The chief compliance officer should have an “active role” in discussing a firm’s cybersecurity threats not only with technology personnel but also with management, outside vendors and even fund boards, David Joire, senior counsel in the Securities and Exchange Commission’s Division of Investment Management, said Thursday.
Speaking on a cybersecurity panel discussion at the Investment Company Institute’s annual conference in Washington, Joire said that the SEC’s Office of Compliance Inspections and Examinations isn’t the only division providing guidance to firms on cybersecurity, pointing to the IM division’s recently released guidance to help advisors and funds address their cyber risks.
The guidance provides “high-level advice on risk management, but more importantly around the compliance aspect,” he said, noting the three rules addressed in the guidance: Regulation S-P (Privacy of Consumer Financial Information); Regulation S-ID (identity theft), and Rule 38a-1, which includes business continuity requirements.
The Department of Justice’s Cyber Unit released its own guidance detailing best practices for response to and reporting of cyber incidents.
Ronald Rowe, senior advisor to the National Intelligence Officer of Cyber Issues, Office of the Director of National Intelligence for the National Intelligence Council, who sat on the panel with Joire, repeated the oft-heard warning that it’s not a matter of “if” a cyberattack will occur, but “when,” and noted that JPMorgan’s handling of its cyberattack last year should be a model for all firms.
JPMorgan “did a good job last year,” and “got out in front” of the attack from a public-relations standpoint. Hackers in Russia tried to compromise data of 83 million households during an attack on the megabank last summer.
When an attack happens, “you want to have the public relations people ready because your brand matters,” Rowe said. “You want to be able to have your messaging ready to go. JPMorgan CEO “Jamie Dimon knew everything that was going on in that investigation, and was in the weeds on it.”