The chief compliance officer should have an “active role” in discussing a firm’s cybersecurity threats not only with technology personnel but also with management, outside vendors and even fund boards, David Joire, senior counsel in the Securities and Exchange Commission’s Division of Investment Management, said Thursday.
Speaking on a cybersecurity panel discussion at the Investment Company Institute’s annual conference in Washington, Joire said that the SEC’s Office of Compliance Inspections and Examinations isn’t the only division providing guidance to firms on cybersecurity, pointing to the IM division’s recently released guidance to help advisors and funds address their cyber risks.
The guidance provides “high-level advice on risk management, but more importantly around the compliance aspect,” he said, noting the three rules addressed in the guidance: Regulation S-P (Privacy of Consumer Financial Information), Regulation S-ID (identity theft), and Rule 38a-1, which includes business continuity requirements.
The Department of Justice’s Cyber Unit released its own guidance detailing best practices for response to and reporting of cyber incidents.
Ronald Rowe, senior advisor to the National Intelligence Officer of Cyber Issues, Office of the Director of National Intelligence for the National Intelligence Council, who sat on the panel with Joire, repeated the oft-heard warning that it’s not a matter of “if” a cyberattack will occur, but “when,” and noted that JPMorgan’s handling of its cyberattack last year should be a model for all firms.
JPMorgan “did a good job last year,” and “got out in front” of the attack from a public-relations standpoint. Hackers in Russia tried to compromise data of 83 million households during an attack on the megabank last summer.
When an attack happens, “you want to have the public relations people ready because your brand matters,” Rowe said. “You want to be able to have your messaging ready to go.” JPMorgan CEO Jamie Dimon “knew everything that was going on in that investigation, and was in the weeds on it.”
Rowe said that “no one agency can solve” the cybersecurity threat issue and that there has “to be collaboration between the government and the private sector.” JPMorgan, he added, “saw threat indicators and put it out to others” as a warning.
But Rowe stated that a “catastrophic” cyberattack is “unlikely,” noting that what’s more likely are “lower or moderate level” attacks that inflict harm on segments of the government and private sectors. A “catastrophic event deserves to stay in a Hollywood script.”
Mark Nicholson, principal at Deloitte & Touche, another panelist, said that firms must “establish a culture of awareness” around cybersecurity, adding that Deloitte performs “fake [email] phishing campaigns” internally to assess who’s falling for them.
At the least, he said, firms should be following the Cybersecurity Framework issued by the National Institute of Standards and Technology (NIST) to provide a “framework” and use as a “baseline” on how they’re doing.
Joire added that whether it’s NIST or another standard that firms are following, “we think that should be fine.”
Nicholson added that even small firms can “have interactions that make you a [cyber] target,” stating that firms of all sizes must tailor their cybersecurity policies based on their firm’s risks.
SEC’s Joire added that “a lot of small firms have outside vendors, and they must do some due diligence” on those vendors’ cyber practices and readiness.