Regulators agree that cybersecurity threats pose significant risks to financial firms, investors and the markets. As a result, cybersecurity practices are a key focus for regulatory examinations this year for both the Financial Industry Regulatory Authority (FINRA) and the U.S. Securities and Exchange Commission (SEC).
At the recent 2017 FINRA Annual Conference, David Kelley, Surveillance Director, Kansas City District Office, FINRA, moderated a panel of Richard Hannibal, Assistant Director, Office of Compliance Inspections and Examinations, U.S. Securities and Exchange Commission (SEC), Stephanie Mumford, Chief Compliance Officer and Senior Legal Counsel, T. Rowe Price Investment Services, Inc., and Andy Zolper, Senior Vice President and Chief Information Security Officer, Raymond James Financial, Inc. to provide guidance on cybersecurity practices for the financial services industry.
What Cybersecurity Lapses Are Regulators Finding During Exams?
“Cybersecurity is a huge priority for the SEC,” said Hannibal. About one third of examined firms had client losses that were cyber-related, but fortunately they were not large amounts. The SEC is also seeing problems with third-party wires where employees fail to properly authenticate customers’ requests. The majority of the firms examined by the SEC had unauthorized external distributions of Personally Identifiable Information (PII), such as deliveries of information to the wrong customer or to the wrong persons within the firm. As of exams conducted through May, the SEC had not identified ransomware as a problem, but that could change at any time. The SEC has also seen issues with phishing emails and spear phishing. They have also heard that firms’ employees are clicking on problematic attachments more than 20 percent of the time. “There is work to be done to better protect firms,” concluded Hannibal.
Mitigate the risk of cyber-attacks at your firm through these five best practices:
“Our first job was educating the Board and different committees about cyber on what can happen and identifying all the risks associated with it,” said Mumford. Zolper agreed, “We have tightly integrated our cybersecurity risk with our overall risk management. We don’t want to add a different language and a different process and different reporting channel for cyber-related risks.” He said that depending on your cybersecurity maturity, your firm may need to place extra focus on level-setting the risk. However, the goal is for the Board to embrace cyber as another risk that needs to be managed.
FINRA has found that Boards are actively engaged around cybersecurity. In fact, some are trying to increase their expertise in this area by attracting new Board members, particularly Boards that don’t have anybody with a background in the IT space. They recognize the need, said Kelley. However, FINRA saw during its exams that two-thirds of firms had deficiencies or weaknesses in their policies and procedures. Some policies weren’t specific. Others failed to articulate the procedures for implementing some of the policies. “There’s still more work to be done,” said Kelley.
2. Risk Assessment
Risk assessment should be an ongoing process as opposed to a single point in time. Firms should gather and evaluate indicators of potential risks on a monthly, quarterly and annual basis. Firms should also look at what’s happening at other firms and in other industries, said Zolper. “I’m a huge advocate of collaborating with other firms,” he continued. In fact, he said that FINRA has been helpful in bringing CISOs together to talk about cybersecurity and other issues. Zolper also suggested tapping the Financial Services Information Sharing and Analysis Center (FS-ISAC) for daily strategic threat intelligence on what’s going on in cyber. Real-time communication between firms “turns the tide on attackers” because firms can tune their defenses accordingly, concluded Zolper. In addition to belonging to FS-ISAC, FINRA has also seen firms get together with other firms, not just broker-dealers, to talk about the issues that they’re seeing. “The more you can learn about what’s going on, the better,” Kelley added.
3. Cybersecurity Training
“Employees are the biggest risk for firms,” Hannibal said. Based on what the SEC is seeing during exams, he provided some tips. Training needs to be conducted regularly, not just once a year. It also needs to be varied, both in method (such as in-person, email, blogs) and in topic (such as passwords or visitor access), to engage your employees. Tailor the training by staff role, and include both registered and non-registered persons. Make training practical and relevant. Use prior mistakes as examples. Show employees what good cyber hygiene looks like so they may bring those practices home with them to protect their families and home systems. Training also needs to be engaging and interactive. Some firms have interactive approaches to help employees really understand. Don’t just say “don’t click on a suspicious email.” Everybody nods their head, but that doesn’t mean they get it. You need to provide a whole lot more detail to educate employees. Some firms test their employees by sending phishing emails to see if they will click on links. The employees who click are then required to take additional training. If they don’t change their behavior, their supervisor may need to sit down with them at some point to explain the importance of cybersecurity, said Hannibal.
4. Access Management
Regulators are interested in how people gain access to data, systems and facilities. The SEC is seeing that firms are conducting reviews of access rights periodically, said Hannibal. But probably half the firms did not follow their policies and procedures for terminating access rights, or they inadvertently provided unauthorized system access to users contrary to firm policy. He also said that a surprising number of firms were working on multifactor authentication (“something you know and something that you have”) but had not addressed it fully. FINRA also sees firms, large and small, struggle with access management, said Kelley. When FINRA conducts exams, firms are asked how people get granted access to systems and data. How is that being monitored on an ongoing basis? When employees change jobs, how quickly is their access changed? What are the processes? Firms are asked whether they are using multifactor authentication from outside, or even internally. “The absolute best practice is any remote access to your core network should be protected by two-factor authentication,” said Zolper. Also, educate people about personal protections. Train them to turn on two-factor authentication everywhere they can, including personal email, Twitter, LinkedIn, and Facebook. Although it works on those platforms, very few people use it, in spite of anxiety around cyber security, said Zolper.
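The three access-management gaps the panel describes (terminated employees who keep access, access granted contrary to policy, and remote access without multifactor authentication) are exactly what a periodic access review is meant to catch. The following is an added example, not code from the page or from any of the firms mentioned: it reconciles a constructed HR roster against a constructed entitlement export and returns a finding for each entitlement that belongs to a terminated or unknown user, that permits remote access without MFA, or that has not been reviewed within the review window. All user names, system names, dates and the 90-day window are assumptions chosen for illustration.

```python
"""Periodic access review: reconcile an HR roster against system entitlements."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Constructed sample data for a hypothetical firm. In practice the roster would
# come from the HR system and the entitlements from each application's export.
HR_ROSTER = {
    "alice": {"status": "active", "role": "trader"},
    "bob":   {"status": "terminated", "role": "ops", "term_date": date(2017, 4, 30)},
    "carol": {"status": "active", "role": "compliance"},
    "dave":  {"status": "active", "role": "contractor"},
}

ENTITLEMENTS = [
    # user, system, is this a remote-access path?, MFA enforced?, last access review
    {"user": "alice", "system": "order-mgmt",    "remote": True,  "mfa": True,  "reviewed": date(2017, 5, 1)},
    {"user": "bob",   "system": "wire-transfer", "remote": False, "mfa": False, "reviewed": date(2017, 2, 1)},
    {"user": "carol", "system": "vpn",           "remote": True,  "mfa": False, "reviewed": date(2017, 5, 10)},
    {"user": "dave",  "system": "crm",           "remote": False, "mfa": False, "reviewed": date(2016, 11, 1)},
    {"user": "erin",  "system": "crm",           "remote": False, "mfa": False, "reviewed": date(2017, 5, 1)},
]

# Review date for the sample run (assumed).
AS_OF = date(2017, 5, 31)


@dataclass(frozen=True)
class Finding:
    user: str
    system: str
    issue: str


def review_access(roster, entitlements, as_of, review_window_days=90):
    """Return one Finding per control gap detected in the entitlement export.

    Issues reported:
      orphan-account                 entitlement for a user not in the HR roster
      terminated-user-retains-access HR says terminated, access still provisioned
      remote-access-without-mfa      remote path not protected by a second factor
      stale-review                   last review older than review_window_days
    """
    findings = []
    for ent in entitlements:
        user, system = ent["user"], ent["system"]
        person = roster.get(user)
        if person is None:
            # No HR record at all: either a service account that should be
            # inventoried separately, or access that outlived the joiner/leaver process.
            findings.append(Finding(user, system, "orphan-account"))
            continue
        if person["status"] == "terminated":
            findings.append(Finding(user, system, "terminated-user-retains-access"))
        if ent["remote"] and not ent["mfa"]:
            findings.append(Finding(user, system, "remote-access-without-mfa"))
        if (as_of - ent["reviewed"]).days > review_window_days:
            findings.append(Finding(user, system, "stale-review"))
    return findings


def summarize(findings):
    """Count findings by issue type, which is the view an auditor usually asks for first."""
    return dict(Counter(f.issue for f in findings))


def run_review():
    """Run the review over the constructed sample data."""
    return review_access(HR_ROSTER, ENTITLEMENTS, AS_OF)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print(f"{f.issue:32} {f.user:8} {f.system}")
    print(summarize(results))
```

The terminated-user check is deliberately independent of the review date: an access review that ran yesterday is still a failure if the leaver process never removed the account. Treating an unknown user as a finding rather than skipping it is what surfaces the "access granted contrary to policy" case the SEC describes, since a user who was never onboarded through HR should not appear in any application's entitlement list.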