Cyber Security and the Investment Industry

Cyber security has been a buzzword in business for a number of years. It is especially buzzworthy in the investment industry, where investor protection is of paramount importance.

The New York Department of Financial Services (NYDFS) made recent headlines with its first-in-the-nation cyber security regulation, which went into effect in March. The regulation requires a set of minimum standards regarding the establishment and maintenance of a cyber security program for banks, insurance companies, and other financial service institutions regulated by the NYDFS, with protection of consumers’ private data in mind.

The NYDFS is not alone in its focus on cyber security. Earlier this year, the U.S. Securities and Exchange Commission (SEC) announced that cyber security would once again be on the 2017 priority list for the Office of Compliance Inspections and Examinations (OCIE). The Financial Industry Regulatory Authority (FINRA) also included cyber security on its 2017 priorities list.

The regulatory agencies have good reason for shining a spotlight on the issue. In recent years, a large investment adviser agreed to pay a $1 million penalty to settle charges related to failures to protect customer information and other investment advisers have also agreed to penalties for violations of Rule 30(a) of Regulation S-P (known as the “Safeguards Rule”).

Going forward, OCIE and FINRA examinations will likely place a greater focus on cyber security compliance procedures and controls, as well as testing the implementation of those procedures and controls. Two specific rules the regulatory agencies will likely focus on are Regulation S-P and Regulation S-ID:

Regulation S-P (17 CFR §248.30)

  • Policies and procedures play a critical role in cyber and information security. The SEC will now require organizations to adopt cyber security policies and procedures within their risk management programs that specifically address areas such as technology governance, system change management, risk assessments, technical controls, incident response, vendor management, data loss prevention, and staff/end user training.

Regulation S-ID (17 CFR §248.201-202)

  • This SEC rule applies to the detection, prevention, and mitigation of identity theft. The SEC will now require organizations to proactively monitor, detect, and respond to cyber security incidents and breaches.

In addition to Regulations S-P and S-ID, the Securities and Exchange Act of 1934 requires firms to preserve electronic records in specific formats. These regulations, amongst others, will be crucial aspects of OCIE and FINRA examinations.

While the above list is a small subset of the regulations, it is important for businesses to understand that regulators are moving from cyber security controls as “best practices” to mandatory requirements for how businesses need to handle their cyber security posture. Investment advisers, broker-dealers, and other firms in the investment industry should expect cyber security preparedness to remain on the agenda.

As more organizations adopt cyber security into their business process, the National Institute of Standards and Technology (NIST) has created a cyber security framework to aid organizations in addressing their cyber security posture. Firms may want to consider reviewing the NIST framework and comparing it to their own policies and procedures.

We would be pleased to provide further information related to this subject. For more information, contact Craig B. Evans, Director, Audit & Accounting at cevans@kmco.com or Charles Sgrillo, Senior IT Security Specialist, Technology Solutions Group at csgrillo@kmco.com.

Newsletter subscription

You may also like: