Cybersecurity is one of the top risks of the financial services sector and the securities market more specifically, according to Christopher Hetner, senior cybersecurity advisor to the chairman of the Securities and Exchange Commission.
“With the cybersecurity landscape steadily evolving, it’s imperative that we as a collective community continue to strengthen our coordinated approach to cybersecurity policy,” Hetner said. “Both at the SEC and with market participants and government bodies.”
Hetner recently spoke on a panel at the 2018 FINRA Cybersecurity Conference addressing the cybersecurity regulatory landscape.
“On an increasing basis, we’re seeing the use of ransomware that encrypts files and certain programs, entire operating systems, across a suite of servers and computers [and] therefore disabling operations so it really has a business impact in terms of your ability to operate,” Hetner said.
Hetner explained that some cyber incidents involve criminals looking for information such as mergers and acquisitions activity, earnings information or product developments, with the intention of using that information for illicit profits. Other cases, he added, involve broader sector intrusions by state-sponsored actors with a range of motivations and potential consequences.
“The threat landscape and the pervasiveness of this risk is not going away,” Hetner said. “In fact, it’s getting more sophisticated.”
The long-term approach for the SEC in terms of cybersecurity is for the markets to develop robust protocols and dedicate sufficient resources to make firms, and the markets more broadly, uninviting to attackers.
“Thus shifting the threat actor’s attention from the securities market and make it go somewhere else,” Hetner added.
The SEC’s thinking on cybersecurity is anchored to a broad set of four principles, according to Hetner. The first is that cybersecurity should be aligned to the business strategy with support from the board all the way downstream to staff.
“Cybersecurity ultimately permeates the fabric of the company,” Hetner said. “It’s not strictly an IT issue.”
The next principle is risk management. According to Hetner, cybersecurity should be an integral “part of your enterprise risk management program.”
“This elevates cybersecurity outside of the information technology penalty box, and makes it an enterprise risk issue,” he said.
The third is related to operational capabilities. The SEC looks at firms in terms of their abilities to implement specific technology, policies, procedures and incident response capabilities.