As market participants increase their reliance on technology the threat and significance of potential cyberattacks become increasingly severe. With each day hackers are becoming more sophisticated and creative therefore appropriate risk management systems are more important than ever before. These threats are no secret and have been an area of focus for the Securities and Exchange Commission’s (“SEC”) Office of Compliance Inspections and Examinations (the “OCIE”) for the past several years. The OCIE has recently published “Cyber Security and Resiliency Observations” a ten-page report outlining the current landscape of cybersecurity threats and potential safeguards that can be implemented to protect market participants.
At the forefront of the report is the importance of each company’s senior management to prioritize and properly devise a plan to prevent or mitigate the effects of potential attacks. No matter the size of the firm, it is essential that management develop a plan that can identify, manage and mitigate cyber risks. The first step in this plan is for Management to conduct a risk assessment which entails identifying potential vulnerabilities. The OCIE mentions possible vulnerabilities as remote or traveling employees, insider threats, international operations & geopolitical risks, among others. This assessment should be followed by management adopting and implementing comprehensive written policies and procedures that address the identified risks. Since cyber threats exponentially increase in sophistication it is absolutely crucial that management test and monitor the implemented safeguards to validate the effectiveness of the cybersecurity policies. The results of these tests should be utilized to both improve the Company’s procedures and to address any identified weaknesses.
The SEC is not the only federal agency narrowing in on cybersecurity protection, the Financial Industry Regulatory Authority (“FINRA”) continues to make cyber threats and management’s assessment a top priority in its inspection process and its communications to member firms through industry alerts and conferences. Firms should expect that FINRA will assess whether the policies and procedures of all member firms are designed properly to protect customer records and information consistent with Regulation S-P Rule 30. FINRA expects firms to implement controls appropriate to their business model and scale of operations and has helped in this process by providing examples of a Small Firms Cyber Security Checklist and Core Cyber Security Controls templates.
Management, you are not alone. As the importance of cybersecurity has grown there have been members of the industry that have allocated resources to understand the risks at stake and the best methods to prevent attacks from occurring. Withum has established a team of trusted cyber and broker-dealer industry advisors that can assist management in both implementing and testing cybersecurity systems. Our team of cybersecurity and broker-dealer professionals can help you navigate the current landscape and protect against cyber and regulatory risk. As well as guide you through FINRA’s checklist and templates.
To assist management in identifying potential cyber risks Withum is capable of performing a Vulnerability Assessment, which will ensure that the Company’s applications, IT infrastructure and devices meet a minimum security baseline. This assessment will assist management in identifying areas that should be addressed in the company’s comprehensive policies and procedures, which is the first step and safeguarding an organization from cyber-attacks. Once management has established and is confident in the policies and procedures in place, Withum can perform a Penetration Test to examine the strength and sophistication of the system in place. A penetration test is a simulated cyber-attack against the company to ensure that critical applications, IT infrastructure and devices are resistant to compromise. This test will assist management in identifying areas of weakness in the current system so that they may ultimately be remedied before an actual cyber-attack is launched. Both Vulnerability Assessments & Penetration Tests can provide crucial data to management that can be leveraged to implement an effective cybersecurity system.
Withum encourages member firms to review their practices, policies and procedures around to cybersecurity. We believe that assessing your cyber controls and implementing some or all of the above measures will make all the difference in the protection of your firm’s and clients’ highly sensitive data.