What little difference a year makes.
As 2016 begins, the U.S. Securities and Exchange Commission and Finra have again placed cybersecurity at or near the top of their areas of emphasis, which could lead to a new round of enforcement activity, say compliance experts.
“The prudence of the industry demands that cybersecurity be made a top priority, if not the No. 1 priority for financial firms in 2016,” says Michelle Jacko, CEO of San Diego-based compliance consultant Core Compliance and Legal Services. “It’s important that firms be mindful of the regulatory and the business risk that cybersecurity concerns entail.”
This year, the SEC’s Office of Compliance Inspections and Examinations will look again at firms’ information security controls through testing and assessments. The announcement mirrors Finra’s guidance to brokers, which listed technology practices and cybersecurity as areas for examination in 2016.
“I believe that this year, these examinations will result in enforcement actions,” says Craig Watanabe, Core Compliance’s senior compliance consultant. “The volume is being turned up on cybersecurity.”
Financial regulators are focusing on a few main areas of vulnerability, like protecting access to clients’ personally identifiable information.
“There are small things that even a small firm can do that don’t cost very much,” Watanabe says. “Data encryption, for example, is very robust and free or economical for the most part, and offers firms a level of protection for client data.”
In its autumn guidance, the OCIE focused on governance and risk assessment, access rights and controls, data loss prevention, vendor management, training, and incident response. Jacko expects the agency to retain a similar focus this year.
“For compliance professionals and firms, the starting point should be identifying and addressing vulnerabilities,” Jacko says. “In a way, we’re just applying the processes firms use for their other compliance controls to another area.”
Finra’s guidance says it will review cybersecurity policies with respect to governance, risk assessment, technical controls, incident response, vendor management, confidentiality, data loss prevention, trading system accessibility and staff training.