As the General Counsel for a then-fledgling exchange, Direct Edge, at the end of 2010, I was not completely prepared for the level of regulatory scrutiny that the Securities and Exchange Commission’s Office of Automation Review Procedure (ARP) would dedicate to our information security program following the discovery that hackers had infiltrated Nasdaq’s Directors Desk systems and were spying on the confidential communications of public company directors over a prolonged period.
Over the coming months, my team and I, together with the technology team and a respected consulting firm, would work to substantially revise our existing information security program and implement it with all the requisite controls and accountability. I remember wondering whether all the measures we were undertaking would be something that the larger financial industry would eventually have to address. Three years later, I have my answer…
To many, the Financial Industry Regulatory Authority’s (FINRA’s) January sweep letter regarding cyber security was a wake-up call. While most firms have information security controls and are aware that cyber security is emerging as a FINRA hot button (see my earlier blog, FINRA’s 2014 Regulatory and Exam Priorities Boiled Down), the sweep letter foreshadows that FINRA, and securities regulators as a whole, are developing standards that will govern broker-dealers’ information security programs prospectively. The Securities and Exchange Commission (SEC) has also stated that its National Examination Program will more closely review asset managers’ policies and procedures relating to cyber security.
Many firms, while appreciative of FINRA’s efforts to make the markets safer from cyber intrusion, would prefer to determine their own approach to their information security programs rather than face fines and other penalties when those programs fail to meet a regulator’s standards. Further, many recognize that it is their relationships with third-party providers of data and applications, such as order and execution management systems, that expose them to the greatest risk. Nevertheless, cyber attacks pose substantial risks to the financial industry, and the interconnectedness of our systems means that a compromise at a weak link in the chain ripples outward to everyone connected to it. Moreover, as noted by the Office of the Comptroller of the Currency (OCC) in its Fall Semiannual Risk Perspective, industry threat reports indicate that smaller institutions will be increasingly targeted for cyber attack because attackers perceive them as lacking the resources necessary to identify and prevent successful attacks. An industry-mandated approach to this issue is, unfortunately, not only warranted but necessary.
This blog will review several key developments respecting cyber security. The FINRA sweep letter is instructive about the areas firms must focus on in order to avoid citation by FINRA in the examination process. Last November, the OCC issued updated guidance applicable to all banks that will ultimately be adopted in some form by the Securities and Exchange Commission as well as the Commodity Futures Trading Commission. Because it already applies to bank relationships with third-party providers, it is already affecting cyber security programs. Lastly, the Commerce Department’s National Institute of Standards and Technology (NIST) recently released its Cybersecurity Framework; while voluntary, it will become the de facto framework for information security programs, given that it incorporates elements of predecessor standards and that the Commerce Department has committed to its ongoing development.
The convergence of these developments, together with various efforts to facilitate information sharing on cyber security, makes this article particularly timely. Although the pace of change is potentially overwhelming, this article will also review some initial measures that firms can take to prepare for the new cyber security order.
FINRA’s Sweep Letter
FINRA’s sweep letter requests firm-specific information regarding: (i) perception of threat types faced; (ii) cyber risk appetite, exposure and major areas of IT vulnerability; and (iii) threat management, risk assessment processes, IT protocols, and application management practices. Some of the more specific areas of focus include: (i) business continuity plans in the event of cyber attack; (ii) organizational structures and reporting lines; (iii) processes for sharing and obtaining information about cybersecurity threats; (iv) impact of cyber attacks; (v) approaches to handling distributed denial of service attacks (when hackers overwhelm the capacity of their target system); (vi) training; (vii) cyber security insurance; and (viii) third-party contracts.
The OCC guidance addresses both third-party provider selection and management as they relate to important systems. Some notable requirements applicable to banks for critically important services include:
The NIST Framework
On February 12, the Commerce Department’s National Institute of Standards and Technology (NIST) released the voluntary federal cybersecurity standards known as the Cybersecurity Framework (Version 1.0) and an accompanying “Roadmap”. The framework endeavors to incorporate many elements of predecessor frameworks and, further, the Commerce Department has stated its intention, at least until Version 2, to update the framework with the input of both the government and private sectors. For the foregoing reasons, the NIST Framework will effectively become the standardized framework.
The framework can be used by all organizations, regardless of size, degree of cyber risk or cybersecurity sophistication, to apply risk management principles to their cyber security risk management efforts. It consists of three main components: the Core, Implementation Tiers and Profiles. For the purposes of this article, only the five main functions covered in the Core component will be briefly reviewed.
The Core component sets forth five critical functions for a comprehensive cyber security program: Identify, Protect, Detect, Respond and Recover.
The establishment of this framework facilitates the standardization of communications respecting these areas and enables a more unified approach among affected parties going forward. Each of these primary functions is further broken down into categories and subcategories within the framework document.
The NIST Roadmap
While the NIST Framework lays out a broad structure for a comprehensive cyber security program, the Roadmap is designed to address key areas for cybersecurity development, alignment among parties and collaboration going forward. One of these areas is supply chain risk management. Reflecting concerns similar to those raised by the OCC guidance, the Roadmap notes that “although many organizations have robust internal risk management processes, supply chain criticality and dependency analysis, collaboration, information sharing and trust mechanisms remain a challenge.” Also of interest is the Roadmap’s focus on multi-factor authentication of credentials, applied not just to individuals but also to automated processes, which can likewise be mimicked and accessed by external systems. The Roadmap discusses the need for more advanced automated sharing of incident indicators across organizations to ensure rapid deployment of measures to detect, mitigate and possibly prevent cyber attacks. Other areas to be addressed include conformity assessment to ensure widespread adoption of standards, development of the cybersecurity workforce, better data analytics, and common privacy standards.
The rules of enterprise cyber security are rapidly evolving, and the pace of change can be overwhelming. There are, however, some practical steps that your organization can and should start to undertake now. First and foremost, understand your organization’s enterprise-level priorities for its critical systems and risk exposures. Despite the existence of templates, one size does not fit all, and allocating the resources up front (in terms of time and expertise) to properly identify and appropriately risk-weight these priorities will ensure that your organization does not unnecessarily expend more resources in implementing the program. Here are the steps you should take:
Assess your organization’s enterprise information security program. Consider policies such as those relating to access controls, incident management, peripheral devices, retention of third-party providers and acceptable use. Review the business continuity plan your firm has in place pursuant to FINRA Rule 4370. Map the dependencies that your critical systems have on third-party providers. Develop a process for maintaining accurate inventories of your technologies and third-party providers.
Build your organization’s information security capabilities. Ensure that you retain or acquire the resources and expertise needed to identify, assess and mitigate known and emerging cyber security threats, as well as your organization’s vulnerabilities to those threats. Engage in cyber security forums, such as the Financial Services Information Sharing and Analysis Center, to benchmark your efforts and stay current on emerging areas and threats.
Address the risk and capability gaps in your information security processes. Prioritize and focus on the greatest vulnerabilities first. Ensure that your third-party provider contracts incorporate the requisite protections. Ask your third-party providers for their information security policies and continue to unpack what those policies are and what they mean for your organization and its exposure. Ask about their capabilities and expertise.
Test, as part of your information security program, by engaging in industry-wide response testing, such as the Quantum Dawn 2 exercise conducted by SIFMA last year. Engage in scenario-based tabletop exercises in which your incident response team and senior executives have to walk through all the steps of a cyber incident response. SIFMA is conducting several tabletop exercises over the coming months that firms can investigate, but more customized scenarios crafted for your business should be investigated as well.
Vulnerability and penetration testing must be conducted on your critical systems to properly assess their weaknesses. If third parties manage such critical systems, ensure your firm’s participation in their testing of those systems and, further, ensure that the testing results are shared with you. In addition, ensure that there is a post-mortem process for reviewing and communicating the lessons learned from testing and from any incidents experienced.
Educate upper management and your board of directors so that you do not have to engage in a de-brief of your processes following a material security breach of your systems. Ensure that the party who will be making risk-based decisions in the event of a breach is identified and aware of that responsibility. If you are reluctant to raise such matters with the board, note that the OCC guidance assigns to the board the responsibility for approving contracts related to critical systems, as well as the responsibility for ensuring that an effective information security program (ISP) is in place.
Educate employees about their anticipated roles during incident response, down to the personnel who would be involved in outreach to impacted clients. Similarly, educate third-party providers about your expectations during any material incident response to ensure alignment.
Reach out to the law enforcement and government officials who would need to be engaged in the event of a material security breach. The mandate of the Secret Service’s Electronic Crimes Task Force is, among other things, to provide the support and resources necessary to conduct field investigations of such breaches. Introducing your organization to its local office and understanding what it would expect of your organization in the event of a material security breach can assist your organization in response planning and facilitate wider industry information sharing to protect against recurrence.
Taking these steps early can help your organization be better prepared for the growing threat of cyber attack. Moreover, the standards referenced in this blog will become mandated across the financial services industry, whether by regulators through formal or informal means or by clients endeavoring to implement their own third-party provider diligence and minimize their organizations’ risk exposure. Hedge funds in particular may find fund investment decisions negatively impacted by their fund’s or investment adviser’s lack of an adequate information security program. Do not simply react to the regulators’ mandates. Reactive planning risks producing a flawed implementation that minimizes the benefits your organization gains relative to the resources expended. Rather, take a proactive approach to your information security program by devoting the resources early to adopt a risk-weighted approach to determining what your organization really needs and by ensuring that your information security program becomes integrated within your organization.