As the regulatory landscape is constantly evolving, Compliance Risk Concepts (“CRC”) is issuing its monthly […]
The Gift That Keeps on Giving…
In early 2014, FINRA- and SEC-regulated firms caught a glimpse of regulatory focus in the form of targeted examination “sweep” letters focused on Cybersecurity. Although these letters raised awareness of regulatory focus and concern regarding Cybersecurity within the Broker-Dealer and Investment Adviser communities, most firms are still “in the dark” as to how they should conduct internal Cybersecurity Risk Assessments and ensure they meet regulatory expectations if / when tasked by FINRA or the SEC to evidence their diligence in this high-profile area.
In the wake of the many highly publicized data-breaches in 2014, our clients have reached out to us for advice and guidance in an effort to increase the overall awareness of Cybersecurity risk within their respective organizations. Many of these clients are seeking comprehensive training and a robust framework and methodology to conduct Cybersecurity Risk Assessments on a targeted and/or enterprise basis.
Based on the risks and costs (both financial and reputational) that can result from a Cybersecurity breach, all financial services organizations, large and small, must assess the following attributes:
In addition to the items discussed above, organizations must consider the impact of their vendors and business partners in their Cybersecurity awareness efforts. When we look at many of the high-profile breaches that occurred in 2014, service providers to the companies we do business with were the targets of a significant portion of these attacks. With that said, here are some of the important questions firms must ask themselves when assessing vendor / service provider Cybersecurity risk:
As we all contemplate our priorities for 2015, we can rest assured that Cybersecurity will continue to be a focus area for FINRA, the SEC and other regulators in the coming year. Based on this, firms should understand the following:
According to J.R. Helmig, Founder of Leveraged Outcomes, LLC, a financial and national security consultancy, the primary point is for firms to implement solutions to meet future threats and regulations.
“Too often firms spend time and resources to meet yesterday’s compliance obligation or risks. Instead, look at what the requirements and risks are going to be for the time frame when you will be implementing the solution set, otherwise you will be outdated and outgunned before the start.”
Through our ongoing efforts to provide thought leadership and impactful guidance to our clients, we have spent a significant amount of time and resources contemplating the best ways for firms to assess Cybersecurity threats within their respective organizations. Based on our research, we have determined that one of the most comprehensive and current Cyber Frameworks to apply is the National Institute of Standards and Technology (“NIST”) Framework for Improving Critical Infrastructure Cybersecurity (referred to here as “CICS”), released in February 2014. In our assessment, NIST CICS addresses all of the areas covered by the FINRA and SEC Sweep letter requirements.
The NIST CICS Framework is very modular and can be applied incrementally as firms deem necessary and appropriate. This allows firms to “leg-in” to a Cybersecurity framework over time with a careful, thoughtful and pragmatic approach toward addressing their risk based on the risk profile of the organization and with sensitivity to internal budgetary constraints.
Firms must be mindful of partnering with third-party vendors / service providers that cannot show some acceptable “criteria-based” framework, such as NIST CICS, for assessing Cybersecurity risk. Companies need the ability to look across their entire enterprise, from the board room to the shop floor, when considering Cybersecurity. Almost everything we do today has some sort of Information Technology component associated with it. The NIST CICS framework helps companies recognize the scope and breadth of the task at hand.
CRC has the capability to assess all or part of your enterprise in a manner that meets or exceeds the spirit and intent of the FINRA Sweep letter. Based on our understanding and utilization of the NIST CICS framework, we can offer your organization a best-in-class, cost-effective suite of assessment, training and technological solutions that can be tailored to meet your company’s specific needs, requirements and budgetary constraints.
Use the form below to request an exploratory conversation or in-person meeting to discuss your organization’s specific needs.