JPMorgan Chase & Co. Chief Executive Jamie Dimon fired one of the first shots in the financial services industry’s war on computer hackers after a 2014 cyberattack on his bank compromised data belonging to 7 million small businesses and 76 million households.
In a letter to shareholders that year, Dimon spoke of the “absolute, critical and immediate” need to combat cybersecurity threats along with related fraud issues and privacy protection.
Notably, Dimon followed up those words with an acknowledgment that businesses will have to work hand in hand with regulators to restrict use of the bank’s data by third parties and ensure that customers’ money and identities remain safe.
“I do not believe that most people fully understand what no longer is private and how their information is being bought, sold and used,” Dimon wrote. “It is critical that government and business and regulators collaborate effectively and in real time. Cybersecurity is an area where government and business have been working well together, but there is much more to be done. And if it is not done in a concerted way, we all will pay a terrible price.”
To be sure, the price that JPMorgan is willing to pay to protect its accounts and data keeps growing rapidly. In its 2014 annual report, the bank said it spent $250 million that year on its cyber-strengthening efforts.
Since then, JPMorgan has said it expects to double that amount in both 2015 and 2016, bringing its cybersecurity spending to $1 billion over the course of just two years.
Broker-dealers are engaged in a joint effort to warn each other when their systems have been targeted by hacking attempts. Their primary channel for reporting such threats is the Financial Services Information Sharing and Analysis Center, or FS-ISAC, a worldwide network of regulated financial services firms and government agencies that allows members to collaborate and take action to avert security threats.
Andy Zolper, chief information technology officer for Raymond James, said the company is an active FS-ISAC member, which currently comprises 7,000 member firms.
“We share threat intelligence on a daily basis with other FS-ISAC members about attack attempts,” Zolper said. “It’s anonymous. I don’t need to know whether it was Citibank or LPL Financial, but I know what the attack looked like on the day it happened. ‘Indicators of compromise’ is the trade term. We can then tune our defenses to stop that attack if it’s directed at Raymond James.”
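The “tune our defenses” step Zolper describes usually starts with the mechanical part: taking the shared indicators of compromise (IP addresses, domains, file hashes, address ranges) and sweeping local logs for them. The following is an added example, not code from the article or from Raymond James or FS-ISAC; the feed format (a simple type,value,description CSV), the indicator values and the log lines are all constructed for illustration and refer to no real incident.

```python
"""Added example: matching shared indicators of compromise (IOCs) against
local log lines. The IOC feed format, all indicator values and all log lines
below are constructed for illustration (not real IOCs, not a real incident)."""
import ipaddress
import re

# Constructed IOC feed in a minimal CSV-like shape: type,value,description
IOC_FEED = """\
ipv4,198.51.100.23,phishing landing page (constructed)
domain,login-secure-update.example,credential harvesting page (constructed)
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,dropper (constructed)
cidr,203.0.113.0/24,scanning source range (constructed)
"""

# Constructed log lines: proxy, mail gateway, firewall, and a benign proxy entry
LOG_LINES = [
    '2016-01-12T09:14:03Z proxy user=jdoe dst=login-secure-update.example url=/auth status=200',
    '2016-01-12T09:16:45Z mailgw from=news@example.org attach_sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef',
    '2016-01-12T09:20:11Z fw src=203.0.113.77 dst=10.0.0.5 dport=445 action=deny',
    '2016-01-12T09:21:30Z proxy user=asmith dst=www.example.com url=/ status=200',
]

IP_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
SHA256_RE = re.compile(r'\b[0-9a-f]{64}\b', re.I)
DOMAIN_RE = re.compile(r'\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b', re.I)


def parse_feed(text):
    """Parse the feed into exact-match sets per type, plus a list of CIDR networks."""
    iocs = {'ipv4': set(), 'domain': set(), 'sha256': set()}
    cidrs = []
    for line in text.splitlines():
        if not line.strip() or line.startswith('#'):
            continue
        kind, value, _desc = line.split(',', 2)
        if kind == 'cidr':
            cidrs.append(ipaddress.ip_network(value, strict=False))
        elif kind in iocs:
            iocs[kind].add(value.lower())
    return iocs, cidrs


def match_line(line, iocs, cidrs):
    """Return a list of (ioc_type, value) hits found in one log line."""
    hits = []
    for ip in IP_RE.findall(line):
        if ip in iocs['ipv4']:
            hits.append(('ipv4', ip))
            continue
        # Exact IP misses are still checked against shared address ranges.
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # e.g. 999.1.1.1 matched the regex but is not an address
        for net in cidrs:
            if addr in net:
                hits.append(('cidr', str(net)))
    for digest in SHA256_RE.findall(line):
        if digest.lower() in iocs['sha256']:
            hits.append(('sha256', digest.lower()))
    for domain in DOMAIN_RE.findall(line):
        if domain.lower() in iocs['domain']:
            hits.append(('domain', domain.lower()))
    return hits


def scan(log_lines, feed_text=IOC_FEED):
    """Map each log line index that hit at least one indicator to its hits."""
    iocs, cidrs = parse_feed(feed_text)
    results = {}
    for index, line in enumerate(log_lines):
        hits = match_line(line, iocs, cidrs)
        if hits:
            results[index] = hits
    return results


if __name__ == '__main__':
    for index, hits in scan(LOG_LINES).items():
        print(index, LOG_LINES[index][:40], hits)
```

Lowercasing hashes and domains before comparison, and checking address ranges as well as single addresses, are the two normalizations that most often separate a feed that fires from one that silently misses; in practice the feed would come from the FS-ISAC portal or a STIX/TAXII client rather than an inline string, and the log lines from a SIEM query.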
As for Raymond James’ involvement with the regulatory issues around cybersecurity, Zolper said the company’s corporate structure requires oversight by a number of agencies. He described a complex regulatory pathway that extends Raymond James’ cybersecurity supervision across the Federal Reserve, the Office of the Comptroller of the Currency (OCC), the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA) and the interagency Federal Financial Institutions Examination Council (FFIEC).
Even before the SEC and FINRA became involved in 2015, he said, Raymond James was operating under a cybersecurity framework launched in 2014 by the Obama administration and the Commerce Department’s National Institute of Standards and Technology (NIST).
While complicated, this regulatory pathway offers uniform cybersecurity standards and practices for broker-dealers, Zolper said.
“The SEC and FINRA have compared regulatory notes with other organizations. We have seen very good alignment between the SEC, NIST and FFIEC,” he said. “We haven’t seen anything in their emphasis that is materially different from what other regulators expect. We map points of focus to the existing framework on NIST to assure ourselves there are no gaps between what the SEC is expecting and what we already expect of ourselves based on our implementation of the NIST framework.”
The advisory industry, government and consumers all have the same goal of mitigating cyber threats, said Tom Price, managing director and head of technology and operations within the Securities Industry and Financial Markets Association, a trade group. SIFMA is an FS-ISAC supporter and has set a goal for 100% of its members to join FS-ISAC’s collaborative cybersecurity forum.
“Given the multitude of regulators that oversee the financial services industry, it is critical that cybersecurity rules be coordinated across agencies to avoid conflicting or divergent rules that would be counterproductive to our collective cyber defense efforts,” Price said in a statement.
Yet with FINRA and the SEC’s determined entry into the cybersecurity debate, it’s clear that these two heavyweight regulators are stepping up their game among broker-dealers.
Brian Edelman, chief executive of Financial Computer Services, a company with an expertise in cybersecurity for broker-dealers, points to certain recent communications as “the two most important documents to come out in the cybersecurity space ever.”
The first, which Edelman describes as “the instruction manual on what every firm has to do” is a September 2015 cybersecurity examination initiative from the SEC’s Office of Compliance Inspections and Examinations (OCIE) based on cybersecurity sweeps that it conducted in 2014 at 57 registered BDs and 49 registered investment advisory (RIA) firms.
The second is a January 2016 FINRA priorities letter to member firms based on those OCIE cybersecurity sweeps. The key word in this year’s priorities letter is culture, Edelman said.
Edelman added: “FINRA is expecting a firm ‘culture’ of cybersecurity. Cybersecurity requires a lot more updating than a firm may require in its own culture, and it’s much harder for a larger organization to make changes. Say you’ve got thousands of employees where you’re buying a lot of software licenses. It creates complexity for broker-dealers and wirehouses.”
Neal Quon, partner and chief financial officer of QuonWarrene, which provides technology advice to financial advisors and institutions, agreed that those two letters sum up the inherent risks in today’s business climate.
“It’s not just about the hardware or software anymore. It’s also about behavior,” said Quon, who noted that the massive Target data breach in 2013 happened when hackers stole a third-party vendor’s password to Target’s data network.
As an example of cultural complexity, Edelman noted that hybrid advisors who maintain an affiliation with a BD and an RIA can create regulatory headaches for firms that are responsible for cybersecurity but have no control over the advisor’s workspace or the multiple custodians the advisors might use.
“The advisor is both a registered rep salesperson of the broker-dealer and an investment advisor of the RIA,” Edelman said. “The broker-dealer has rights to dictate what the registered rep has on their computer, but the advisor views themselves as independent. And guess who the advisor does not want to have access to their computer? The broker-dealer.”
At the same time, this puts the onus on advisors to better safeguard their client accounts, Quon said.
“The home office can distribute the policies provided by regulators and enforce them, but the responsibility to secure mobile devices ultimately rests with the advisor, especially in a ‘bring your own device’ scenario, where the device has not been furnished by the sponsoring firm,” he said.
Wes Stillman, CEO of RightSize Solutions, a tech provider to advisory firms, said the move to Web-based applications for advisors, broker-dealer reps, end investors and third-party vendors has further increased cybersecurity challenges, especially as more people use digital devices to conduct business outside of a traditional workplace.
For example, if an advisor fills out an account form while meeting a new client in a coffee shop, the form will likely be downloaded to a mobile device and eventually stored on another computer at a home office somewhere. Wherever the new account form is, whether at rest or in transit, its security is at risk, Stillman said.
“The more technology evolves, the more it poses challenges to how safe information is if it’s stored outside of the solution that the broker-dealer has put into place,” he said. “But if the broker-dealer says ‘you must use our platform,’ that may rub people the wrong way.”
In a letter introducing the 2016 priorities, FINRA Chairman and CEO Richard Ketchum said a more formalized assessment of firm culture will help FINRA “better understand how culture affects a firm’s compliance and risk management practices.”
While FINRA’s priorities letter says the authority “does not seek to dictate firm culture,” it does intend to assess each firm’s culture and to take that assessment into account in deciding how much regulatory attention to devote to the firm.
FINRA plans to assess five indicators of a firm’s culture: whether control functions are valued within the organization; whether breaches are tolerated; whether the organization seeks to identify risk and compliance events; whether supervisors are effective role models of firm culture; and whether sub-cultures at branch offices and trading desks conform to overall corporate culture.
A January legal update from law firm Dechert LLP underlines how seriously regulators are now taking cybersecurity in their exams of broker-dealers and investment advisors. The law firm noted that one week after the SEC issued its OCIE cybersecurity examination initiative in September 2015, the agency announced the settlement of an enforcement proceeding against an advisor for failing to establish cybersecurity policies and procedures, in violation of the Safeguards Rule of Regulation S-P, which is designed to protect the privacy of consumer financial information.
The advisor, St. Louis-based R.T. Jones Capital Equities Management, agreed to settle SEC charges that it failed to establish required cybersecurity policies and procedures prior to a breach that compromised the personally identifiable information of about 100,000 individuals. R.T. Jones agreed to pay a $75,000 penalty over the July 2013 attack on its Web server by an unknown hacker, who gained access and thereby left thousands of the firm’s clients vulnerable to identity theft.
Darren Tedesco, managing principal of technology for Commonwealth Financial Network, a large independent broker-dealer, said his firm received and responded to the OCIE cybersecurity exam initiative but never got a reply from the SEC.
“Sometimes no news is good news,” Tedesco said. “What was impressive was that the SEC was asking intelligent questions that no one had asked before about how data is secured. It’s refreshing to see the regulators are asking the right questions about cybersecurity. They want to make sure data is protected appropriately.”