We have recently received many inquiries as to how firms should approach the growing focus on cybersecurity. Unfortunately, the answer often is the dreaded "it depends." Neither FINRA nor the SEC has released any authoritative opinion or rule that would set a minimum standard for compliance. However, each has published reports on observed best practices, added cybersecurity to its annual priorities, and made firms aware that cybersecurity is under intense scrutiny.
In February of 2015, FINRA released its Report on Cybersecurity Practices, which detailed the results of recent sweeps conducted on Member Firms and FINRA’s observations of best practices. The report focused on:
- Cybersecurity governance and risk management
- Cybersecurity risk assessment
- Technical controls
- Incident response planning
- Vendor management
- Staff training
- Cyber intelligence and information sharing
- Cyber insurance
FINRA's findings revealed that the highest reported threat is the risk of hackers penetrating systems for the purpose of account manipulation, defacement, or data destruction. Firms can help mitigate this risk through preparedness, which means staying diligent with your cybersecurity program. Firms should consider the following:
- An assessment of risk
- Penetration testing, performed by a third-party compliance firm or by an internal technology team
- Development of a plan: develop policies and procedures to mitigate the risk, and a disaster plan in case there is an event
- Implementation of the plan:
  - Utilize technology such as anti-virus coverage, patch coverage, and encryption coverage
  - Train employees on the most current cyber-attack techniques and on how to escalate should they fall victim
  - Review vendor agreements and consider information-sharing relationships
- Insurance: consider insurance for a potential breach
- Re-assessment and learning: continue to review the program and enhance mitigation
The SEC also published a similar report on September 12, 2015, titled "OCIE's 2015 Cybersecurity Examination Initiative." This report highlighted the same concerns as the earlier FINRA report and put firms on notice that the SEC is currently conducting a review of firm practices.
It is important to remind yourself that there is no "one-size-fits-all" approach to cybersecurity, but that does not mean firms should remain idle. The cost of a cybersecurity breach can be significant, both for the incident itself and for the firm's reputation.
Red Oak has the ability to assist firms in creating a cybersecurity plan and assessing risk. Please contact us with any questions or concerns.