As Regulators Embark on New Industry Cyber Sweep, Tips to Tell if Your Firm is Ready for Review
By Guy Talarico, CEO and Founder, Alaric Compliance Services
According to compliance and cybersecurity experts, financial industry regulators are embarking on a new cyber-security sweep, with a focus on registrants’ 1) data loss prevention; 2) oversight of third-party service providers; and 3) incident response planning.
And with good reason. Cyber assailants continue to perpetrate increasingly sophisticated attacks on U.S. financial institutions, including exploiting weaknesses to steal valuable data and breaching third-party information service provider systems. Yet many firms remain woefully ill-prepared to fend off the latest threats and lack actionable incident response plans to recover from a breach.
As outlined in their respective 2018 Examination Priorities notifications, both the U.S. Securities and Exchange Commission (“SEC”) and the Financial Industry Regulatory Authority (“FINRA”) are focusing their resources on examining the quality of registrants’ written cybersecurity policies and procedures, which must include testing the implementation of those procedures and having a formal response plan in place. The SEC is particularly interested in confirming that registrants adopt and enforce their cyber program to secure customer data and access to their electronic systems, with a focus on personally identifiable information (PII).
In February, the SEC issued guidance encouraging companies to adopt a comprehensive cybersecurity plan and policies to assess compliance regularly, including the sufficiency of cyber controls and procedures to satisfy federal securities law disclosure obligations. One goal of the new guidance is to prevent directors, officers, and other corporate insiders from making selective disclosures about cybersecurity risks or incidents and then trading on that inside information.
A firm’s cybersecurity plan must:
- be developed and maintained by qualified professionals;
- be customized to the registrant;
- be approved and reviewed by an executive-level official (i.e., at least every 12 months);
- provide cybersecurity training that is appropriate to the security risks the firm faces;
- address risks posed by critical third-party service providers;
- include “Security Control Assessment” and “Risk Assessment” appropriate to the risks the firm faces;
- include an “Incident Response Plan”;
- be overseen by a designated principal who will be accountable for its implementation and updates in response to regulatory and business developments.
An important part of the cyber plan, vulnerability assessments and supporting penetration testing (“PenTests”) are regulatory requirements. These authorized simulated attacks aim to reveal security weaknesses that a firm must subsequently mitigate. The SEC allows leeway as to how firms conduct cyber PenTests but expects registrants to engage third-party experts to assist in this process; doing so ensures both the quality and independence of the testing results.
Following minor malware attacks just five years ago, a newer breed of cyber threats is a growing national concern. The latest of these include opportunistic phishing attacks, which are broad efforts to infect as many computers as possible. In contrast, more targeted “spear-phishing” attacks focus on specified individuals to perpetrate higher-value crime that is much harder to trace. An example of the latter is organized crime rings that search social media sites to identify financial industry executives, such as hedge fund managers or quantitative analysts, and compromise their accounts.
Equally clever, criminals often create fake e-mail accounts that closely resemble their target’s, changing just one letter in the email address (an activity referred to as “typo-squatting”). Michael Brice, co-founder of BW Cyber Services, has seen multiple cases of fraudulent capital calls in which investors were duped into sending wire transfers to illicit accounts. And these activities are not insignificant: wire transfers ranging anywhere from hundreds of thousands to millions of dollars are irretrievably lost.
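The one-letter-off sender address described above is something a firm can screen for before acting on a capital-call e-mail. The following check is an added example, not code from the article or from BW Cyber Services: it compares the sender’s domain against a constructed allowlist of trusted counterparty domains and flags any domain that is one edit away from a trusted one, or that matches after collapsing common look-alike substitutions (such as “rn” for “m” or “1” for “l”). All domain names are constructed placeholders.

```python
# Added example: flag inbound sender domains that typo-squat a trusted counterparty.
# TRUSTED_DOMAINS is a constructed allowlist; real firms would load their own.
TRUSTED_DOMAINS = {"examplefund.com", "examplecapital.com", "example-admin.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse visual look-alikes so 'rn'/'m', '0'/'o', '1'/'l', 'vv'/'w' compare equal."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike:<trusted domain>' or 'unknown' for an e-mail address.

    A 'lookalike' result means the domain is not on the allowlist but is within
    one edit of, or visually identical to, a trusted domain: the capital-call
    request should be verified out of band before any wire is released.
    """
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in trusted:
        return "trusted"
    for t in sorted(trusted):  # sorted for deterministic results
        if normalize(domain) == normalize(t) or edit_distance(domain, t) <= 1:
            return f"lookalike:{t}"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample senders, including two typo-squats of examplefund.com.
    for addr in ("treasurer@examplefund.com", "treasurer@exarnplefund.com",
                 "treasurer@examplefunds.com", "news@unrelated-vendor.org"):
        print(f"{addr:32} -> {classify_sender(addr)}")
```

The distance threshold of one edit deliberately matches the “changing just one letter” pattern the article describes; raise it only with a larger allowlist review, since a looser threshold produces more false positives.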
Brice believes the skill and sophistication of attackers are often outpacing registrants in their ability to protect themselves. But Brice says, “There are some simple security practices and operational precautions related to the collection and storage of Personally Identifiable Information (PII) that will go a long way to mitigating regulatory and even litigatory issues should a breach occur.”
However, firms that don’t understand or address the risks associated with a breach put themselves in the position to be on the receiving end of a regulatory action in the event of a minor breach – especially if PII is involved. For crypto-currency funds, the cyber stakes are even higher. Not only are individual criminals involved, but global organizations and countries like Korea are being traced to crypto-cyber malfeasance.
Another focus area involves third-party service providers. When companies engage information technology (IT) service providers, they should review the providers’ cybersecurity policies and procedures, and not assume a provider is up to the task of protecting their data. “Firms should require that their vendor either has deep technical expertise or enhanced security protection for systems and data as there is a strong possibility they are not doing it or not doing it very well,” Brice explains.
Thus, even firms that are making their best effort to minimize cyber risk may be operating with a false sense of security because executives often make incorrect assumptions regarding the risks they are covering. For instance, cyber insurance policies rarely cover wire transfers, adds Brice. Yet this is one of the primary reasons organizations get cybersecurity policies in the first place.
As part of a firm’s overall compliance program, the cybersecurity plan must encompass a holistic approach to periodically assess, remediate and test the organization. Although regulators do not dictate the details of a cyber plan or supporting technologies, they expect registrants to 1) design and customize such a plan; 2) develop and implement policies that demonstrate supporting cyber controls; and 3) follow through with continued efforts to integrate, test and monitor the program for its effectiveness. Many firms engage cyber experts and compliance professionals to show that they are making a proactive effort to meet their regulatory obligation to effectively manage cyber threats.
Experienced professionals can ensure that a registrant’s compliance plan and cyber policy address regulators’ top focus areas — data loss prevention, third-party service providers, and response planning — and that the technical testing matches the registrant’s risk profile. Retaining experts entails up-front cost, but that cost could be far outweighed by the reputational and financial impact of a breach. Moreover, doing so will help firms maintain an audit-ready posture.