Cybersecurity is an “an operational risk issue, not generally owned” by a firm’s chief compliance officer and legal department, Daniel Sibears, FINRA’s EVP of regulatory operations said Tuesday at the joint FINRA and Securities and Exchange Commission Broker-Dealer Compliance Outreach Seminar in Washington.
However, while cybersecurity isn’t “owned by the CCO community,” the partnership between compliance and operational risk personnel should be “strong,” and compliance should be “an advocate and understanding risks to the business,” Sibears told attendees at the seminar held at SEC headquarters in Washington. For instance, compliance can help the BD “understand how to convert a [cyber] threat or intrusion into dollars” that it could cost a firm.
Jenny Menna, Cybersecurity Partnership Executive at U.S. Bank, who spoke on the cybersecurity panel with Sibears at the BD Outreach Seminar, stated that cybersecurity is a “growth industry with job security as adversaries are getting more sophisticated” and they have “more tools” at their disposal. Cybercrime, she said, is “the biggest issue” for compliance and risk management professionals.
(Check out: Shedding a Light on Shadow IT)
Lon Dolber, CEO of American Portfolio Financial Services, another panel member, stated that among the cyberattacks his BD has seen includes 20 different instances where someone impersonating a client has emailed one of the BD’s advisors asking them to perform a certain transaction, such as a wire transfer.
Menna added that there are also incidences of extortion, where cyber criminals will threaten a certain action if their request isn’t honored.
FINRA’s Sibears added that “ransoms” are “getting more sophisticated,” with cyber criminals willing to show the harm they can do.
SEC Chairwoman Mary Jo White told compliance officers at the seminar that it’s not the SEC’s “intention to use our enforcement program to target compliance professionals,” however the agency ”must, of course, take enforcement action against compliance professionals if we see significant misconduct or failures by them.”
Being a CCO “obviously does not provide immunity from liability, but neither should our enforcement actions be seen by conscientious and diligent compliance professionals as a threat,” White said. “We do not bring cases based on second guessing compliance officers’ good faith judgments, but rather when their actions or inactions cross a clear line that deserve sanction.”