Cybersecurity is the CCO’s Monkey. A Lookback at a Landmark Year for Cybersecurity
If 2013 represented a flashpoint for Cybersecurity, the year in which front-page breaches, Advanced Persistent Threats, and the Presidential Executive Order (13636) ignited public awareness, 2015 is the year in which the Regulatory response has fueled the fully engulfed fire. At Artemis we agree with the well-worn notion that the Compliance tail should not wag the IT Security dog, or that Compliance does not equal Security. There is no question, however, that regulatory expectations were clarified in 2015, that regulatory risk has been quantified, and that investment firms must address IT Security and Cybersecurity.
The Compliance Function of investment advisory firms and broker-dealers is already heavily burdened, and with the Cybersecurity Initiative quite literally in full swing with a second sweep (the 2015 Cybersecurity Exam Initiative) underway, what are the critical points and practical steps that firms should take away from 2015?
Regrettably, the Cybersecurity Initiatives of the SEC and FINRA are aimed squarely at the Compliance Function and CCOs. The various Alerts and Guidance, and apparently the responsibility for building Cybersecurity risk consideration into your firm’s Risk Management Program, fall upon Compliance. This does not mean that Accountability for incorporating IT security practices will fall fully upon Compliance. In fact, Executive Management and Board Members need to fully understand that they remain in the line of fire, as first defined in Commissioner Luis Aguilar’s seminal speech at the New York Stock Exchange in 2014: “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus.”
Before steamrolling into critical takeaways from 2015 guidance, I want to suggest that all is not woe with the Cybersecurity initiative. While IT Security will place heavy demands on investment advisers and broker-dealers in the future, there will be a substantial reward for those firms that devote time and resources to this effort. The Value-Add of IT Security will become more apparent to firms with strong programs as institutional investors seek validation of cybersecurity practices in future due diligence requests. Embracing a culture of security at your firm through Training with Executive-level participation can improve the safety, well-being, and morale of employees and your firm. A deeper understanding of IT Security means increased IT competence and efficiency at your business. The dreaded regulatory initiative can provide impetus for devoting appropriate resources to IT Security, which will ultimately assist in safeguarding the reputation of your firm.
The 2015 Highlight Reel
Many of the points mentioned below are examined in greater detail in both blog posts and white papers. We do believe that key guidance should be in the Compliance/Firm lexicon and represents good material to be put on the table at the Information Security Committee or corresponding Risk Committee mechanism.
- The SEC’s Cybersecurity Examination Sweep Summary, February 2015: We found this statistical document to be of limited value, but relayed areas of percentage weakness may offer hints for Exam inquiries. Only 51% of advisers surveyed considered cyber-attacks or intrusions within continuity plans. This number also likely reflects that roughly half of advisers surveyed at the time had well-defined Incident Response and Recovery plans in place. All firms must have a Plan to address IT Security/Cybersecurity incidents.
- FINRA’s Report on Cybersecurity Practices, February 2015: FINRA has provided substantive guidance on critical subjects for both broker-dealers and advisers. Sections of this guidance can be used to assist with WSP creation. See the section on Vendor Management as a good starting point for your program.
- The Division of Investment Management’s Cybersecurity Guidance, April 2015: Perhaps the most significant regulatory release of the year, the Guidance Alert reaffirmed the need for policies and procedures and tied cybersecurity failures to the existing Rules framework. The DIM recommended 5 periodic assessments with which all firms should be versant.
- DOJ Guidance: Best Practices for Victim Response and Reporting of Cyber Incidents, April 2015: Another seminal release which provides a roadmap for pre- and post-breach considerations. This document will help if you are considering making concrete or enhancing your Incident Response and Recovery Plan.
- OCIE’s 2015 Cybersecurity Examination Initiative, September 2015: Round two of the sweep process chose six constructive areas of focus with which all firms should be familiar: Governance; Access Rights and Controls; Data Loss Prevention; Vendor Management; Employee and Vendor Training; and Incident Response. The current initiative assures that we will be talking about cybersecurity as future results are rolled out and eventually baked into the standard examination process.
- NFA Adopts Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity, October 2015: The effective date for these requirements is March 1, 2016, and the Notice is built largely from well-understood standards like the NIST Framework for Improving Critical Infrastructure Cybersecurity. The notice states: “The Member’s ISSP should be approved, in writing, by the Member’s Chief Executive Officer, Chief Technology Officer, or other executive level official. Additionally, if applicable, the Member’s senior management should periodically provide sufficient information about the Member’s ISSP to the Member’s board of directors or similar governing body, the board’s or governing body’s delegate or a committee of the board or body to enable it to monitor the Member’s information security efforts.” The NFA is looking for certified accountability at the top of firms subject to the Notice; this could well be a precursor to similar Rules efforts at SEC- and FINRA-governed firms.
- The SEC Brings an Enforcement Action Tied to Cybersecurity Implicating News Wire Services, August 2015: Commissioner Aguilar and his Chief of Staff had prepped the public for this large-scale enforcement with discussions of the activities of the FIN4 group and attempts by hackers to gain material non-public information. This insider trading-related case involved charges against 17 individuals and 15 entities. Two insider trading groups netted over $100 million in illegal profits over a 5-year period. While we can expect more enforcement activities tied to cybersecurity, the real takeaway is that companies and investment firms must be proactive in protecting MNPI.
- SEC Brings Enforcement against R.T. Jones, September 2015: The SEC’s Order referenced R.T. Jones’s failure “to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by the Safeguards Rule.” While many view the failures related to R.T. Jones’s management of a third-party webserver as egregious, the SEC has stated these missteps in terms of policy and procedure shortcomings. The primary lesson here is that firms need to get practices into documentation, the lens through which the SEC views the world.
- Wyndham Hotels and Resorts agrees to settle with the FTC, December 2015: While no formative law resulted from this significant case, the settlement itself carries substantial implications for Wyndham and perhaps some prescriptive lessons and guidance for all firms protecting customer and client data. Wyndham is required to obtain annual security audits that conform to the Payment Card Industry Data Security Standard. Wyndham must conform to this and other requirements for 20 years. With the FTC viewing security audits as a remedial measure, it makes sense for all firms, especially those considered critical infrastructure providers, like investment management companies, to consider security audits as a means of reducing business, regulatory, and legal risk.
You are going to have to go deeper than the 2015 CliffsNotes version of IT Security and Cybersecurity to effectively understand and participate in the management of related risks. One important observation, however, is that the NIST Cybersecurity Framework is referenced in every piece of guidance mentioned in this post. We are arriving at a fairly obvious recommendation: the NIST CSF should be seriously considered as a solution for reasonably documenting your firm’s practices against the Framework’s subcategories. We have already seen that the Framework is serving as a validation of cybersecurity practices for investor due diligence requests, the previously mentioned Value-Add.
- Aguilar: Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus
- SEC’s Cybersecurity Examination Sweep Summary
- FINRA’s Report on Cybersecurity Practices
- Division of Investment Management’s Cybersecurity Guidance Update
- DOJ’s Guidance For Victim Response and Breach Reporting
- OCIE’s 2015 Cybersecurity Examination Initiative
- NFA Adopts Interpretive Notice Regarding Information Systems Security Programs—Cybersecurity
- SEC Charges 32 Defendants in Scheme to Trade on Hacked News Releases
- SEC’s Order and Offer of Settlement Regarding R.T. Jones
- FTC/Wyndham Settlement Announcement