to list a slew of recommended effective practices of vendor due diligence.
The CISO or DSC should establish a vendor management sub-committee for governance and guidance of vendor issues. The sub-committee can field questions; research and recommend vendors; set up favorable pricing models and relationships; and issue vendor threat alerts.
Improve training and orientation. Financial firms should consider engaging an outside consulting firm to provide modular cyber-security educational training; conduct routine employee testing; and collect attestations of compliance. Financial firms should also encourage mandatory webcasts and other educational efforts on cyber-security governance, emerging threats, and other relevant cyber-security threats and issues.
Tabletop exercises. Most cyber-security firms and pen-testing firms offer tabletop exercise programs, which should, in order to be successful, involve detailed preparation; include multiple parties throughout the firm; leverage resources from within the financial industry and government; and be timely and realistic.
Financial firms (after consulting with counsel) should reach out to law enforcement agencies such as the FBI and request that a federal agent participate in the tabletop drill or exercise. The FBI supports participation and collaboration with U.S. companies, and can provide valuable insight throughout the drill.
Send customer alerts in plain English. Data breaches and cyber-attacks are inevitable. Thus, how a financial firm responds to any cyber-attack matters most—and will be scrutinized by both FINRA and the SEC. At the top of any regulator’s list will be how a financial firm communicates information (especially alerts and warnings) to its customers. Alerts and warnings to customers should be candid, 100 percent accurate, complete and, above all else, written in plain English. So many firms neglect this critical aspect of incident response and send communications to customers that beg too many questions; create confusion; and (ironically) exacerbate damage done during an incident.
Take Vanguard for instance. Vanguard is a terrific mutual fund family with a unique consumer-oriented approach; a large cadre of top-flight money managers with stellar credentials and track records; and a lengthy and proud history of customer service—except, unfortunately, when it comes to cyber.
Case in point is an actual customer alert sent from Vanguard to one of its investors on a Saturday, involving a mutual fund retirement account that the investor never used for any transactions. When the investor logged into his account, the transaction could not be found anywhere and when the investor called the phone number on the alert, he reached a voicemail recording from Vanguard’s web service team. The confusing alert raised alarms with the investor who became suspicious of its origin, especially the opaque language concerning “money movement,” which does not clearly indicate a deposit, withdrawal, or other kind of transaction.
Given that Vanguard fails to staff its call-in centers on weekends, the investor could not speak to anyone at Vanguard until the following Monday. Leave it to Vanguard to send out a customer security alert on a weekend—but then have no one available to manage any customer question about that alert. On the following Monday, the investor sought to speak directly with a Vanguard compliance official, but his request was denied by the Vanguard customer service representative—a very frustrating and scary situation for any investor.