Twin reports provide a roadmap to best practices.
U.S. financial markets and participants, much like other segments of the U.S. economy, are prime targets for technological hacks, intrusions, and breaches that can occur in today’s tech-laden business environment. In the face of these threats, on February 3, the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) each released materials addressing cybersecurity. Although FINRA’s report targeted its broker-dealer members, and the SEC’s report targeted broker-dealers and investment advisers, the reports deliver a message that could apply broadly to all financial market participants. In particular, when stripping away the reports’ financial undercurrent, general concepts are left that could apply to any business or organization that uses or is affected by technology.
Summary of SEC and FINRA Findings
SEC Risk Alert
The SEC’s Office of Compliance Inspections and Examinations (OCIE) released a Risk Alert (OCIE Cybersecurity Risk Alert) addressing cybersecurity for broker-dealers and investment advisers. The OCIE Cybersecurity Risk Alert presents the findings and recommendations associated with OCIE’s 2014 cybersecurity initiative. As part of that initiative, OCIE examined almost 60 registered broker-dealers and nearly 50 registered investment advisers last year to assess cybersecurity preparedness, compliance, and controls. OCIE staff reviewed related documents and conducted interviews with key personnel at the firms regarding their business and operations, detection and impact of cyber attacks, preparedness for cyber attacks, cybersecurity training and policies, and protocol for reporting cyber breaches. OCIE particularly focused on the following areas of concern:
Strikingly, OCIE found that 88% of broker-dealers and 74% of investment advisers examined had experienced a cyber attack, either directly or through a vendor. These attacks included fraudulent emails that sometimes led to losses (e.g., related to fraudulent fund transfer requests) as well as instances of employee misconduct that affected funds, securities, sensitive client or firm information, or the firms’ networks. Certain other OCIE findings related to firms’ adoption of policies and procedures regarding cybersecurity, firm-implemented risk assessments when establishing their cybersecurity policies and procedures, and firms’ use of encryption.
FINRA Cybersecurity Report
FINRA published its Report on Cybersecurity Practices (FINRA Cybersecurity Report) on the same day as the OCIE Cybersecurity Risk Alert. The details in the FINRA Cybersecurity Report are based, at least in part, on FINRA’s 2014 targeted exam of member firms, a 2011 FINRA cybersecurity survey of member firms, and interviews with other organizations involved in cybersecurity. The FINRA Cybersecurity Report cited examples of exposure such as firms’ web-based activities, which can create opportunities for attackers to disrupt or gain access to firm and customer information, and employee and customer use of mobile devices to access information at broker-dealers, which can open a variety of new avenues for attack.
The FINRA Cybersecurity Report outlined a risk management–based approach to address cybersecurity threats, but it did not suggest a one-size-fits-all regime for its members nor did it establish any new “per se” requirements. Key aspects include the following:
Practical Implications and Takeaways
Best Practices Evolving in the Face of Continuing Industry Examinations, Investigations, and Regulatory Reforms
SEC Chair Mary Jo White has emphasized the significance of combating cybersecurity challenges to ensure the stability and integrity of our market system, as well as disclosing material information and protecting the market’s customer data. FINRA also clearly emphasized in its 2015 exam priorities that its examiners will review firms’ approaches to managing cybersecurity risk. SEC and FINRA examiners are likely to focus on firms’ governance structures; processes for conducting risk assessments (including follow-up); use of frameworks, standards, and controls; and methods and processes for identifying critical assets (including firm and customer information and data). Firms may need to address some or all of the following areas of focus during upcoming exams and audits:
Recent SEC Enforcement Cases Pose Warnings for Industry Participants in Light of the SEC’s “Broken Window” Approach
FINRA’s and the SEC’s heightened concern regarding the integrity of the technology infrastructure generally and cybersecurity in particular is not surprising. Recent SEC enforcement actions involving large broker-dealers and exchanges exposed the vulnerability of the securities market to order-entry errors, disruptive practices, and manipulative trading magnified by today’s split-second, high-speed electronic trading. Notably, the SEC’s latest focus on cybersecurity risks and compliance enforcement is consistent with its underlying “broken window” policy and overall enforcement strategy. Under this policy, the SEC has undertaken to establish a strong compliance culture, even where it means targeting nonfraud violations, such as risk-management control and supervisory failure, and infractions of technical rules. OCIE’s cybersecurity initiative and FINRA’s surveys are two additional examples of this industrywide campaign by regulators to enforce compliance and data security.
As a result, look for the SEC to bring enforcement cases involving inadequate cybersecurity preparedness, particularly when broker-dealers and investment advisers fail to respond to “red flags” of cybersecurity deficiencies.
Building Momentum on the Heels of Recently Implemented Regulations
Although much of the scrutiny that broker-dealers and investment advisers can anticipate over the course of the next year related to cybersecurity is subject to speculation, formal requirements have already been mandated that are designed to prevent or minimize the impact of inadvertent or intentional failures in systems of exchanges and other trading centers as well as the systems of market participants with which they interface. For example, the SEC recently adopted Regulation Systems Compliance and Integrity (Regulation SCI) to address the capacity, integrity, resiliency, availability, and security of the computer, network, electronic, technical, and automated systems of securities exchanges and certain other market participants that directly support trading, clearance and settlement, order routing, market data, market regulation, or market surveillance.
Similarly, the SEC’s Market Access Rule requires, in part, that broker-dealers with market access, or that provide access to an exchange or alternative trading system, restrict access to trading systems to preapproved and authorized persons and accounts. The SEC has already brought and settled actions under the Market Access Rule for circumstances where firms were alleged to have failed to implement or maintain reasonable technology governance structures and system safeguards to mitigate the risk to the markets from the failure of a firm’s systems. At least one of these actions resulted in penalties against the firm’s executives.
Financial market participants tend to be ahead of the curve relative to other industries in terms of their emphasis on using technology and taking steps to secure those systems. The SEC and FINRA reports are the latest, but surely not the last, regulatory emphasis on safeguarding the technology underlying the financial markets. The SEC and FINRA can be expected to eventually identify formal cybersecurity standards or requirements for broker-dealers, investment advisers, and other market participants, including transfer agents, investment companies, and security-based swap dealers. In the meantime, financial firms should take a proactive stance to address internal and external cybersecurity risks.
1. Office of Compliance Inspections and Examinations, Risk Alert: OCIE Cybersecurity Examination Sweep Summary (Feb. 3, 2015), available here.
2. Office of Compliance Inspections and Examinations, Risk Alert: OCIE Cybersecurity Initiative (Apr. 15, 2014), available here.
3. The examinations were key action items arising from the March 2014 SEC-sponsored Cybersecurity Roundtable.
4. Chair Mary Jo White, Opening Statement at SEC Roundtable on Cybersecurity (Mar. 26, 2014), available here.
5. Regulation Systems Compliance and Integrity, Exchange Act Release No. 73639 (Nov. 19, 2014), 79 Fed. Reg. 72252 (Dec. 5, 2014) (to be codified at 17 C.F.R. pts. 240, 242, and 249) (SCI Adopting Release). Aspects of compliance will be required beginning November 3, 2015. The SCI Adopting Release is available here; see also “SEC Adopts Regulation SCI,” Morgan Lewis White Paper (Dec. 2014), available here.
6. 17 C.F.R. 240.15c3-5. Risk Management Controls for Brokers or Dealers With Market Access, Exchange Act Release No. 63241 (Nov. 3, 2010), 75 Fed. Reg. 69792 (Nov. 15, 2010) (Market Access Rule Adopting Release). The Market Access Rule Adopting Release is available here.