1 Cybersecurity: Tried and True Tactics for Assessing and Managing Risks, Employee Training and Program Testing
Brian Rubin, Partner, Sutherland
Tee Meeks, CCO/CAO, Waddell & Assocs., Inc.
David Edwards, President, Heron Financial Group Wealth Advisors
Craig Watanabe, Sr. Compliance Consultant, Advisor Solutions Group, Inc.

2 Regulations Applicable to Data Protection
Reg. S-P / The Safeguards Rule
- Requires firms to establish WSPs that address “administrative, technical, and physical safeguards” reasonably designed to: (a) insure the security and confidentiality of customer records and information; (b) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (c) protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer.
Reg. I-D / The Red Flags Rule
- For “covered accounts,” requires firms to have reasonable policies and procedures for (a) “identify[ing] relevant red flags” of identity theft; (b) detecting those red flags; (c) responding appropriately to red flags once detected; and (d) updating the identity theft program.
Business Continuity Plans
- The SEC has stated that firms’ policies and procedures “should address,” among other things, a business continuity plan for continuing operations in the event of natural disasters or similar major events.
- The SEC’s cybersecurity sweep exam questioned firms on whether their BCPs addressed cyber issues.

3 The Current Cybersecurity Risks Environment
- Criminals, including disgruntled former employees and unaffiliated individuals who try to (1) steal financial data and customer information; or (2) extort the victim;
- Hacktivism, generally ideologically motivated efforts to embarrass the target;
- Espionage, typically efforts to gain access to trade secrets or intellectual property; and
- War, including attacks on critical infrastructure conducted by both state-sponsored actors and non-state actors.

4 The Current Cybersecurity Risks Environment
“Web app” attacks, e.g., an attack in which an unauthorized user gains access to a financial institution’s customers’ online accounts.
- Accounted for 21% of data breaches from 2011 through 2013 but 35% of data breaches in 2013.
- The largest source of financial institutions’ data breaches in 2013.
- Financially motivated web application attacks are typically accomplished by:
  - “Phishing techniques to either trick the user into supplying credentials or installing malware onto the client system;”
  - The “brute force” method of trying many passwords; or
  - Attacking the application itself.
Denial of Service (DoS) attacks
- Accounted for less than 1% of data breaches from 2011 through 2013.
- But accounted for 26% of attacks on financial institutions in 2013.
Source: 2014 Data Breach Investigation Report, conducted by Verizon, the U.S. Secret Service, and a number of other organizations and law enforcement agencies. Available at

5 The Current Cybersecurity Risks Environment: Other Common Weak Points
Vendors
- Who else has (legitimate) access to your firm’s network?
- What are their cybersecurity practices like?
Portable electronic devices and portable media
- How much do your firm’s reps and other associated persons use mobile devices to access non-public customer information?
- Does your firm protect its mobile devices in the same way that it protects its stationary IT infrastructure?
Your firm’s own employees
- FINRA’s cybersecurity sweep exam “found that many of the cybersecurity attacks that firms identified were successful precisely because employees made mistakes, such as inadvertently downloading malware or responding to a phishing attack.”
- Which employees have access to what information?
- Are your employees aware of current threats and protective measures?
- Can you trust all of your employees to not fall for a phishing scam?
- Does your company have a culture of security?

6 Lessons from SEC and FINRA Cybersecurity Enforcement Actions
Maintaining adequate cybersecurity WSPs is important. The SEC and FINRA have brought enforcement actions where firms’ Reg. S-P WSPs, among other things:
- Contained “limited and insufficient” guidance, rather than a “complete set of policies and procedures”
- Contained recommendations and suggestions rather than mandates (for example, recommendations, rather than requirements, that firm computers have antivirus software)
- Were “less than a page long,” “general[,] and vague”
- Did not address how to respond to breaches or potential breaches
- Did not require reviews of reps’ computer security measures
Regulators expect strong restrictions on user access. “Password” is not an adequate password. (Seriously.) Other access-related enforcement actions have involved firms:
- Not requiring “strong” passwords
- Not requiring that usernames and passwords be changed regularly
- Not disabling usernames and passwords after employees leave a firm
- Not requiring a password to access an unencrypted customer database that was exposed to the Internet via a persistent Internet connection
Failure to respond to known deficiencies can invite an enforcement action.
- The SEC sanctioned a firm $275,000 for not “tak[ing] immediate corrective action” after receiving an audit report of the firm’s cybersecurity deficiencies. While the firm was considering implementing the report’s recommendations, the firm was hacked.
- FINRA sanctioned a firm $175,000 for “fail[ing] to promptly take sufficient steps to verify” that it had been hacked after being told by a third party that it had been hacked. The firm also conducted an “inadequate investigation” of its data breach, because it reviewed server logs only for the month in which it had been informed that it had been hacked. Further review of the firm’s server logs would have shown that hackers had been accessing one of the firm’s servers for over a year.

7 SEC and FINRA Cybersecurity Sweeps and Expected Follow-Up
SEC’s Cybersecurity Exam Sweep
- Examined 57 BDs and 49 RIAs for general cybersecurity practices.
- OCIE will be performing a second round of cybersecurity technical sufficiency exams in 2015.
- 88% of BDs and 74% of RIAs reported experiencing a cyberattack either directly or through a vendor.
- 54% of BDs and 43% of RIAs reported receiving fraudulent funds transfer requests.
- RIAs have some catching up to do in certain areas:
  - 93% of BDs have written information security policies; 83% of RIAs do.
  - 89% of BDs conduct periodic audits “to determine compliance” with these policies; 57% of RIAs do.
  - 84% of BDs perform risk assessments of their vendors with access to firm networks; 32% of RIAs do.
- Some near universally-accepted practices:
  - Use of encryption (98% of BDs and 91% of RIAs)
  - Inventorying physical devices (96% of BDs and 92% of RIAs)
  - Inventorying software platforms and applications (91% of BDs and 92% of RIAs)
FINRA’s Cybersecurity Exam Sweep
- “A sound governance framework with strong leadership is essential.”
- Risk assessments are “foundational tools” for understanding cyber risk and developing a cybersecurity program.
- Technical controls should be a “central component” of a firm’s cybersecurity program but are also “highly contingent on firms’ individual situations.”
- Firms are expected to have incident response plans. These should include elements for “containment and mitigation, eradication and recovery, investigation, notification and making customers whole.”
- Vendor risk should be evaluated before and throughout a vendor relationship.
- A firm’s staff can be a major source of cybersecurity risk.
- Firms should “take advantage of intelligence-sharing opportunities to protect themselves from cyber threats.”
What Next? Enforcement Actions and Possible Rulemaking
