For financial services firms, the message is clear. Both FINRA and the SEC are looking over your shoulder to make sure that you are taking cyber security seriously.
And the fines are not small. From hundreds of thousands to millions of dollars, firms big and small are getting whacked with fines.
In 2014, the SEC Office of Compliance Inspections and Examinations released a risk alert describing its new initiative designed to assess cybersecurity preparedness. Among the requirements outlined in the program are:
- Inventory of physical devices and systems
- Inventory of platforms and applications
- A map of network resources, connections and data flows
- The map above includes the locations where customer data is housed
- External connections are cataloged
- Resources are prioritized for protection based on their sensitivity and business value
- Logging capabilities and practices are assessed
- A written information security policy is available
- Periodic risk assessments are conducted and findings mitigated
- Periodic physical security risk assessments are conducted
- Cyber security roles in the company are explicitly assigned and communicated
- A written cyber business continuity plan has been implemented
- The firm has a CISO or equivalent
This is only part of the list; the full list runs for 8 pages.
Check out the end of this post for a list of references to FINRA and SEC documents describing these programs.
John Reed Stark of Reed Consulting has come up with some recommendations. While the paper is 12 pages long, here is the gist of the recommendations. A link to the paper appears below.
- Review overall cyber security policies for adequacy
- Eliminate red flags (DUH!)
- Create the team (Now, not after a breach)
- Protect against identity theft
- Get private (protect private data)
- Choose the right monitoring technology
- Watch out for insiders (Chase learned the hard way)
- Consider cyber insurance (Don’t consider it, buy it)
- At the first sign of trouble, investigate
There is a ton of information in the articles listed below.
If your head is swimming after reading the articles, contact outside experts (yes, that is self-serving; we do that for financial service companies, but it is very hard to do it yourself). I liken fixing cyber security in a running business to paving a road while you are driving on it. Not easy.
Each year the SEC and FINRA visit more businesses, and each year their examiners get more knowledgeable about cyber, so don't think you are going to fool them.
If you start early and have an active program, you are much more likely to get a friendly reception when the examiners come to visit.
It will take quite a while to put together an entire program, so we really do recommend starting early. It is much easier to build a program over a year or two than to try to get it done in a couple of months after you receive that examination report. If you wait, not only do you have to pay someone like us, but you also have to pay the fines.
Links to useful articles:
Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught by John Reed Stark
SEC National Exam Program risk alert.
SEC examination sweep results summary.
FINRA Report on cyber security practices.
FINRA cyber security report with small business checklist.