How to Be Cyber Resilient: From the Floor of the FINRA-SIFMA Cybersecurity Conference

By: Karl Schimmeck

On February 4, FINRA and SIFMA joined forces to host a full-day conference dedicated to discussing important issues around cybersecurity for brokerage and advisory firms. The program fostered a culture of risk management and protection from cyber threats for financial institutions and their clients, and addressed the latest regulatory developments and guidance.

Cyber attacks are increasingly a major threat to national security and the U.S. financial system, and we are all working hand in hand to protect the integrity of the markets and the millions of Americans who use financial services every day.

This joint conference underscored the fact that cybersecurity must be a collaborative effort between the industry, regulators and policymakers. For our part, the financial services industry has been dedicating tremendous resources to protect clients and protect against the risks associated with cyber attacks. Every financial firm has an obligation to be vigilant in our industry’s commitment to cybersecurity.

Conference topics focused on crucial issues and regulatory perspectives on cybersecurity, including: Establishing Cybersecurity Risk Management and Governance; Assessing Risk and Critical Assets; Implementing Measures and Controls; Detecting Threats in a Timely Manner; and Developing a Recovery Plan.

What You Should Do Now: Join FS-ISAC

The most effective way to address cyber threats is through a robust partnership between the private sector and government.

“SIFMA is committed to doing our part to enhance information sharing,” stated SIFMA’s President and CEO, Kenneth E. Bentsen, Jr., “by encouraging all of our members to join the Financial Services Information Sharing and Analysis Center, or FS-ISAC. The FS-ISAC is a vitally important industry forum for collaboration on critical security threats facing the global financial services sector. It enables firms to share relevant threat information, and when attacks occur, members of the FS-ISAC receive timely notification and authoritative information specifically designed to help protect critical systems and assets.

“SIFMA has set a goal to have 100% of our members join FS-ISAC, and to jump-start that process, we have underwritten FS-ISAC membership for over 180 of our smaller member firms. SIFMA and its members are also joining with industry partners to underwrite enhancements to FS-ISAC’s and DTCC’s information sharing processes. I encourage every broker-dealer, whether a SIFMA member or not, to join FS-ISAC.”

For more information on membership in FS-ISAC, listen to a replay of and view presentation slides from a recent webinar with FS-ISAC, “Cyber Threat Landscape and Role of Information Sharing” (January 28, 2015).

Become Cyber Resilient: Six Steps

In his keynote address, Stephen Russell – Practice Leader, Cyber & Technology Risk Management for PricewaterhouseCoopers LLP – shared that the first Chief Information Security Officer (CISO) was appointed in 1995 at a global bank, following a breach. In today’s business environment, the role of the CISO has never been more challenging, with cyber risk disrupting business, not just technology.

Russell delivered the business case for cyber resiliency as the best way to minimize financial damage and loss of trust from a cyber attack. He outlined six actionable steps firms should take to achieve cyber resiliency:

  1.  Establish cyber risk governance and oversight
  2.  Understand the cyber organizational boundary
  3.  Identify critical business processes and related assets
  4.  Identify, assess and manage cyber business risks
  5.  Improve collection, analysis and reporting of cyber-related data
  6.  Plan and respond – through development of playbooks, information analysis and use of relevant cybersecurity technology

Access Guidance for Small Firms

“As the saying goes, we are only as strong as our weakest link, and our board has directed us to develop standards that apply across the entire industry,” said Mr. Bentsen.

Many of our colleagues from small firms across the country joined our live webcast looking for actionable next steps to launch a cybersecurity program. “We’re here, we understand the magnitude of the threat,” they asked, “but what’s next?” SIFMA’s attainable program designed specifically for small firms provides actionable cybersecurity guidance that is risk-based, threat-informed and supportive of their overall business model. Download the PDF. Call us. We’re here to help.

 SIFMA’s Cybersecurity Guidance for Small Firms (July 2014)

Read FINRA and the SEC’s Just-Released Reports

The day before our Conference, FINRA and the U.S. Securities and Exchange Commission (SEC) published reports and alerts intended to help in the collective cyber defense effort. FINRA revealed the top three cyber threats facing broker-dealers as:

  • hackers penetrating firm systems;
  • insiders compromising firm or client data; and
  • operational risks.

We commend our regulators for their focus on this vitally important issue, and share their goal of promoting cybersecurity practices that are grounded in risk management and informed by specific threat information. We agree that a one-size-fits-all approach is not the most effective way to manage cyber threats. Our member committees are closely reviewing these publications and look forward to a continued open dialogue with both FINRA and the SEC.

FINRA Press Release (February 3, 2015)
FINRA Report on Cybersecurity Practices (February 3, 2015)
FINRA Investor Alert: Cybersecurity and Your Brokerage Firm (February 3, 2015)

SEC Press Release (February 3, 2015)
SEC Risk Alert – Cybersecurity (February 3, 2015)
SEC Investor Bulletin – Cybersecurity (February 3, 2015)

Key Takeaway: Cyber Attacks Will Happen

Cyber attacks will happen. Be prepared. Your firm’s response is just as important as preventative measures. There is a framework and guidance available to financial firms to defend against threats and attacks. Awareness, staying informed and sharing information are the best defense.


SIFMA’s work on behalf of the financial industry continues in earnest. For additional resources to help your firm detect and manage cyber risks, visit SIFMA’s Cybersecurity Resource Center for the latest updates on legislative developments and to access:

Karl Schimmeck
Managing Director, Financial Services Operations
SIFMA