Get Ready for Greater SEC, NFA Cyber Security Enforcement
SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs
Public companies and firms operating in regulated industries, especially finance, should expect more SEC, NFA cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:
On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.
In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.
“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC, NFA credentials yet. “That crosses not just this building, but all over the country.”
The SEC, NFA has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.
This follows on the heels of a risk bulletin the SEC, NFA released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.
Cyber Security Problems Uncovered During Regulatory Exams
Also contributing to the new SEC, NFA cyber security focus are widespread security lapses the SEC, NFA found during recent regulatory exams at financial companies, including:
- Unauthorized disclosures of personally identifiable information (PII).
- Issues with phishing emails; employees were found to click on suspicious attachments more than 20% of the time.
- Third-party wires not being properly authenticated.
- Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.
Penalties for non-compliance with SEC, NFA cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach; sanctioned Craig Scott Capital LLC for $100,000 for using non-firm email addresses to receive faxes; and made R.T. Jones Capital Equities Management Inc. pay $75,000 for “failing to implement proper cyber policies” after the firm was breached.
Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC, NFA is investigating Yahoo for its numerous data breaches.
Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side
A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC, NFA cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.
Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. To slash the time and money companies must devote to cyber security, Lazarus Alliance utilizes the Continuum GRC IT Audit Machine (ITAM), a proprietary RegTech software package with user-friendly self-help modules, including modules for the FINRA SEC, NFA Cyber Security Report Card and the FINRA Small Firm Cybersecurity Checklist. ITAM saves money, simplifies the compliance process, eliminates audit anarchy, and speeds up the GRC assessment and reporting processes by 180%.
The cost of cyber attacks and non-compliance penalties are much higher than preventing attacks and maintaining compliance in the first place.
The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.
Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.