The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees, and hackers penetrating BD systems, Daniel Sibears of FINRA said at the Securities and Exchange Commission's cybersecurity roundtable.
Sibears, executive vice president of regulatory operations and shared services at FINRA, said those key threats were found in FINRA's recently launched cybersecurity exam sweep of BDs. “We have just started to get the results in of the sweep,” Sibears said, stressing that only a cross section of BDs had been analyzed and results were preliminary.
Sibears noted that beyond the top three threats mentioned above, BDs are also concerned about “phishing attacks” where customer information is misappropriated, trades are made and money is transferred out of a client's account.
John Denning, senior vice president of operational policy integration, development and strategy at Bank of America Merrill Lynch, who sat on the panel with Sibears, said that “firms must have robust information sharing systems” with law enforcement and regulators. “It's the only way we’re going to be able to reduce risk to the sector, to start the information sharing.”
Craig Thomas, chief information security officer at Computershare, said that firms must “believe that you are going to get attacked. You have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Should the SEC Do?
The “SEC should provide principles-based guidance due to the constantly changing landscape,” said Marcus Prendergast, director and corporate information security officer of ITG.
Sibears added that it was likely FINRA would “push out some effective practices,” but whether guidance would be rules-based or principles-based, he “can't say.”
However, he said, “we recognize this is a rapidly changing environment, so there has to be a component that allows the industry to adapt.”
Indeed, Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted during the first panel at the roundtable that while the financial services industry is likely the “most advanced in terms of thinking about cybersecurity” as they have “become technology firms,” they should exert a constant effort “to stay ahead” of potential threats.
“You can never say you are completely prepared,” he said.
Larry Zelvin, director of the National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security, added that “finance wins the cybersecurity threat award.” The sector is a “massive target” and those who want to attack the sector are “looking for an opening every day,” are “getting creative” and are multiplying quickly, he said.
SEC Commissioner Luis Aguilar said that the commission should establish a cybersecurity task force with members from each division.
Both the SEC and FINRA listed cybersecurity as one of their top exam issues for this year. FINRA issued in early February its targeted exam letter to firms stating that the self-regulator was assessing how firms manage cybersecurity threats.
The House Committee on Homeland Security unanimously approved in early February H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.
The bill was sent to the full House for consideration.
The committee said in a statement that the Act “addresses the cyberthreat by giving the Department of Homeland Security (DHS) the tools to secure our nation in cyberspace, while protecting privacy and civil liberties and prohibiting any new regulations at DHS.”
The bill codifies several cybersecurity efforts already in progress; beefs up others, like the National Cybersecurity and Communications Integration Center; and focuses on partnerships with the private sector. It is intended to be budget neutral.
As for the SEC, Jane Jarcho, national associate director of OCIE's National Exam Program, told chief compliance officers in late January that OCIE's exams will include assessing firms’ cybersecurity policies—and noted in early March that small firms won't get a “pass” on being required to have such policies.
The SEC announced in mid-April that it has started cybersecurity-related exams of more than 50 registered BDs and RIAs.