Compliance Endpoint Security News and Events

SEC and FINRA Release Cybersecurity Reports

March 03, 2015

The Securities and Exchange Commission (SEC) has been making cybersecurity a priority in 2015. As part of its cybersecurity oversight, the SEC released observations from recent cybersecurity examinations of broker-dealers and advisors conducted in 2013 and 2014. Likewise, the Financial Industry Regulatory Authority (FINRA) released its own Report on Cybersecurity Practices outlining current risks and best practices to approach cybersecurity in the financial industry.

At the SEC's Cybersecurity Roundtable held in 2014, Commissioner Luis A. Aguilar described the devastating effect that cyber-attacks and data loss have on financial institutions, the economy, consumers and investors. The SEC, which was created to safeguard these stakeholders, affirmed its intention to “play a role” in the security of data. Following an examination sweep of broker-dealers and investment advisors, the SEC released a Risk Alert that provides summary observations from the examinations. Insights from the report include:

FINRA’s much more comprehensive report details cybersecurity threats and how to address them. FINRA’s report looks at some of its findings, but overall spends more time on preparedness. Topics discussed include Governance and Risk Management for Cybersecurity, the importance of Board and Senior Involvement, Effective Cybersecurity Risk Assessment, and the outcome of a Failure to Address Risks.

Some of the top governance or management failures identified in the FINRA Report on Cybersecurity Practices include:

The report continues with examples of frameworks and standards that can be followed in the financial industry and how these lead to appropriate controls in prevention, detection, correction and event prediction. Many changes were suggested, from employee training and access controls to device protection.

Right now, the financial industry is not subject to specific regulatory guidance, though regulatory bodies have quite a bit of leverage to investigate and fine organizations that do not adequately protect stakeholder data. Without specific written guidelines, financial organizations must take the initiative to ensure data security is made a priority. Organizations should perform a regular risk assessment, maintain a comprehensive data breach response plan, create an ongoing employee security awareness training program, and ensure layered technology solutions are in place to protect data.

FINRA’s report highlights the importance of a layered approach to security planning, one backed up by both policy and employee training and supported with persistence technology. To learn how to build a layered defense against data breaches, we welcome you to watch our recent webinar on the topic. Contact us to learn how Absolute Software can help your organization navigate the choppy regulatory landscape and mitigate the ever-increasing data security risks.
