Cybersecurity is one of the top risks of the financial services sector and the securities market more specifically, according to Christopher Hetner, senior cybersecurity advisor to the chairman of the Securities and Exchange Commission.
“With the cybersecurity landscape steadily evolving, it’s imperative that we as a collective community continue to strengthen our coordinated approach to cybersecurity policy,” Hetner said. “Both at the SEC and with market participants and government bodies.”
Hetner recently spoke on a panel at the 2018 FINRA Cybersecurity Conference addressing the cybersecurity regulatory landscape.
“On an increasing basis, we’re seeing the use of ransomware that encrypts files and certain programs, entire operating systems, across a suite of servers and computers [and] therefore disabling operations so it really has a business impact in terms of your ability to operate,” Hetner said.
Hetner explained that some cyber incidents involve criminals looking for information such as mergers and acquisition activity, earnings information or product developments, with the intention of using that information for illicit profits. Other cases, he added, involve broader sector intrusions by state-sponsored actors with a range of motivations and potential consequences.
“The threat landscape and the pervasiveness of this risk is not going away,” Hetner said. “In fact, it’s getting more sophisticated.”
The SEC’s long-term approach to cybersecurity is for the markets to develop robust protocols and dedicate sufficient resources so that firms, and the markets more broadly, become uninviting targets.
“Thus shifting the threat actor’s attention from the securities market and making it go somewhere else,” Hetner added.
The SEC’s thinking on cybersecurity is anchored to a broad set of four principles, according to Hetner. The first is that cybersecurity should be aligned to the business strategy with support from the board all the way downstream to staff.
“Cybersecurity ultimately permeates the fabric of the company,” Hetner said. “It’s not strictly an IT issue.”
The next principle is risk management. According to Hetner, cybersecurity should be an integral “part of your enterprise risk management program.”
“This elevates cybersecurity outside of the information technology penalty box, and makes it an enterprise risk issue,” he said.
The third is related to operational capabilities. The SEC looks at firms in terms of their abilities to implement specific technology, policies, procedures and incident response capabilities.
The fourth principle is the “integration of cybersecurity into your business.”
“Be sure you have a well-created program to understand where your most critical assets are,” Hetner added.
Meanwhile, the Treasury Department is trying to be proactive in its approach to cybersecurity, according to Brian Peretti, director for the office of critical infrastructure protection and compliance policy at Treasury. Peretti was on the panel with Hetner.
“Rather than wait until a cyber event materializes, we’re exploring ways we can identify and eliminate the broader vulnerabilities before they can be exploited by a threat,” Peretti said. “This approach aims to prevent cyber incidents from happening in the first place.”
According to Peretti, the Treasury Department is working to do this through five different work streams.
First is harmonization among regulators. “In order to better reduce operational risks, we need to speak the same language,” Peretti explained. He added that the department is working to determine where there is overlap in the terminology used by regulators.
Second, the Treasury Department is working to assess sector vulnerabilities. According to Peretti, the department is “seeking to develop a baseline of existing vulnerabilities to determine if there are commonalities and areas of potential systemic risk.”
Third, the department is working to develop a way for regulators to “clearly receive” requests from the industry in order to enable assistance during cyber crises, according to Peretti.
“We’re also working to pre-identify what those requests could be and to allow for advance planning,” he added.
Another thing Treasury is doing is third-party risk management. “Financial institutions increasingly rely on third parties for a variety of products and services for the purposes of enhancing business operations, reducing costs and mitigating risks,” Peretti explained.
He added that the department is working with the industry to get a better understanding of third-party risk management processes, identify gaps and challenges, and develop techniques with the goal of reducing risks going forward.
Finally, Peretti said the Treasury Department is working on a series of cybersecurity exercises to prepare the financial sector for risks and challenges presented by cyber incidents.