As scrutiny of well-known financial services firms' security practices continues to make news, the SEC has chosen to turn its attention to risks facing a certain subset of the industry - registered broker-dealers and investment advisers - who according to public reports, continue to face cybersecurity breaches related to weaknesses in basic controls.
For the second year in a row, the SEC has included cybersecurity on its annual review of compliance inspection and examination priorities for investment services firms. It's certainly a move that indicates ongoing oversight, more investigations and hefty fines for those found not to be up to snuff, like investment advisor, R.T. Jones. A hack in 2013 led to the compromise of personally identifiable information of more than 100,000 individuals; despite finding no indications of a client suffering financial harm as a result, the SEC fined R.T. Jones in September for failing to adopt basic policies and procedures designed to safeguard customer information. In addition to personally identifiable information, the SEC is keenly aware that investment firms may have knowledge of market-moving information and sensitive data on institutional investor clients that could wreak havoc on capital markets if compromised.
Balancing oversight and collaboration
To really drive the breadth of change needed to meet the SEC's requirements and minimize risk for both the firm and its clients, a systemic change needs to be made and it needs to come from the top down. That means starting with the board of directors, who continue to be beleaguered by important cyber risk management issues.
The board must be involved in the oversight of cybersecurity preparedness, akin to its other risk oversight for the organization. This does not necessarily mean being experts in cybersecurity - that's your job. But it does mean knowing that the cybersecurity policies and procedures designed and implemented by the security team are consistent with the company's strategy and are functioning as intended. It also means the board needs to regularly be made aware of the type and magnitude of risks facing the company. In fact, the board and security management should work together to agree on the type, format and frequency of information required.
The board and the organization: Thinking holistically
While it's essential that the board be sufficiently prepared to protect their organization and customers, security management must also consider the importance of securing their own regular communications and materials. This is typically some of the most important and sensitive information a company has, but the fact is when both boards and IT consider the security of their organizations, they often neglect to include board-level information security.
The issue stems from the fact that the board is positioned 'above' the organization; thus, it is common that security teams may mistakenly believe that board-level information is a matter for the corporate secretary or general counsel and so the board can be omitted from organization-wide security procedures. To avoid this, you must ensure that the board's security is clearly assigned and that those responsible understand the place of board security within the overall security scheme.
Bidding adieu to outdated technologies
At the same time, boards are notorious for using basic or outdated technology, with equally subpar security practices. Board members may currently opt to access, store and share information in ways that may be convenient to them but which may be less secure than the organization's own internal procedures. You would be surprised how many board members are still using web-based email addresses like AOL, MSN, and Yahoo.
By comparison, security can be easily increased by prohibiting email- and public cloud-based communication systems and instead mandate communication through board portal technology, which controls where your data is stored, segregates the information and facilitates access and distribution in a secure platform.
Investment services firms face great challenges when it comes to cybersecurity and in particular, their boards are becoming an increasingly attractive target for hackers. To minimize risk to organizations and shareholders in the future (and under the SEC's new mandate), these boards must look to serve as an example and ensure their materials are hyper-secure by using the latest technology and data security approaches.