With major data breaches making headlines on a near-weekly basis, many in the securities industry have wisely begun to focus on developing an effective approach to cybersecurity. Although cybersecurity plans can vary widely among firms depending upon their business, clientele and technical architecture, among other things, effective plans include the following features.
1. Build a Strong Cybersecurity Team
The first step in developing an effective approach to data security is choosing the right information security team. Effective teams are cross-sectional and include personnel from legal, information technology, human resources, and communications or public relations departments. The team should also include at least one member of senior management.
2. Conduct a Privacy Survey
Companies should conduct a privacy survey, which is the process of identifying the legal and regulatory landscape that applies to companies in the industry and to the types of data that the company collects and maintains. Firms in the securities industry should consider:
— Regulatory regime. SEC and FINRA scrutiny of industry cybersecurity measures is based on two SEC regulations. Regulation S-P requires firms to establish written policies and procedures to ensure the security and confidentiality of customer records and information. Regulation S-ID focuses on preventing identity theft. Under Regulation S-ID, companies are required to create and maintain reasonable policies and procedures to promote identification, detection and responses to red flags for identity theft.
— Federal and state laws. For example, the Gramm-Leach-Bliley Act (GLBA) requires organizations to protect banking and financial information, and has direct application to the securities industry. Additionally, many states have laws that require companies to protect personally identifiable information (PII) of customers and employees, and to notify individuals if their PII is breached. Although the definition of PII varies from state to state, PII generally covers data that can be used to identify a specific individual including Social Security numbers, driver’s license numbers, financial account information and other identifying information.
— Contractual obligations. When the company will be responsible for maintaining a third party’s data, the company should consider whether the contract creates additional cybersecurity obligations or cybersecurity liability in the event of a breach. When the company’s data will be maintained by a third party, the company should take care to enter contracts that ensure the company’s data will be protected.
— Industry standards, audit protocols and internal policies related to privacy and security
3. Understand Technical Systems
The information security team should develop a specific and detailed understanding of its own network and identify where sensitive data is stored. Sensitive data includes data protected by law, data protected by contract, personally identifiable information and proprietary data.
Next, the team should ensure that sensitive data is segregated from regular data and subject to additional physical, technical or procedural protections, such as:
Segmenting the network to separate sensitive data from non-sensitive or public data and using technical protections, such as firewalls, to protect the sensitive segments
Using password protection and encryption on sensitive data
Restricting physical access to hardware (including servers and computers) and physical files
4. Implement “Privacy by Design”
The company should take a “privacy by design” approach when developing cybersecurity solutions. This means that the company should create policies and procedures that account for customer privacy, legal compliance and data protection throughout the data life cycle (i.e., collection, processing, storage and destruction). As part of this effort, the company should develop comprehensive policies to address privacy and data security, including:
A “bring your own device” (BYOD) policy governing whether, and under what circumstances, employees can use their own devices to conduct company business
A password policy requiring the use of strong, complex, unique passwords
Personnel policies (including onboarding and off-boarding policies) that enhance security
A network tracking policy requiring regular monitoring of network traffic for evidence of suspicious access
5. Train Employees
Regardless of the industry, employees are a frequent source of data breaches. To combat this, the company should clearly establish that it takes data security and unauthorized computer access seriously. Many cyberattack techniques exploit employees’ inattention and lack of technical expertise. Employees need regular training on how to identify and prevent attempted cyberattacks.
6. Manage Vendors
Relationships with third-party vendors can pose substantial cyber-risks that should be mitigated to the extent possible. Vendors should only receive the network access and data necessary to perform their role. The company should scrutinize the adequacy of a third party’s cybersecurity policies and procedures before entering into a business relationship with that company. Contractual safeguards should be taken to minimize risk, including requiring safeguards to protect sensitive data, providing rights to audit the vendors’ security practices and requiring vendors to notify the company if a breach occurs. The contract should allocate risk in the event that a breach at the vendor harms the company. (Among other things, companies should consider requiring vendors to carry cyber insurance and to name the companies as additional insureds.)
7. Engage in Information Sharing
One way for companies to ensure that their data security solutions remain up to date is by participating in industry cybersecurity information sharing through, for example, Information Sharing and Analysis Organizations (ISAOs). ISAOs allow industry players to keep abreast of evolving cyberattack tactics and industry security standards. Companies that do not actively participate in industry information sharing risk falling behind in their cybersecurity initiatives and may miss critical information that could prevent or mitigate the consequences of a cyberevent.
8. Consider Cybersecurity Insurance
The company may also benefit from cybersecurity insurance coverage. Depending on the policy, cyber insurance may cover forensic investigation and system restoration costs; defense and indemnity costs associated with litigation resulting from the loss of personal information or other sensitive data; defense costs and penalties associated with regulatory investigations; notification costs and credit monitoring for affected customers and employees; losses attributable to the theft of the policyholder-company’s own data (including transfer of funds); business interruption costs attributable to a cyberattack; costs required to investigate threats of cyberextortion and payments to extortionists; and crisis management costs, such as the hiring of public relations firms.