By Jacquelyn Lumb
Commissioner Luis Aguilar spoke last week at the SINET Innovation Summit on the need for a public and private sector partnership to help combat cyber crime. Cybersecurity is one of the defining issues of our time, he said, and no single organization has the resources or the expertise to combat it alone.
SEC’s approach. Aguilar reviewed some of the developments over the past few years, all of which emphasize the serious and persistent threat posed by cyber crime. The financial industry, in particular, is a prime target for cyber criminals. Aguilar described the SEC’s multi-faceted approach to cyber security, which includes the adoption of new rules, the inspection and examination of regulated entities, enforcement actions, and the issuance of guidance for the industry and the public.
Regulation SCI. Key market participants must comply with the SEC’s Regulation Systems Compliance and Integrity (Reg. SCI) in November, which requires that they implement robust cybersecurity protocols to ensure that their systems are secure and also to enable them to recover if an attack succeeds. These entities must monitor their systems for cyberattacks, promptly respond to any intrusions, and report these events to the SEC within 24 hours.
Aguilar pointed out that Reg. SCI holds the most critical systems to a higher standard. It also mandates that senior management and the board of directors be actively engaged in cybersecurity issues. Board involvement ensures greater accountability, he explained. It also may make breaches less likely and less costly when they occur.
Examinations. Aguilar reviewed the results of the sweep conducted last year by the Office of Compliance Inspections and Examinations of the cybersecurity protocols of 57 broker-dealers and 49 investment advisers. The sweep revealed that most of the firms had been subject to an attack. Most firms had written policies relating to information security and cyberattacks, but they generally failed to specify how firms would determine responsibility for client losses from an attack.
OCIE found that two-thirds of the broker-dealers and one-third of the advisers had a designated chief information officer. Just over half of the broker-dealers and less than a quarter of advisers carried cybersecurity insurance. Aguilar said that the designation of an information security officer and carrying cybersecurity insurance are commonsense precautions that will decrease the costs of a data breach. He found it disappointing that so many firms fell short in these areas.
Enforcement. Aguilar described a number of enforcement actions relating to data breaches and the failure to protect customers’ confidential information. He assured that the SEC takes cybersecurity issues very seriously and said the industry must do so as well.
Staff guidance. Aguilar also reviewed staff guidance related to cybersecurity issues, including guidance for investment advisers and investment companies, guidance for public companies about their obligation to disclose cybersecurity risks, and guidance for investors on ways to avoid becoming the victims of cyber criminals.
Information sharing. Cyber crime is a common threat that requires a coordinated response, according to Aguilar. One of the best defenses against cyberattacks is the prompt sharing of actionable information about threats and potential defenses, he explained. Harnessing the industry’s collective knowledge and coordinating responses will improve cyber defense, he said.
Many experts have advised that cybersecurity defenses will not be truly effective until the process for sharing threat intelligence is automated. While there are industry-specific information sharing and analysis centers, they may prevent the broader sharing of cyber threat intelligence that could help other industries and companies. Aguilar said that an executive order signed by President Obama earlier this year may help. It directs the Department of Homeland Security to develop new information sharing and analysis organizations and to develop common standards for sharing cyber threat intelligence.
Legislative fix. Aguilar said that legal risks to information sharing present another barrier that only legislation can address. He called on Congress to put aside its differences and adopt legislation that will allow firms to share information without the fear of liability.
Additional measures. The SEC also should take additional measures, in Aguilar’s view. It should expand the scope of Reg. SCI to include other market participants, ensure that public companies provide better and more timely information about their cybersecurity risks, and provide more guidance to market intermediaries about how to respond to more limited cybersecurity incidents. He reiterated, however, that the linchpin to an effective cybersecurity framework is a vibrant public and private sector partnership.