Cybersecurity: Investing in Your Firm’s Future

Recent cybersecurity breaches such as Target and Neiman Marcus have caused the U.S. government to start implementing security initiatives throughout all sectors to help defend against cyber-attacks. According to a 2012 global survey of securities exchanges, 89% identified cyber-crime as a potential systemic risk and 53% reported experiencing a cyber-attack in the previous year.*

The SEC Office of Compliance Inspections and Examinations (OCIE) in 2014 has started to include in its Examination Priorities a focus on technology, including cybersecurity preparedness. Major technology sections in the Examination Priorities will include but are not limited to: 1) Identification of Risks / Cybersecurity Governance; 2) Protection of Networks and Information; 3) Risks Associated with Remote Customer Access and Funds Transfer Requests; 4) Risks Associated with Vendors and Other Third Parties; and 5) Detection of Unauthorized Activity.

A recent SEC Cybersecurity roundtable was held and the purpose of the roundtable was to better inform the SEC, the marketplace, fellow agencies, and the private sector as to what the risks are and how best to combat them. The two major categories discussed at the roundtable were issues potentially impacting public companies and issues impacting the capital market infrastructure and SEC-regulated entities. Chair Mary Jo White stated that Self-Regulatory Organizations and large alternative trading systems are a key area of focus. Compliance and Integrity, which would require an entity covered by the rule to test its automated systems for vulnerabilities, test its business continuity and disaster recovery plans, notify the Commission of cyber intrusions, and recover its clearing and trading operations within specified time frames.

So, what can organizations do to prepare?

• Risk identification and assessments are the first steps in establishing a strong defense against cyber-attacks:
• Identify areas of high risk
• Mitigation plans can be created
• Security measures can be implemented to reduce risk to an appropriate level
• Perform routine audits to test the effectiveness of internal controls:
• Internal Audit – based upon risk assessments
• Service Organization Control Reports (if applicable for investments)
• Ensure third party vendors of critical business processes have strong controls:
• Implement a strong Vendor Management program
• Vendor Selection Process
• Vendor Communication
• Monitoring of Vendor Processes

Keep in mind, the names and titles of an organization’s C-Suite executives are publicly available along with detailed information via social media sites, which creates a vulnerability to allow for a targeted attack by taking advantage of knowledge of the individual’s interests to create fake emails to entice them to click on malicious links that appear to be tailored to them. If attackers know insider information regarding individuals in an organization, they can target those key individuals to gain further information, such as HR or employees with access to the organizations’ bank accounts. Password reset security questions for key accounts should be unique and not publicly available via social media sites (such as mother’s maiden name, high school or college mascot, town they grew up in, etc.).Whenever possible, security questions should be written by the account owner if such option is available.Employee education and awareness is crucial in the fight against cybersecurity.

*Reference: See Rohini Tendulkar, “Cyber-crime, securities markets and systemic risk,” Joint Staff Working Paper of the IOSCO Research Department and World Federation of Exchanges (July 16, 2013), available at http://www.iosco.org/research/pdf/swp/Cyber-Crime-Securities-Markets-and-Systemic-Risk.pdf. Forty-six securities exchanges responded to the survey.