Cybersecurity Breaches: Post SEC & Equifax Hacks, Firms Should Revisit Their Cybersecurity Program

Recently, two major cybersecurity breaches have been in the news which have been very unsettling for many Americans.  First, Equifax, one of the nation’s largest credit bureaus, was hacked exposing 143 million people’s financial data.  Second, the Securities and Exchange Commission’s (“SEC”) EDGAR filing system was hacked and it is believed that the hackers made off with information that was used to make money illegally in the stock market.News of these two cybersecurity breaches should make all firms revisit their cybersecurity program.

As discussed a few months ago in Cybersecurity for Broker Dealers, it is very important to establish a cybersecurity governance framework that includes defined risk management policies, processes and structures coupled with relevant controls tailored to the nature of your firm’s cybersecurity risks and resources available.  Although the SEC was hacked, it does not mean that the SEC or other regulatory authorities will not hold regulated firms to a high standard.  Therefore, establishing a cybersecurity governance framework will help your firm manage its cyber-risks and minimize the chance that an action is initiated against your firm as it relates to cybersecurity.

Last year, the Financial Regulatory Authority (“FINRA”) released a Cybersecurity Checklist.  Firms should review the checklist and make sure that they have considered all areas which include the following:

  • Section 1-Identify and Assess Risks: Inventory
  • Section 2-Identify and Assess Risks: Minimize Use
  • Section 3-Identify and Assess Risks: Third Party
  • Section 4-Protect: Information Assets
  • Section 5-Protect: System Assets
  • Section 6-Protect: Encryption
  • Section 7-Protect: Employee Devices
  • Section 8-Protect: Controls and Staff Training
  • Section 9-Detect: Penetration Testing
  • Section 10-Detect: Intrusion
  • Section 11-Response Plan
  • Section 12-Recovery

As mentioned in Section 9, it is important to test whether your systems can be penetrated.  The purpose of the penetration test is to see if anyone is able to penetrate your systems and gain access to sensitive information held by your firm.  You can use staff members or third parties to conduct a penetration test.  Think about surprising your firm.  By surprising your staff with a penetration test, it removes the opportunity for them to prepare or hide vulnerabilities.  After conducting the test, your firm should identify vulnerabilities and conduct a risk assessment of whether to remediate.

In light of the recent cyber breaches, please understand that you must be proactive in protecting your firm’s data.  Investors trust firms to keep their personal information private.  If your firm is ever in a position where it must prove that it took the necessary steps to protect client data, establishing a cybersecurity governance framework and addressing the areas within the FINRA’s cybersecurity checklist may show regulators that you were diligent.