Cybersecurity was a hot topic in 2015, and will continue to be this year, with the regulatory agencies issuing guidance and notices relating to firms’ cybersecurity practices.
The National Futures Association (NFA) issued a cybersecurity Interpretive Notice in October 2015, which became effective on March 1, 2016. It requires NFA Members to adopt supervisory practices “reasonably designed to diligently supervise the risks of unauthorized access to or attack of their information technology systems, and to respond appropriately should unauthorized access or attack occur.” The notice outlines the key areas that a Member’s Information Systems Security Program (ISSP) should address: a written program, a security and risk analysis, deployment of protective measures against the threats and vulnerabilities identified, an incident response plan, and employee training.
In addition, Members must regularly monitor and review the effectiveness of their ISSP, and the notice also addresses the risks posed by third-party service providers and the records Members must keep relating to the program.
The NFA appears committed to taking a cooperative approach with firms implementing cybersecurity practices, looking to work with Members “to help move them towards compliance.” This stands in stark contrast to the punitive approach of other regulatory agencies.
OCIE will continue its efforts in examining cybersecurity controls, with its 2015 Cybersecurity Examination Initiative serving as a roadmap for the aspects of cybersecurity it will focus on in 2016. Those priorities are governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. At the recent SEC Speaks conference in February, Deputy Director of Enforcement Stephanie Avakian noted that the SEC is focused on cases where there has been a failure to safeguard customers’ information, cases where material nonpublic information has been stolen for the purpose of illegal trading, and cybersecurity disclosure failures by public companies (although it has yet to bring a case charging the last of these). There appears to be a trend in cybersecurity enforcement actions that mirrors what we have seen in AML enforcement actions: the SEC will commence actions against firms that have not adopted any written cybersecurity policies and procedures, as was the case in the SEC order against R.T. Jones Capital Equities Management.
In its 2016 Regulatory and Examination Priorities Letter, FINRA stated that it will focus on firms’ supervision and risk management related to cybersecurity, technology management, and data quality and governance.
In reviewing firms’ approaches to cybersecurity risk management, FINRA will examine governance, risk assessment, technical controls, incident response, vendor management, data loss prevention, and staff training. These reviews will also consider firms’ ability to protect the confidentiality, integrity, and availability of sensitive customer information. With regard to technology management, FINRA will examine firms’ technology governance and change management practices. In examining data quality and governance, FINRA will assess firms’ data governance, quality control, and reporting practices to ensure that firms can adequately monitor and report the key information needed for effective risk management.