What little difference a year makes.

As 2016 begins, the U.S. Securities and Exchange Commission and Finra have again placed cybersecurity at or near the top of their areas of emphasis, which could lead to a new round of enforcement activity, say compliance experts.

“The prudence of the industry demands that cybersecurity be made a top priority, if not the No. 1 priority for financial firms in 2016,” says Michelle Jacko, CEO of San Diego-based compliance consultant Core Compliance and Legal Services. “It’s important that firms be mindful of the regulatory and the business risk that cybersecurity concerns entail.”

This year, the SEC’s Office of Compliance Inspections and Examinations will look again at firms’ information security controls through testing and assessments. The announcement mirrors Finra’s guidance to brokers, which listed technology practices and cybersecurity as areas for examination in 2016.

“I believe that this year, these examinations will result in enforcement actions,” says Craig Watanabe, Core Compliance’s senior compliance consultant. “The volume is being turned up on cybersecurity.”

Financial regulators are focusing on a few main areas of vulnerability, like protecting access to clients’ personally identifiable information.

“There are small things that even a small firm can do that don’t cost very much,” Watanabe says. “Data encryption, for example, is very robust and free or economical for the most part, and offers firms a level of protection for client data.”

In its autumn guidance, the OCIE focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. Jacko expects the agency to retain a similar focus this year.

“For compliance professionals and firms, the starting point should be identifying and addressing vulnerabilities,” Jacko says. “In a way, we’re just applying the processes firms use for their other compliance controls to another area.”

Finra’s guidance says it will review cybersecurity policies with respect to governance, risk assessment, technical controls, incident response, vendor management, confidentiality, data loss prevention, trading system accessibility and staff training.

“Folks generally know what to do if there is a disaster, but don’t know what to do if there is a breach,” Jacko says. “The most important safeguards are that employees have a conscious awareness of what creates a vulnerability and how to mitigate that. Firms need to take a tactical approach to security.”

New York-based cloud IT provider ExternalIT helps clients prepare for potential hacking attempts by engaging their employees in dry runs — a tactic that might also prepare them for the OCIE.

“Training is more about developing good habits than it is about where and how hackers will breach,” ExternalIT president Sam Attias says. “Over 60 percent of breaches occur just because employees are making mistakes.”

Last year, ExternalIT released a white paper identifying some of the more common cybersecurity deficiencies in the financial advising industry.

According to the white paper, firms are failing to control the internal movement of private or personal data.

“Most vulnerabilities we’re finding are a result of the end user not being aware and not taking steps to protect things like their mobile phone,” Jacko says. “While firms often have good security policies in the office, when they have a bring your own device policy with their employees a lot of vulnerabilities occur, and these are often unaccounted for.”

Part of the difficulty, Jacko says, is that it’s taken the financial services industry so long to catch up to modern innovations that allow clients to interact digitally with their accounts and financial information, and allow advisors to work from home.

“As we deploy new technology, we’re going to have to take additional steps to remain protected and compliant,” Jacko says. “Five years ago firms were worried about making sure they could keep going through a snow storm or an earthquake, and they were struggling with it. Now they have to protect information accessible through web servers and mobile devices, it’s like a Pandora’s box.”

Internal risks are most often caused by negligence, Attias says, as employees and vendors accidentally expose their networks to threats via malware and phishing.

Core Compliance and Legal Services teaches individual employees about cybersecurity best practices by having them first protect their personal devices, then apply those lessons to their office computers and networks.

“We’ve found that when presenting training in context of the home computer and personal devices, it resonates much better,” Watanabe says. “They’re thinking about their own activities and using their personal devices on a daily basis.”

Financial firms are behind in implementing and updating their data protection, disaster recovery and business continuity plans, Attias says.

“It’s more than making sure that you have a backup for your systems or that information is stored in a secondary location,” Attias says. “Data protection means that you’re making sure information isn’t being misused or accessed by the wrong people. People everywhere are transferring information that they shouldn’t be transferring via email or attachments. The SEC wants to see a sectioning off of certain classes of data. Firms are going to have to monitor e-mails and track the way files are shared.”

Third-party software and technology vendors are also an area of concern, says Attias: they must be properly vetted for their background and to make sure they are using technology that is secure and up to date. Regulators may examine a firm’s vendor relationships, Attias says.

“We’re at the point where financial services IT providers are going to have to have some sort of certification that they have done their due diligence in compliance and security,” Attias says. “Really, not just the IT providers, but the application providers, the janitorial service providers, the painters — to some extent, everyone should be vetted, and there has to be some plan to separate them from the client data.”

Regulators are prepared to enforce these expectations. In September, the SEC fined St. Louis-based registered investment advisor R.T. Jones & Co. $75,000 for a breach that exposed private information of around 100,000 individuals, after it was found to have lax cybersecurity oversight.

“That case was a game changer,” Watanabe says. “After the case, RT Jones Capital suggested that firms need to have specific cybersecurity procedures, a response plan, oversight and review. That took the SEC’s language from guidance to mandate.”

Like financial technology, cybersecurity solutions are also rather young and fragmented, which can lead to vulnerabilities as disparate pieces of software and hardware like firewalls, malware and virus detection, and multi-factor user identification are used in conjunction without being centrally planned and implemented.

“This is all kind of new territory for advisors, they aren’t in the security or compliance business,” Attias says. “Tech is evolving very rapidly, there are more types of devices, and in response firms are locking things down. They’re limiting the applications and devices their employees are using because that’s the path of least resistance. That’s not a good solution because younger clients and advisors want to access the technology. IT providers, ideally, are all about unlocking the potential of advisors through technology in a secure and controlled manner.”