5 Key Elements for CAT Cybersecurity
Target, Yahoo! and even the IRS have been the targets of cybercrime in recent years. But those entities aren’t the only victims. Instead, it’s you who suffers when a company is hit with a cyberattack. This is why, in today’s increasingly digital world, it’s absolutely necessary for all companies to make cybersecurity a top priority.
However, in many instances, many financial firms don’t have basic cybersecurity precautions in place, Sarah Bloom Raskin, deputy Treasury secretary and a former Federal Reserve governor, recently told the Financial Times. This news is quite alarming as every trading organization, whether it be a registered investment advisor (RIA), broker-dealer or futures commission merchant, is responsible for securing massive sets of personally identifiable information (PII). To stay on the cutting edge, decrease costs and reduce overhead, many of these firms have made the decision to outsource their technology deployments to third-party vendors. But what happens when things go wrong, and a breach is discovered?
What happened to broker-dealer Lincoln Financial Securities Corporation can be a cautionary tale for all. The company’s cloud vendor got hacked, but it was Lincoln Financial that rightfully ended up being fined $650,000 by the Financial Industry Regulatory Authority (FINRA). Why, you ask? They had contracted a third party to secure their PII, which meant that, even though Lincoln Financial itself hadn’t been hacked, they were still on the hook for the fine. A release from FINRA stated that cybersecurity enforcement authorities are able to hold a firm liable after the fact, even when the firm itself is the victim of a criminal hack.
While the second fine levied by FINRA (the first occurred in 2011) has real financial consequences, perhaps the more damaging result to Lincoln Financial is the loss of customer trust. A firm’s reputation within the marketplace is something you can’t put a number on.
This is why it is imperative that the plan processor that eventually wins the job of creating and managing the consolidated audit trail (CAT) must consider the necessary compliance, governance and supervisory procedures that will be required for all participants to ensure the security of all data submitted both to the CAT, and all data that is used by regulators to query market activity from the CAT.
It’s not going to be easy to be compliant. In fact, to generate the information required under the recently approved CAT NMS plan, most firms will be forced to outsource some portion of the report production or developmental design. This is just one of the hurdles that trading organizations should expect to encounter when creating the governance structure for their firm’s compliance with the CAT.
As more financial firms start to grapple with how to design solutions to meet the new CAT reporting requirements, below are five cybersecurity governance guidelines trading organizations should consider to protect client’s PII:
1. Build a governance infrastructure: Based on the sensitivity of the data involved, having an established data integrity validation protocol, and escalation and communication channels, could prove critical if a breach occurs. It is important to incorporate lessons learned from past breaches experienced by financial firms into future considerations and design development. Also, firms should consider the NIST (National Institution of Standards and Technology) cybersecurity standard, which you can read here.
2. Centralize reporting: Most financial firms operate on a decentralized model, simply based on the complexity of the networks of the financial markets, and have a large number of vendors for each trading product covered under the CAT. It will be hard to centralize the reporting functionality across asset classes. However, when a crisis occurs, it’s vital that there is a central repository of reports and data. If you need to pull information from a variety of offices and regions, that could be a logistical nightmare.
3. Create a vendor oversight protocol: When vetting potential third party or vendor partners, make sure your checklist includes rigorous due diligence, enforcement procedures, mechanisms to validate data integrity, a full program of access controls, an ongoing testing schedule, verified cybersecurity security policies and procedures and cyber insurance. It’s important to consider that most vendors are not registered entities, and the broker-dealer community does not have ownership or control over a separate entity.
4. Data will be in motion: The antivirus software and firewalls that firms have in place are designed to protect internal networks and data perimeters, but as viruses, biological or digital, are known for their tenacity and ability to evolve, so has the sophistication of hackers. Keeping that in mind, the CAT data will be in motion. Consider this, CAT data embedded with your firm and customer PII will have to traverse across a network in a specified and potentially identifiable format at the same time of day, every day. In addition, CAT data will regularly be put in motion by regulators to run market activity queries. Firms and the regulators should give serious consideration to auditing CAT reporting, while the data is in motion in real time, based on the prescriptive and repetitive nature of the reporting requirement.
5. Create security protocols for the whole company: Most cyber threats are initiated at the employee level, intended or not. Keeping that in mind, it’s imperative that everyone with access to PII, whether they are top executives or junior staffers, have the proper security tools on their devices to defend against harmful malware and phishing requests. Regulators with access to CAT data may even want to consider cutting down their list of “privileged users” who can access systems without the usual authentication process to reduce the potential for such cyberthreats.
Some on Wall Street might feel a little schadenfreude.
NYSDFS will use peer data to detect reporting discrepancies.
Dearth of board-level experience hampers cybersecurity planning and rollout.
One legislator wants markets better informed in case of cyberattack.
No single firm or regulator can tackle the borderless nature of cyber-crime.