SEC Emphasizes Financial Firms’ Cybersecurity Obligations

Protecting investors and maintaining fair, orderly and efficient markets are central to the mission of the U.S. Securities and Exchange Commission (SEC), and that mission extends to cybersecurity and the integrity of customer data. In November 2016 the Financial Industry Regulatory Authority (FINRA), the self-regulatory organization for broker-dealers that operates under SEC oversight, issued a Letter of Acceptance, Waiver and Consent (AWC) that signals how regulators expect financial firms to document and supervise their security programs.

Financial Cybersecurity Obligations: Issue Background

Since Regulation S-P (Privacy of Consumer Financial Information) took effect in November 2000, the SEC has required broker-dealers, investment companies and SEC-registered investment advisers to adopt written policies and procedures that establish administrative, technical and physical safeguards for customer records and information (the Safeguards Rule, Rule 30 of Regulation S-P). Failure to comply can result in investigation, official sanctions and fines.

Letter of Acceptance, Waiver and Consent

FINRA’s action arose from an incident in which an attacker gained access to a cloud-based server holding the records of roughly 5,400 customers of Lincoln Financial Securities Corp., a broker-dealer subsidiary of Lincoln Financial Group (LFG). The firm had contracted a third-party vendor to host and maintain the database, but FINRA found that it had not ensured antivirus software was installed on the server, had not required the vendor to encrypt the stored customer data, and had not supervised the vendor’s security controls through audits or compliance reviews. The firm consented to a $650,000 fine.

Under the Safeguards Rule, the firm’s written supervisory procedures required that “adequate firewalls” protect stored data from unauthorized access. FINRA found this insufficient: the procedures neither defined what made a firewall “adequate” nor gave any guidance on implementing one, leaving those details to individual firm representatives who lacked the technical expertise to fill them in. A policy that can actually be supervised names the control and the measurable expectation behind it, for example which systems sit behind the firewall, what traffic it must deny, and who reviews the rule set and how often.

FINRA Fallout

FINRA’s findings have been widely read as a signal that firms must actually police the technical and administrative substance of their cybersecurity programs rather than pay lip service to them with vague, undefined “best practice” language. Financial organizations should expect to document in detail the controls, tools and systems that protect client information, including how third-party vendors are supervised. That documentation needs to be kept current (a challenge, given how quickly attacker tooling evolves), comprehensive, and intelligible to the supervisors and compliance staff who must enforce it. Some commentators have called this “unrealistic” or “overbearing”; security practitioners have largely welcomed it. Doing ethical business means protecting the data that clients have entrusted to the firm, and a clear, specific security policy is the foundation of that commitment.

Helping Financial Firms Comply with Cybersecurity Obligations

To learn more about how CertainSafe can help Financial Firms comply with Cybersecurity Obligations, please visit our homepage or contact us directly today!