FINRA and the Securities and Exchange Commission continue their concerted efforts to ensure financial firms’ compliance with cybersecurity regulations. Both regulators have indicated that cybersecurity is one of their primary concerns for the coming year. In particular, FINRA intends to review firms’ approaches to cybersecurity risk management, examining one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training. In addition, FINRA will continue to examine firms’ ability to protect confidential client information, including compliance with SEC Regulation S-P. FINRA has continued to enforce cybersecurity requirements and will almost certainly step up its efforts to hold firms accountable for violations in this area.
Likewise, the SEC's Office of Compliance Inspections and Examinations (OCIE) has issued risk alerts over the past two years, first announcing the launch of OCIE's Cybersecurity Examination Initiative and then following up with a summary of that initiative. As an example of the SEC's increased scrutiny of firms’ cybersecurity measures, in 2015 the SEC instituted its first enforcement proceeding against a registered investment advisor for violations of Rule 30(a) of Regulation S-P, based on a failure to adhere to reasonable cybersecurity measures. Like FINRA, the SEC has indicated it will continue to take registered firms to task over this issue.
As both FINRA and the SEC have made clear, cybersecurity is at the top of their to-do lists — it should be at the top of investment firms’ lists as well. This article will look at the enforcement measures taken by both FINRA and the SEC regarding cybersecurity, and discuss best practices to navigate the challenging regulatory environment ahead.
What Is “Cybersecurity”?
Generally, FINRA takes a broad view and defines cybersecurity as the protection of investor and firm information from being compromised through — in whole or in part — electronic digital media (e.g., computers, mobile devices or Internet protocol-based telephony systems). “Compromised” refers to a loss of data confidentiality, integrity or availability.
FINRA understands that not all member firms will view the universe of issues impacted by FINRA's definition of cybersecurity as within the scope of their respective cybersecurity programs. For example, some firms would address social engineering fraud (e.g., fraudulent wire transfers carried out through socially engineered phishing attacks) through their anti-fraud programs, rather than their cybersecurity programs. This article will focus on those issues commonly addressed through firms’ cybersecurity programs.
Underlying Rules and Regulations
FINRA's enforcement actions regarding cybersecurity to date have sought to enforce NASD Rules 3010, 3011 and 3012; FINRA Rules 3110, 3310 and 2010; as well as Rule 30(a) of SEC Regulation S-P. The SEC also utilized Rule 30(a) of Regulation S-P in its recent enforcement action against a registered investment advisor regarding the advisor's cybersecurity protocols. Thus, Rule 30(a) of Regulation S-P has become the rule of choice of regulators seeking to enforce cybersecurity requirements. Rule 30(a) of Regulation S-P states as follows:
(a) Every broker, dealer and investment company, and every investment advisor registered with the Commission, must adopt written policies and procedures that address administrative, technical and physical safeguards for the protection of customer records and information. These written policies and procedures must be reasonably designed to:
(1) Ensure the security and confidentiality of customer records and information;
(2) Protect against any anticipated threats or hazards to the security or integrity of customer records and information; and
(3) Protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Representative Enforcement Actions
FINRA has brought multiple enforcement actions related to cybersecurity, dating back as far as 2006. The following examples illustrate the breadth of FINRA's power to enforce its cybersecurity agenda.
In each of the FINRA enforcement actions described herein, the respondent firms entered into acceptance, waiver and consent (AWC) agreements with FINRA, in which the firms neither admit nor deny the allegations, but consent to the entry of the findings of fact described in the orders for the purpose of the proceedings.
Department of Enforcement v. VCA Securities
In this enforcement action, FINRA alleged violations of NASD Conduct Rules 3010(a) and (b), 3012(a)(2)(B)(i) and FINRA Rule 2010 in connection with the hack of a VCA customer email account, which resulted in unauthorized letters of authorization (LOAs) and wire transfers to an unauthorized third-party bank account. In June 2014, an unauthorized user hacked the customer's email account, impersonated the customer and emailed three unauthorized LOAs to VCA to transfer money to an unauthorized account. VCA completed the first two transfers before realizing that the third LOA was, in fact, unauthorized. VCA had trained its representatives to verbally confirm the authenticity of LOAs received by email before transmitting customer funds to third-party accounts; however, the firm did not incorporate this requirement into its written supervisory procedures. The VCA representative did not verbally confirm the first two LOAs, but did contact the customer regarding the third LOA. VCA reimbursed the customer and ultimately recovered $175,257.26 from the hacker's third-party account.
FINRA found that VCA failed to establish, maintain and enforce an adequate supervisory system and adequate written supervisory control procedures reasonably designed to monitor the transmission of funds from customer accounts to third-party accounts. FINRA censured and fined VCA $35,000.
Department of Enforcement v. Sterne Agee & Leach
Here, FINRA alleged violations of Rule 30 of Regulation S-P, NASD Conduct Rule 3010 and FINRA Rule 2010 in connection with the inadvertent placement of the personal and confidential information of 352,551 customers at risk. An employee of the firm inadvertently left an unencrypted laptop in a public restroom and it was lost. The laptop contained highly sensitive files with account numbers, tax identification numbers, names and addresses of customers from a period of 21 years. Sterne Agee's information security policy and standards did not require encryption of laptop hard drives, despite the fact that the firm had acknowledged the need for encryption of laptops years prior to the loss.
FINRA found that the firm's systems were inadequate in light of FINRA Regulatory Notice 05-49, including “whether the member's existing policies and procedures adequately address the technology currently in use” and “whether the member has taken appropriate technological precautions to protect customer information.” The firm had no written supervisory procedures to ensure that the firm's most sensitive customer and proprietary information stored on laptops was being adequately safeguarded.
FINRA found Sterne Agee violated Regulation S-P, censured and fined the firm $225,000, and required the firm to conduct an internal review of the adequacy of its policies relating to Regulation S-P, including cybersecurity. Importantly, the AWC order reflects no evidence of customer loss relating to this incident.
Department of Enforcement v. Manhattan Beach Trading Financial Services
In this action, FINRA alleged Manhattan Beach Trading Financial Services (MB) failed to establish and implement anti-money laundering procedures adequately tailored to the firm's business and reasonably designed to verify customer identity, and to detect and report suspicious account transactions, in violation of FINRA Rules 3310 and 2010. Between May 2010 and September 2010, the firm opened accounts for four persons from a region in which, according to regulators, suspicious activity occurs more frequently than elsewhere in the world. The four customers then engaged in a fraudulent scheme of improperly accessing accounts of unsuspecting customers at other broker-dealers and executing short-sale transactions. The scheme guaranteed the four customers large profits in their MB accounts and was carried out entirely through MB's direct market access, or “DMA,” platform.
FINRA found that MB had inadequate written policies and procedures for opening new accounts and the firm did not adequately train its staff to review reports generated by a third-party vendor that MB retained to provide customer identification services (and which would have alerted MB to red flags concerning the four customers). FINRA also found MB failed to flag any trading activity for the four customers as suspicious or recognize that these four customers were on both sides of the trades (through their fraudulent access of unsuspecting customers’ accounts). FINRA censured and fined the firm $125,000.
Department of Enforcement v. D.A. Davidson & Co.
Here, FINRA alleged D.A. Davidson failed to protect confidential customer information by using a database server that held account numbers, Social Security numbers, dates of birth and similar data without adequate safeguards, in violation of Rule 30 of Regulation S-P and NASD Conduct Rules 2110 and 3010. The firm employed a public-facing Web server that hosted certain firm Web pages. The same computer also housed the confidential customer database, even though the Web pages it served were purely informational and did not support transactions. The database therefore sat on a machine with a persistent Internet connection, leaving it vulnerable to attack. The database was compromised when an unidentified third party downloaded the confidential customer information and demanded money from the firm.
The firm took its website down and reported the incident to authorities. FINRA, however, found that the firm did not maintain adequate supervisory systems, including a failure to have finalized written supervisory procedures designed to safeguard customer records, in violation of Rule 30 of Regulation S-P. These failures contributed to the compromise of the confidential information of 192,000 customers. Despite the firm's remedial efforts, and the fact that no customer losses had been suffered at the time of the AWC, FINRA censured and fined the firm $375,000.
Securities and Exchange Commission v. R.T. Jones Capital Equities Management
The SEC has not pursued registered firms with respect to cybersecurity as frequently as FINRA, but last year instituted an enforcement proceeding against an RIA for violations of Rule 30 of Regulation S-P in connection with a data breach that compromised personal identification information (PII) of the firm's customers (and tens of thousands of other individuals). In an administrative proceeding against R.T. Jones Capital Equities Management, the SEC found the firm failed to adopt any written policies and procedures reasonably designed to safeguard its clients’ PII as required by Regulation S-P, while maintaining client PII on its third-party hosted Web server. Although no known customer losses have occurred as a result of the data breach, the SEC censured R.T. Jones, ordered the firm to cease and desist from committing or causing any violations or future violations of Regulation S-P, and fined the firm $75,000.
What FINRA Expects From Firms
FINRA has recently grouped its expectations for cybersecurity best practices into eight principles-based categories:
Governance and Risk Management for Cybersecurity. Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. Effective practices include:
Defining a governance framework to support decision making based on risk appetite
Ensuring active senior management- and, as appropriate to the firm, board-level engagement with cybersecurity issues
Cybersecurity Risk Assessment. Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors, and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to:
Identify and maintain an inventory of assets authorized to access the firm's network and, as a subset thereof, critical assets that should be accorded prioritized protection
Conduct comprehensive risk assessments
Technical Controls. Firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself. Effective practices include:
Implementing a defense-in-depth strategy
Selecting controls appropriate to the firm's technology and threat environment
Incident Response Planning. Firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents. Effective practices for incident response include:
Preparation of incident responses for those types of incidents to which the firm is most likely to be subject, e.g., loss of customer PII, data corruption, DDoS attack, network intrusion, customer account intrusion or malware infection
Eradication and recovery plans for systems and data
Vendor Management. Firms should manage cybersecurity risk that can arise across the life cycle of vendor relationships using a risk-based approach to vendor management. Effective practices to manage vendor risk include:
Performing pre-contract due diligence on prospective service providers
Establishing contractual terms appropriate to the sensitivity of information and systems to which the vendor may have access, and that govern both the ongoing relationship with the vendor and the vendor's obligations after the relationship ends
Staff Training. Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include:
Defining cybersecurity training requirements
Identifying appropriate cybersecurity training update cycles
Cyber Intelligence and Information Sharing. Firms should use cyber-threat intelligence to improve their ability to identify, detect and respond to cybersecurity threats. Effective practices include:
Assigning responsibility for cybersecurity intelligence gathering and analysis at the organizational and individual levels
Establishing mechanisms to disseminate threat intelligence and analysis rapidly to appropriate groups within the firm; for example, the firm's risk management and front-line information technology security staff
Cyber Insurance. Firms should evaluate the utility of cybersecurity insurance as a way to transfer some risk as part of their risk management processes. Effective practices include:
For firms that have cybersecurity coverage, conducting a periodic analysis of the adequacy of the coverage provided in connection with the firm's risk assessment process to determine if the policy and its coverage align with the firm's risk assessment and ability to bear losses
For firms that do not have cyber insurance, evaluating the cybersecurity insurance market to determine if coverage is available that would enhance the firm's ability to manage the financial impact of a cybersecurity event
What to Do Now
It is clear that firms will need to make cybersecurity a focus, if they have not already, and devote substantial human and financial resources to ensuring the safety of customer and firm information. Not all firms are alike, however, in terms of their cybersecurity concerns. What is most important is that firms analyze their particular cybersecurity needs and develop principles-based supervisory procedures — in writing — to address those needs. When dealing with regulators (and customers alike), documentation of firms’ efforts to adhere to the laws, rules and regulations governing the securities industry is absolutely crucial. Just as “location, location, location” may be the mantra of the real estate industry, “documentation, documentation, documentation” should be the mantra of investment firms with respect to cybersecurity. Firms will also need to continually re-evaluate their cybersecurity needs and measures, updating them as necessary.