The SEC and FINRA both released reports this week on their findings from recent sweeps and data analyses of broker-dealers' and investment advisers' cybersecurity protocols. Both reports were issued on the same day, signaling a coordinated release. However, the similarities end there. The SEC's report is very broad and covers a macro-perspective of the issue, whereas the FINRA report is much more detailed and technical in nature. We've summarized here the SEC's report for adviser findings and the FINRA report for broker-dealer findings.
OCIE’s Sweep Summary
Key takeaways for advisory firms include:
- All findings and analysis were based upon limited testing of firm responses to document requests and did not include any reviews of technical adequacy. This makes it difficult to draw any solid conclusions from the report.
- Generally, OCIE found more weaknesses within adviser cybersecurity programs than they did with broker-dealer programs. Examples include:
  - The majority of advisory procedures reviewed did not address how the firms determine whether cybersecurity breaches result in any client losses.
  - Only a third of the advisers visited required risk assessments of their third-party vendors with network access.
  - Contracts with vendors and business partners typically do not address cybersecurity risks.
  - Most advisory firms examined did not have a Chief Information Security Officer, but rather some other person responsible for cybersecurity oversight.
Key takeaways for broker-dealers include:
- The report includes findings based upon a compilation of its 2014 Targeted Sweep, data from other cybersecurity organizations, previous FINRA studies (2011 Survey), and other publicly available information. It is technical in nature and goes into detail regarding the various ways firms can protect their data.
- In summary, FINRA's report recommends:
  - A good cybersecurity program begins with a well-documented cybersecurity risk assessment.
  - Technical controls must be implemented to protect both hardware and software, using a defense-in-depth (layering) strategy.
  - Firms should have a written incident response plan that outlines the steps the firm will take if subject to a breach, including eradication, mitigation, recovery, and client communication.
  - Vendor management procedures should be risk-based and include due diligence both at the beginning of the relationship and throughout the vendor lifecycle.
  - Staff training is crucial to an effective cybersecurity program in order to ensure it is implemented effectively.
  - Information sharing in the cybersecurity arena is important to ensure threats are identified and responded to appropriately. The sharing of cyber intelligence with specific organizations such as the Financial Services Information Sharing Intelligence Center (FS-ISAC) is encouraged.
  - Cyber insurance should be reviewed and evaluated to determine if it makes sense for the firm from a cost/benefit perspective. The policy must be able to cover the specific risk types to which the firm may be exposed.
View the full SEC report, “Cybersecurity Examination Sweep Summary”
View the full FINRA report, “Report on Cybersecurity Practices”