Continuing their heightened focus on the information security practices of regulated firms, both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) released reports Tuesday summarizing the results of their cybersecurity sweeps.[1] Speaking at the SIFMA/FINRA Cybersecurity Conference the following day in New York, Vincente Martinez, the Chief of the Office of Market Intelligence in the SEC’s Enforcement Division, confirmed that, relying in part on the information in the reports, the SEC is actively examining both how its existing authorities can be used in this area and how those authorities might be broadened and strengthened.
SEC Risk Alert
The SEC risk alert reports the results of examinations of 57 registered broker-dealers and 49 registered investment advisers undertaken since April 2014. The examinations were based on a long questionnaire addressing topics such as risk assessment, corporate governance, intrusion detection, vendor management, and funds transfer fraud detection.[2] At the SIFMA/FINRA Cybersecurity Conference, Martinez stressed that the alert is not intended as a best practices guide, but instead as a resource for the Commission to inform its enforcement efforts and policy development. It therefore may provide some insight into SEC priorities. Martinez identified as particularly notable the variation seen in policies and practices concerning vendor management and other third-party relationships and in fraud avoidance and loss allocation policies with respect to funds transfers. On many of the areas scrutinized in the sweep, higher percentages of broker-dealers than investment advisers had policies in place.
The FINRA report, unlike the SEC risk alert, not only reports the results of FINRA’s sweep (as well as a sweep undertaken in 2011) but also offers an array of “principles and effective practices” for firms to use as guides. Those include: (i) engaging the board and senior management; (ii) undertaking enterprise-wide risk assessments; (iii) establishing a defense-in-depth strategy; (iv) developing an incident response plan and testing it through role-playing exercises; (v) ensuring careful lifecycle scrutiny of vendors’ cybersecurity practices; (vi) regular training of staff on cybersecurity “hygiene,” i.e., day-to-day habits that are essential to protecting information systems; and (vii) participating in information-sharing forums such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
These SEC and FINRA reports—and the examination sweeps behind them—are just the latest steps in what will undoubtedly be both bodies’ ongoing increased attention to regulated firms’ information security practices. At the SIFMA/FINRA Cybersecurity Conference, Martinez echoed the statements by SEC Chair Mary Jo White at the SEC’s March 2014 cybersecurity roundtable that the Commission views information security as crucial to protecting market-related systems and thus investors. In addition to Regulation S-P and FINRA Rule 2010, he identified several other sources of authority the SEC may rely on in order to exercise a heightened information security enforcement role, including the recently issued Regulation SCI, which he said the SEC is considering developing an analogue of for broker-dealers; Investment Advisers Act Regulation 206(4); and Exchange Act § 15B as a basis for scrutinizing credit rating agencies.[3]
[3] Our earlier alert on Regulation SCI can be found here.