In assessing firms’ cyber preparedness, the Securities and Exchange Commission is “looking for firms that have significant risks that they aren’t disclosing,” Robert Cohen, head of the agency’s cyber unit, said Monday.
Speaking on a panel at the North American Securities Administrators Association’s cyber roundtable in Washington, Cohen stated that it’s not the “SEC’s approach to dictate specific [cyber] controls” on regulated entities. “I don’t know that that’s the most effective way to ensure compliance. We do more, especially for the financial industry, through exams, to see what they’re doing and see if they’re prepared.”
“For the commission to dictate you must do this, you must do that, sometimes we’ll publicize best-practice issues … but generally, if the commission dictated something, I’d be concerned that it gets out of date really quickly.”
The best source of expertise in the cyber realm, he added, “is within the industry and the consultants they employ.”
What does the SEC look for when assessing firms’ preparedness?
“Really you can learn a lot just by asking firms what they do to prepare” for cyber breaches, Cohen said.
Cohen cited the recent charge against Voya Financial Advisors Inc. for violating Regulation S-P or the Safeguards Rule and the Identity Theft Red Flags Rule, as “a classic mistake that we see.”
Des Moines-based broker-dealer and investment advisor Voya, which agreed to pay $1 million to settle charges for cybersecurity failures that led to a cyber intrusion that compromised thousands of customers’ personal information, “had policies and procedures and controls, but really didn’t enforce it across the board,” Cohen said.
The Voya case was the first SEC enforcement action charging violations of the Identity Theft Red Flags Rule. “This case is a reminder to brokers and investment advisors that cybersecurity procedures must be reasonably designed to fit their specific business models,” said Cohen, when the complaint was filed in late September. “They also must review and update the procedures regularly to respond to changes in the risks they face.”
FBI Has Doubled Agents in Cyber Program
Meanwhile, Supervisory Special Agent Matthew Floyd of the FBI stated at the roundtable that cybercrime causes “billions of dollars of losses every year,” and is the FBI’s third priority behind counterterrorism and counterintelligence.
“We’re continually banging our heads against a wall to try to figure out how we can better combat this,” he said, adding that over the last several years the FBI has doubled the number of agents in its cyber program.
“As we look into cybercrime, very rarely does it not cross international borders,” he added.
Business email compromise continues to be one of the top scams, with an average loss of $130,000.