Businesses looking to read some tea leaves about what worries the Securities and Exchange Commission these days might want to thumb through the 2015 exam priorities that the SEC and FINRA have posted.
Yes, the exams are intended for broker-dealers, financial advisers, and stock exchanges. Yet the subjects under scrutiny this year are useful signposts for any SEC registrant wondering what risk disclosures might get extra attention.
“It has to be a number one priority,” says Walter Ferstand, compliance subject matter expert for NICE Actimize, a risk and compliance software provider. “Compliance can no longer say, ‘I don’t know anything about technology.’ That won’t fly anymore. Risk management, compliance, and technology all have to speak with one another to make sure … everyone is doing what they are supposed to.”
In past years the “cyber” prefix didn’t even appear in the SEC and FINRA exam books; it fell under the more general descriptions of “technology” and “information security.” In 2015, however, both agencies are stressing breach prevention and remediation. FINRA will also review firms’ approaches to cyber-security risk management, including their governance structures and processes for conducting risk assessments, and addressing the output of those assessments.
“Given the current administration’s continuing focus on cyber-security and the controversy stirred by recent prominent cyber-breaches, it is only a matter of time before the SEC and other agencies require more organizations to have these safeguards in place,” says Ken Fleming, ?director of information security at Xerox Litigation Services.
According to a risk alert from the SEC’s Office of Compliance Inspections and Examinations published last year, OCIE examiners may ask firms to map network resources and take an inventory of all physical devices, software platforms, and applications. Connections to the firm’s network from external sources should be catalogued. Resources (hardware, data, and software) should be prioritized for protection based on their sensitivity and business value.
“Given the current administration’s continuing focus on cyber-security and the controversy stirred by recent prominent cyber-breaches, it is only a matter of time before the SEC and other agencies require more organizations to have these safeguards in place.”
Ken Fleming, Director of Information Security, Xerox Litigation Services
Firms that conduct periodic risk assessments to identify cyber-security threats, vulnerabilities, and business consequences should detail who conducts them and describe any risks that have not yet been fully remediated. Cyber-security roles and responsibilities should be documented in writing. Examiners may also ask to see a firm’s written business continuity plan (assuming you have one) to evaluate mitigation and recovery scenarios.
Firms may also be asked to identify any cyber-security risk-management standards, such as those issued by the National Institute of Standards and Technology or the International Organization for Standardization, that they use to model IT security architecture and processes. The OCIE alert details many other security initiatives, from breach insurance to encryption standards.
The importance of the alert, and the exam priorities it preceded, is that both arrived amid a push for the SEC to get more serious about cyber-security. Critics say the current post-breach disclosure requirement is unclear, insufficient, and rarely timely. The breach of Sony’s PlayStation Network in 2011, for example, cost the company an estimated $171 million. Yet the company only mentioned that fact deep in its annual report, rather than a Form 8-K filing—despite SEC guidance that “material” breaches be disclosed.
Now, a point of fact: Sony had $7.2 billion in revenue that year, so $171 million might not qualify as material from a financial perspective. Yet many others would say such a huge breach of security is important for investors to know immediately, period.
The OCIE releases, although intended for the financial services industry, provide a blueprint for any company’s cyber-security efforts, Fleming says. He breaks them down into key objectives:
Have written information security procedures, and review and test them regularly; audit compliance with these policies and inventory resources.
Have a process for assessing risks and document the steps taken to remediate them.
Designate someone responsible for cyber-security, such as a chief information security officer, and detail all duties in writing.
Provide guidance and training to employees on information security risks and responsibilities, and retain copies of all training materials and attendance records.
Have a cyber-security incident response plan, an incident response team, and a business continuity plan that addresses post-breach recovery.
Have written procedures for monitoring and detecting unauthorized access on its networks and devices, including mobile devices. It should also ensure users have access only to network resources necessary for their business functions.
An important concern is the oversight of third parties and vendors that can compromise security efforts. “At one point, regulators used to just ask if you had information security and, if so, great,” Fleming says. “Now, you really need to dig in-depth and look at not only your own services, but what your third parties have in place.”
CULTURE & RISK
The following, from the Financial Industry Regulatory Authority’s annual regulatory and examination priorities letter, touches upon two themes, culture and risk management, that regulators have stressed in guidance across industries.
Many of the problems we have observed in the financial services industry have their roots in firm culture. A poor culture may arise, for example, if firm management places undue emphasis on short-term profits or pursues rapid growth without a concomitant concern for controls.
Beyond creating the proper business environment for a good culture to flourish, firms’ boards and senior executives must articulate and practice high standards of ethical behavior that are expected and visible throughout the organization and are embedded in the firm’s incentives. These standards should come from the board and executives and not be viewed as a compliance task.
The absence of stated standards can contribute to failures at the individual broker level (e.g., disregard for customer needs in recommending securities) and can likewise bring about problems with potentially market wide implications (e.g., manipulation of indices or the manufacture and marketing of unsuitable securities). Firms must protect their culture against individual bad actors, as well as firm wide behaviors that can gradually erode that culture. Firm policies should signify that poor practices, whatever the magnitude of the harm caused or potential implications, will not be tolerated.
Supervision, Risk Management, and Controls
A firm’s systems of supervision, risk management and controls are essential safeguards to protect and reinforce a firm’s culture. Maintaining the right culture includes having robust processes around basic functions such as hiring. Strong supervisory and risk management systems also prevent inadvertent harm to customers (e.g., a firm failing to provide the proper breakpoint), as well as defend against deliberate acts of malfeasance (e.g., a trader concealing position limit breaches or an executive manipulating accounting balances to make the firm’s financial status and results appear stronger than they are).
Proactive supervisory programs and controls play a crucial role in this effort and many firms have turned to data analytics to help identify problematic behavior. One indicator that a firm is succeeding in a proactive approach would be that it has already identified and addressed the concerns FINRA identifies in this letter.
Fleming also stresses meeting the standards set forth by a security framework. “If you are able to, set up a good information management system, and there are many frameworks available to follow,” he says. “It really doesn’t matter which one. If you have an established, well-maintained management system before someone else says you need it, you are going to be in much better shape.”
In January 2014, FINRA initiated a sweep to better understand the threats facing member firms, as well as their responses to those threats. It expects to publish the results of that sweep in early 2015. That report will include best practices firms should consider in developing and implementing their cyber-security programs, such as the use of frameworks and standards, the role of risk assessments, the identification of critical assets, and the implementation of controls to protect assets.
All that being said, FINRA and the SEC do have more on their radar than cyber-security. Highlights of both exams are flagging such issues as alignment of firms’ interests with customers; standards of ethical behavior; development of strong supervisory and risk-management systems; and management of conflicts of interest.
The important trend that all companies should watch, Ferstand says, is the focus on ethics and risk management. “There used to be minimum market standards, ‘Do what your competitors do, but no more.’ That’s changing into doing more than you are supposed to be doing and being more risk averse,” he says. “Nobody wants to get on the regulatory radar, because once you are on it you can’t get off.”
The SEC and FINRA priorities also send the message that “compliance officers have personal accountability,” he says. “You used to leave at 5 p.m., and your day was over. It isn’t like that anymore. It’s now a mandate that compliance speak as a peer of, and in synergy with, the risk-management department, so you both monitor risk and minimize risk. They are cousins, but weren’t always treated that way.”
Even if you don’t face SEC and FINRA examiners, their efforts may reflect the SEC’s overall enforcement posture this year, says Koji Fukumura, a partner with the law firm Cooley. “For public companies, if last year was any indication, it is going to be another robust year for the Division of Enforcement.”
Fukumura expects the Enforcement Division to try to top last year’s record-setting pace of more than 750 actions and orders for monetary sanctions that exceeded $4 billion. OCIE’s examination priorities, although industry-specific, show that the SEC will target both egregious behavior and minor offenses that fit within Chairman Mary Jo White’s “broken windows” approach.
“They will continue to be aggressive and look for opportunities like 404, [late filing] violations, and Regulation Fair Disclosure, or other things that in the past might have been seen as just a technical violation,” he says.