Discover ways to protect your Financial Services clients with the SEC cybersecurity guidance through FISMA and FFIEC compliance frameworks.
U.S. Securities and Exchange Commission (SEC)
The Securities and Exchange Commission (SEC) is a U.S. government agency that prevents fraud and international deception by overseeing securities transactions, activities of financial professionals and mutual fund trading. The SEC provides cyber security guidance to help broker-dealers, investment advisers, investment companies, exchanges, and other market participants protect their customers from cyber threats.
Risk Assessment
There are a number of measures that funds and advisers may wish to consider in addressing cybersecurity risks, including:
- Conducting a periodic assessment of:
  - The nature, sensitivity and location of information (collected and stored)
  - Internal and external cybersecurity threats to, and vulnerabilities of, the firm
  - Security controls and processes currently in place
  - The impact should the information or technology become compromised
  - The effectiveness of the governance structure for the management of cybersecurity risk
- Creating a strategy designed to prevent, detect and respond to cybersecurity threats, which should include:
  - Access control to the various systems and data
  - Data encryption
  - Protection against the loss and damage of sensitive data
  - Data backup and retrieval
- Implementing the strategy through written policies and procedures and through training that provides guidance to all employees
SEC Audits
While the Securities and Exchange Commission does not, in and of itself, impose a compliance requirement, an SEC audit looks closely at whether organizations are adhering to the compliance requirements imposed by other laws, such as SOX, FISMA, etc. To maintain a high level of confidence in passing an SEC audit, organizations must ensure that they have a written Information Security Policy and proof that they have implemented and are adhering to that policy, including regular risk assessments.
FINRA Compliance
FINRA is the Financial Industry Regulatory Authority, an organization that provides oversight to brokerage firms and exchange markets. FINRA was established in 2007 by the merging of the National Association of Securities Dealers and the regulatory arm of the New York Stock Exchange.
How does it impact IT professionals?
Email archiving and retention plays a large part in the SEC and FINRA rule requirements. IT professionals may be called upon to implement and maintain an email archiving solution for clients who are subject to SEC and FINRA rules.
What do your clients need to be FINRA compliant?
FINRA 3110
Each firm must preserve accounts, records, and correspondence in adherence to applicable laws, SEC rules, and FINRA rules and regulations.
FINRA 3010
Each firm must maintain a system to supervise transactions and correspondence with their users. Firms should establish a supervisory system with written procedures that govern the regular review of incoming and outgoing electronic correspondence.
SEC 17a-3 and 17a-4
Each firm must maintain a written, enforceable data retention policy, including searchable indexes of the data stored. Data must furthermore be securely stored offsite on tamper-proof storage media.
What are the dangers of not being FINRA compliant?
- Initial fines of up to $100,000
- Additional monetary sanctions from $5,000 to several million dollars
- Suspension
- Individual ban
- Firm expulsion
Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors. Firms should establish and implement frameworks to:
- Identify and maintain an inventory of assets authorized to access the network, and of critical assets
- Conduct comprehensive risk assessments, to include:
  - An assessment of external and internal threats and of asset vulnerabilities
  - Recommendations to remediate identified risks; the remediating controls can be one of the following:
    - Preventive - prevents harm from taking place in the first place
    - Detective - identifies potential threats that may have occurred
    - Corrective - restores a system to the state it was in prior to the threat
    - Predictive - predicts the detrimental event before it happens
A cybersecurity risk assessment is a systematic process that firms complete to identify and analyze potential dangers or risks. Such risks could include the compromise of confidential information or the misuse of customer funds or securities.
FFIEC Compliance
The Federal Financial Institutions Examination Council (FFIEC) is an interagency body established to define and enforce uniform principles, standards, and report forms for financial institutions.
How does it impact IT professionals?
In June 2013, the FFIEC created the Cybersecurity and Critical Infrastructure Working Group to identify gaps in protection and strengthen the oversight of cybersecurity readiness. MSPs may be called upon to help their financial services clients build a robust security infrastructure to protect sensitive financial data and customer records.
What do your clients need to be FFIEC compliant?
The FFIEC can audit a financial institution at any time. In order to pass an FFIEC audit, the financial institution must have a documented Information Security Policy in place with proof of a recent Security Risk Assessment. In addition to these requirements, financial organizations must meet the regulatory requirements of any organizations (such as the FRB, FDIC, etc.) with direct oversight of the institution.
What are the dangers of not being FFIEC compliant?
The FFIEC does not impose fines and sanctions directly. However, failure to pass an FFIEC audit can result in fines and sanctions from the Federal Reserve Board, the Federal Deposit Insurance Corporation, and the National Credit Union Administration. Fines can range from $10,000 to $1,000,000 per incident, with sanctions up to and including dissolving the offending institution.
What is the FFIEC Cybersecurity Assessment?
The FFIEC Cybersecurity Assessment is designed to help organizations identify their cybersecurity risks. This process is intended to complement, not replace, an organization’s risk management process and cyber-security program.
- Assesses the complexity of an organization’s operating environment, including:
  - Technologies and Connection Types
  - Delivery Channels
  - Online/Mobile Products and Technology Services
  - Organizational Characteristics
  - External Threats
- Assesses an organization’s current practices and initiatives, focusing on:
  - Risk Management and Oversight
  - Threat Intelligence and Collaboration
  - Cybersecurity Controls
  - External Dependency Management
  - Cyber Incident Management and Resilience
- Assists FFIEC member agencies in:
  - Making risk-informed decisions to identify and prioritize actions
  - Enhancing the effectiveness of cybersecurity-related initiatives
  - Identifying actions that can strengthen their overall level of preparedness and their ability to address evolving and increasing cybersecurity threats