Cybersecurity: High Profile Exam Priority for FINRA and the SEC
Earlier this month, FINRA and the SEC issued their exam priorities for 2015. Both agencies continue to pinpoint cybersecurity as a top priority for 2015. Although these priority letters serve as a “roadmap” highlighting areas of regulatory focus during the coming year, most firms continue to struggle with how they should conduct their internal Cybersecurity Risk Assessments and evidence their diligence and vigilance with respect to this high-profile industry risk.
In the wake of the many highly publicized data-breaches in 2014, our clients have reached out to us for advice and guidance in an effort to increase the overall awareness of Cybersecurity risk within their respective organizations. Many of these clients are seeking comprehensive training and a robust framework and methodology to conduct Cybersecurity Risk Assessments on a targeted and/or enterprise basis.
Based on the risks and costs (both financial and reputational) that can result from a Cybersecurity breach, all financial services organizations, large and small, must assess the following attributes:
- Identification: Can your organization identify the critical processes and the data that supports your business end-to-end? Can you recognize the difference between a “breach” and an “attack”?
- Protection: What is your company doing to protect its critical data and the infrastructure and devices it rides on? How quickly after an incident can your company realize that something is amiss?
- Detection: What mechanisms does your organization have in place to detect if something is going on with critical data, and how is that detection escalated throughout the firm?
- Response: How is your organization prepared to respond when Cyber incidents are detected?
- Recovery: How will your organization recover from a Cyber incident? How will your company keep its good name intact, at reduced risk, and quickly on the mend?
Vendors and Business Partners
In addition to the items discussed above, organizations must consider the impact of their vendors and business partners in their Cybersecurity awareness efforts. In many of the high-profile breaches that occurred in 2014, service providers to the companies we do business with were the targets of a significant portion of the attacks. With that said, here are some of the important questions firms must ask themselves when assessing vendor / service provider Cybersecurity risk:
- Do our business partners have good Cyber-business practices in place? How do we know?
- Do our contracts with partners and vendors legally require a level of Cyber-diligence as a condition of getting and keeping our business?
- Are our business units, vendors, partners, and processes compliant with ever-changing regulations, reporting requirements, and industry standards?
- Does their critical data and our critical data ever co-mingle?
- Does our firm have on-boarding contracts, processes and training to ensure appropriate governance over our Cybersecurity risk?
- How does our firm keep a non-tech savvy workforce well trained and ever-vigilant against Cyber threats?
- What if we have a potential whistle-blower situation? What are our processes for handling and escalating it?
The Year Ahead…
With the knowledge that FINRA and the SEC have made Cybersecurity an exam priority for the coming year, Firms should operate under the following premises:
- Assume that the criminals are already in your networks. With this in mind, organizations should respond by proactively assessing their respective risks and creating the appropriate mitigation strategies to ensure the firm is appropriately protected.
- Multiple studies are showing that in 2014 more than 40% of all businesses were hacked, exploited or denied service, mainly by overseas non-state actors. Due to the rise in the number of “network citizens” outside of the United States, this trend is only expected to continue.
According to J.R. Helmig, Founder of Leveraged Outcomes, LLC, a financial and national security consultancy, the primary point is for firms to implement solutions to meet future threats and regulations.
“Too often firms spend time and resources to meet yesterday’s compliance obligation or risks. Instead, look at what the requirements and risks are going to be for the time frame when you will be implementing the solution set; otherwise you will be outdated and outgunned before the start.”
How Do We “Attack” the “Attacks”?
Through our ongoing efforts to provide thought leadership and impactful guidance to our clients, we have spent a significant amount of time and resources contemplating the best ways for firms to assess Cybersecurity threats within their respective organizations. Based on our research, we have determined that one of the most comprehensive and current Cyber Frameworks to apply is the National Institute of Standards and Technology (“NIST”) Critical Infrastructure and Cybersecurity (“CICS”) Framework. NIST CICS addresses all of the FINRA and SEC Sweep letter requirements.
Incremental Tactical Wins Lead to Long Term Strategic Success
The NIST CICS Framework is very modular and can be applied incrementally as firms deem necessary and appropriate. This allows firms to “leg-in” to a Cybersecurity framework over time with a careful, thoughtful and pragmatic approach toward addressing their risk based on the risk profile of the organization and with sensitivity to internal budgetary constraints.
Firms must be wary of partnering with third-party vendors / service providers that cannot show some acceptable “criteria-based” framework, such as NIST CICS, for assessing Cybersecurity risk. Companies need the ability to look across their entire enterprise, from the board room to the shop floor, when considering Cybersecurity. Almost everything we do today has some sort of Information Technology component associated with it. The NIST CICS framework helps companies recognize the scope and breadth of the task at hand.
How Can Compliance Risk Concepts Help?
CRC can assess all or part of your enterprise in a manner that meets or exceeds the spirit and intent of the FINRA Sweep letter. Based on our understanding and utilization of the NIST CICS framework, we can offer your organization a best-in-class, cost-effective suite of assessment, training, and technological solutions that can be tailored to meet your company’s specific needs, requirements and budgetary constraints.
Use the form below to request an exploratory conversation or in-person meeting to discuss your organization’s discrete needs.