Wealth Management Firms are under a lot of pressure as regards information security and privacy issues. These firms are regulated by the Securities and Exchange Commission (SEC) and the nongovernmental Financial Industry Regulatory Authority (FINRA) here in America.
In 2016 the SEC itself announced a security breach of their main investor database resulting in over one hundred million dollars in illicit trading profits and other gains. This event was particularly damning and embarrassing to the SEC as the Government Accountability Office had spent the previous eight years warning them about lax security practices.
This caused the SEC to make cybersecurity a priority of its National Exam Program. This program is actually conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). Wealth Management Firms are under scrutiny from these examinations as well as those conducted annually by FINRA. The SEC can use its civil authority to bring cyber-related enforcement actions against bad actors, and FINRA has the power to impose substantial fines and penalties (including permanent revocation of registration) for those who fail to comply with their rules.
Unfortunately, all financial institutions suffer under the same vague information security requirements found in the statute laws that they are regulated under. An example of such language from the National Credit Union Administration’s 12 CFR part 748 follows: “1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems…” As you can see, this kind of guidance gives you a goal, but it doesn’t include any specific guidance to tell credit unions how to accomplish it. It’s like that across the body of financial institution regulation.
This basically left it to the regulators themselves to determine what measures financial institutions should take to maintain proper information security. These bodies in response turned to NIST for the basis of their information security guidance. Entities such as the FFIEC, FDIC and OCC all use this guidance as the basis for their own infosec requirements.
Dissatisfaction with this guidance has seen changes and improvements in information security and privacy paradigms in the last decade or so. New thinking in information security recommendations such as the CIS Critical Security Controls and MSI’s own 80/20 Rule of Information Security have started to take hold. The goal of all these newer information security recommendations is to ensure that the most effective infosec controls are prioritized, allowing the user to get the most bang for their information security buck.
My recommendation is that Wealth Management Firms should leverage these programs to meet SEC and FINRA infosec requirements. It would also be advisable to couch these security measures according to the NIST Cybersecurity Framework. This year the focus for OCIE examiners is liable to be:
- Cyber Governance
- Cyber Resilience
- Privacy and Data Security, and
- Outsourcing Risks
The OCIE also released a handy document called Cybersecurity and Resiliency Observations (https://www.sec.gov/files/OCIE-Cybersecurity-and-Resiliency-Observations-2020-508.pdf). The purpose of this document is to relate security practices that they have observed being used by the industry. It includes sections on Governance and Risk Management, Access Rights and Controls, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management and Training and Awareness. I suggest that Wealth Management Firms should employ these observations when structuring their own information security programs according to the guidance mentioned above. This should provide them with a compliant, effective and low-cost information security program.