
SEC & OCIE Issue Findings and Guidance from Latest Cybersecurity Examinations

The SEC’s Office of Compliance Inspections and Examinations (OCIE) has wrapped up its latest round of cybersecurity examinations. The resulting report, “Observations from Cybersecurity Examinations,” offers the following findings on financial firms’ cybersecurity practices.

OCIE Cybersecurity 2 Initiative

OCIE launched its Cybersecurity 2 Initiative following the first round of examinations, conducted in 2014. This time, OCIE examined 75 SEC-registered firms (broker-dealers, investment advisers, and investment companies).

The second round assessed industry practices and compliance issues associated with cybersecurity preparedness. OCIE noted that, compared with the first round, these examinations focused more on testing of cybersecurity procedures and controls.

Observations & Findings

OCIE staff observed an overall increase in cybersecurity preparedness since the first examinations in 2014.

Areas of improvement included:

  • Maintaining cybersecurity related written policies and procedures to address the protection of customer records
  • Conducting risk assessments to identify cybersecurity threats and vulnerabilities
  • Conducting penetration tests and vulnerability scans
  • Installing software patches to address vulnerabilities
  • Identifying cybersecurity roles and responsibilities
  • Obtaining customer authorization before executing fund transfers
  • Conducting vendor risk assessments

One area of concern identified in the report was that firms failed to tailor or enforce their cybersecurity policies and procedures. Often, firms gave employees only general guidance and offered few concrete examples of the safeguards employees were expected to apply.

The report includes a list of examples and best practices for firms to consult when implementing cybersecurity policies and procedures.

IMF Report

The International Monetary Fund (IMF) has also issued a report on cyber risk, “Cyber Risk, Market Failures, and Financial Stability,” which highlights the importance of treating cyber risk as part of systemic and operational risk.

FINRA Highlights Common Cybersecurity Issues for Broker-Dealers

The Financial Industry Regulatory Authority (FINRA) has published a series of three videos highlighting, and providing guidance on, common cybersecurity issues facing broker-dealers and investment advisors.

FINRA compiled the series in response to cybersecurity deficiencies noted during examinations of member firms. The videos also offer several mitigation measures for addressing these issues.

FINRA Cybersecurity Videos

Cybersecurity – Part I: In the first part of a three-part series, the speakers discuss common deficiencies seen during examinations of firms’ cybersecurity programs.

Cybersecurity – Part II: In the second part, the speakers discuss formalizing the oversight of cyber programs and strengthening controls around access to data and systems.

Cybersecurity – Part III: In the final part, the speakers discuss vendor management, branch controls and data protection.

Firms regulated by FINRA should review the videos and the recommended security measures so they know what to expect when the examiners come knocking at the door.

Colorado Adopts Cybersecurity Regulations for Broker-Dealers and Investment Advisors

Broker-dealers and investment advisors face increasing regulation of their cybersecurity practices. The Colorado Division of Securities recently adopted cybersecurity rules for the broker-dealers and investment advisors it regulates.

The rules apply to broker-dealers and investment advisors doing business in the state. They establish guidelines and a standard of reasonable cybersecurity practices that covered entities must follow to protect confidential personal information.

Confidential Personal Information: Colorado’s rules define it as a first and last name in combination with any of the following data elements:

  • Social Security number
  • Driver’s license number or ID card number
  • Account or credit card number together with the security code or password
  • Electronic signature
  • Username or email address together with the password or other authentication information

Under these rules, broker-dealers and investment advisors must address several security areas:

  • Reasonable Cybersecurity Practices: Establish and maintain written procedures reasonably designed to ensure cybersecurity.
  • Annual Assessment: Include cybersecurity in their risk assessments and conduct an annual assessment of the cyber risk to Confidential Personal Information.
  • Email: Use secure email for any message containing Confidential Personal Information, including encryption and digital signatures.
  • Authentication: Use authentication practices for employee access to electronic communications, data, and media, and implement authentication protocols for client instructions received through electronic communications.
  • Disclosure: Disclose to clients the risks of using electronic communications to send Confidential Personal Information.

Key Takeaways

Colorado’s rules are not especially novel for the financial services industry. They follow the recently adopted New York Department of Financial Services cybersecurity rules, but give covered entities some flexibility in how they implement cybersecurity practices, requiring only that those practices be ‘reasonable.’