Regulators Monitoring Cybersecurity Preparedness

By Robert Rosenberg | Bloomberg Vault

The year 2014 was dubbed by TV news magazine 60 Minutes as the “year of the security breach.” Between June and August, a breach at JPMorgan Chase, the largest U.S. bank, affected more than 75 million households and 7 million small businesses. Earlier in the year, a hole in eBay’s defenses resulted in 145 million personal records being compromised. In 2013, retailer Target fell victim to an attack that exposed the data of 110 million customers.

These high-profile cyber attacks demonstrate how vulnerable businesses and their customers are to hackers. “The ever-increasing complexity of networks, systems and data open every organization to vulnerability that is invisible,” said Ray Rothrock, chief executive officer of security analytics firm RedSeal, in an emailed comment.

If 2014 was the year of the data breach, 2015 is shaping up to be the year of data security and protection. In the U.S., the House of Representatives passed two bills in April, one to protect cyber networks and the other to advance cybersecurity; a third law, which would replace the current hodgepodge of state decrees with a single federal framework for notifying customers of a data security breach, is in the works.

Cybersecurity was also a focus of FINRA’s examination guidelines released in January. Because data is an important part of compliance, FINRA is monitoring firms’ abilities to fend off cyber attacks that destroy data.

“Given the widespread use of electronic storage media for record storage and the fundamental importance of firms’ books and records to their ability to conduct business, a cyber attack that permanently destroys data may severely impact a firm’s ability to continue operating,” the report states. “In 2015, FINRA examiners will review firms’ approaches to ensuring compliance with Rule 17a-4(f) in the event of a cyber attack.”

In February, FINRA released its full cybersecurity report outlining how it will assess firms’ preparedness in light of individual risk assessments. The report encourages firms to test incident responses, make sure staff are properly trained and share best practices across the industry.

The Securities and Exchange Commission also released guidelines in May that encouraged firms to create a strategy for preventing, identifying and responding to cyber threats. In particular, companies should think about tightening control over data access, increasing encryption, limiting the use of removable storage media and implementing routine testing.

By strengthening cybersecurity and planning breach response, financial services firms can mitigate damage and make sure they’re in compliance with new regulations.

Robert Rosenberg is a contributor for the Bloomberg Vault blog.