Cyber Risk Management: Insights for CCOs

Regulator Expectations and Best Practices

By Tim Buckler and Len Derus


In today’s episode of the Oyster Stew podcast, Oyster experts Len Derus and Tim Buckler delve into a crucial topic: regulator expectations and observations regarding cyber risk management. Learn more about the responsibilities of Chief Compliance Officers (CCOs) and what the regulatory focus on cybersecurity means for compliance programs.

Regulatory Focus – Cybersecurity Compliance

As outlined in FINRA’s 2024 Annual Regulatory Oversight Report, and in conjunction with the Securities and Exchange Commission’s (SEC) new rules adopted to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents, it is clear that cybersecurity remains a top priority for regulators. Join us as we examine the key insights from FINRA’s report, the new SEC rules, and the implications for wealth management firms:

  • New SEC cyber risk management rules
  • Common cybersecurity compliance deficiencies
  • Effective cybersecurity practices
  • Insights for CCOs and their role in cyber risk management

Whether you’re a Compliance Officer, Chief Technology Officer, Chief Operating Officer (COO), or simply someone interested in mitigating cyber risks in financial regulatory matters, tune in as we unpack what the regulators are focusing on and provide actionable strategies for enhancing cybersecurity resilience within your organization.

It is critical that firms have a process in place to assess their cybersecurity risk and controls and to take steps to strengthen those controls. Oyster’s industry professionals have first-hand experience with information security, incident management, technology infrastructure resilience and recovery, and third-party vendor management. We understand how to help identify and prioritize critical activities and deliver testing plans to mitigate the impacts of business disruptions.

Oyster Solutions compliance management software includes a tailored risk assessment that identifies, assesses and prioritizes your firm’s unique risks. By defining and quantifying your risk, matching risk to your controls and monitoring process, Oyster Solutions keeps your business and controls balanced while meeting your regulatory requirements.

Additional Resources:

Cybersecurity: Tactics for Mitigating Internal and External Threats

5 Key Cybersecurity Measures to Protect Your Firm

Cybersecurity: Mitigating Vendor and Change Management Risks

Unmasking the Whaling Attack

Transcript

Transcript provided by TEMI

Bob Mooney: Welcome to the Oyster Stew Podcast. I’m Bob Mooney, General Counsel of Oyster Consulting. In today’s podcast, we’ll discuss FINRA’s expectations and observations with respect to cybersecurity and technology management, as described in its recently released 2024 Annual Regulatory Oversight Report. With me today are experts Len Derus and Tim Buckler. Len, let me start with you. Having recently left FINRA, maybe you could frame the regulatory context for our discussion.

Len Derus: Sure. Bob, thank you for the introduction. And yeah, I’d love to start out talking about the various rules that I think most people are aware of, but they’re a little bit unique in terms of how they relate to cybersecurity and other technical aspects within firm systems and safeguarding information. So, most of these people are familiar with the rules, but why don’t we start with the general rules? The idea about protecting information is provided in? First of all, we have Rule 30 of Reg S-P that requires firms to have reasonable procedures and policies to address the safeguards that are in place for customer information. So how are they protecting customer information, whether it’s physical records such as a piece of paper, or whether it’s an electronic record such as an email or other trading or customer information that you may be keeping in systems and databases on servers and the like?

Also, within the rule scope here, Regulation S-ID is related to identity theft red flags, especially looking at when individuals are opening accounts. So having a program that’s reasonably designed to detect and mitigate any kind of identity theft concerns that might be out there. You have FINRA Rule 4370. This relates to business continuity plans. One of the things that firms should be aware of in their business continuity plans is, if there is an issue that takes down their systems, what is the process to get those back up and running? How do you operate when you don’t have those systems? And, whether or not it’s some kind of a data issue or an intrusion into your firm’s systems, it could be the loss of electricity. How are you going to keep operating within that?

So, business continuity definitely falls into the scope of cybersecurity. Other issues relate to ransomware, network intrusions, exposure of customer information. So, there’s a whole host of rules there that individuals that are in the compliance arena might be interested in. You have the Supervision Rules 4370 and 3110. Your control systems under 3120, and certainly books and records rules 1783, 84, and the like. So those are all kind of the historic rules that everything is based on. Firms have procedures now, they’re doing things, they’re generally based on Reg S-ID, some of the FINRA rules that are out there. But I did want to talk about a couple of newer developments. These were in 2023, and the SEC did adopt a new rule in July of 2023 that has to do with requirements for public reporting companies.

Not all broker-dealers and investment advisors are public reporting companies. But something to be aware of, if you are: there are disclosure requirements around cybersecurity incidents that you may experience, and there’s a timeframe on that. So, once you determine you have a material impact, there’s a four-day requirement for a firm to report or disclose the incident. And then the other aspect of that new rule that was passed: information regarding your cybersecurity risk management, as well as the strategy and governance around that, does need to be provided and disclosed on an annual basis. So that’s something that you’ll want to be aware of.

And this is kind of a good time to talk a little bit about the CCO role. So, we’re talking about awareness and new rules. For a CCO who might have the responsibility to create the disclosures, provide the disclosure, do the reporting aspects, it’s good to understand these new rules when they come in, but also understand “What do I need to report? When do I need to report it?” And then how can you work with your IT team, your IT department, or your vendors that are providing the IT services, to get the information you need and report it in a timely manner.

Now, in addition to that new rule, there was a proposal, it was a little bit earlier in 2023. It is not effective yet, but this is more based towards the member firms that we deal with. The investment advisors, the broker-dealers and the SEC is looking to put some better structure, some rule guidance, around establishing your written supervisory procedures, maintaining those and enforcing those internally, providing the SEC with notice of a significant cybersecurity incident. They’re probably going to have to work on the definition of “significant.” But once that gets worked out, there’s going to need to be processes in place to do that. Also, there are other requirements. So, think of this internally: what might be done having the capability to report to the SEC and update information about your significant cybersecurity incidents? Much like the rule that was passed, they’re looking to make this a broader coverage into the financial services industry, covering member firms like broker-dealers and investment advisors, and then more disclosure publicly regarding summary descriptions of your cybersecurity risk incidents that may have occurred during the current or previous calendar years. So as you can see, in compliance, in the role of a CCO or someone else who might be charged with some of these disclosure creations, providing reporting issues working within the firm and with the IT department to make sure you can pull the information together that you need, that’s going to be a key point for you.

Bob Mooney: Sounds, Len, as if the expectations for what’s acceptable continue to be stretched and extended. Tim, the release discusses a number of considerations that firms should take into account when developing a cybersecurity plan. In working with clients, what have you found to be most challenging in helping firms develop cybersecurity risk management programs?

Tim Buckler: Yes. Can I actually respond to Len first on the earlier section? Yeah, I agree totally, Len. I think the main takeaway from this proposed rule that’s not in effect yet is that firms will be required to have more cybersecurity documentation, to regularly review their risks related to cybersecurity, and to be prepared to respond to and disclose cybersecurity incidents properly. I think the way to kind of frame it here is that likely the eventual rule will make today’s industry best practices into requirements. So your policies like cybersecurity risk, business impact assessments, vendor due diligence, the BCP, DRP (Disaster Recovery Plan) and your incident response plan will all need to be reviewed and updated regularly. And you should also make sure that you are familiar with your incident disclosure requirements for state and national regulators. You do not want to figure those out on the fly that first time while you’re in the midst of a cybersecurity incident.

Len Derus: I think that’s what the regulators are starting to get their thoughts around, is that there’s a lot of different ways to address cyber issues. Where do we think we should be guiding the industry in terms of protecting this customer information and access to that information?

Bob Mooney: The FINRA report talked about a number of important considerations in developing a cybersecurity plan. Tim, in working with firms, how do you take the important considerations FINRA has described into helping firms develop a cybersecurity plan?

Tim Buckler: Many firms, if they have a cybersecurity plan at all, very often have a bare-bones plan that says we’re going to protect data. And it’s not really a plan that can be easily put into practice. A lot of the time what we do is try to figure out what the cybersecurity apparatus of your firm is capable of doing, making sure that it meets industry standards and best practices, and finding a way for you to implement that plan to make sure that all the data, both from clients and your firm, is being protected on a day-to-day basis.

Bob Mooney: FINRA recently announced rules that would allow for, I believe, an extension of work from home for financial professionals. How do you see more financial advisors working from home factoring into the control environment?

Len Derus: We can talk about this in terms of overall supervision of the firm. So, you have your supervision of the home office and branch offices, non-branch locations that might be out there. But given the type of firm that you are, are you a firm that is mostly independent contractors, or does your firm have captive representatives, captive advisors that are using firm-provided technology or firm-provided systems? Or, when looking at the technology that’s out there, if your independent contractors are using their own computers or using their own software, they might have their own reporting tools or be using their own phones. Those two things bring different challenges.

In the first set, they’re captive, they’re using the systems. It’s a little bit easier for you to build your controls around that because it’s centralized, right? Everything’s coming into or through a central location, a central process, a central software system. Everyone’s logging in on the same kind of computer. Where it gets more difficult is really understanding all of the technology that’s out there.

People working on their phones or in their independent offices, when they’re independent contractors, are going to have various types of technology on hand. Some are going to be on an Android, some are going to be on an Apple phone, right?

What are the differences that you might need to have there to make sure that you’re capturing the information on those?

Are there different apps you need or different ways to capture that information?

What types of computers and what kind of software, what are the operating systems they’re using?

So, there’s all kinds of different considerations on the technology front and how you capture the information you need to score, number one. And then, how is that protected? Are they maintaining all of their own records? Are they hard copy? Are they soft copies? Do they have a server of their own? Or are they in the cloud? So many questions about how to address that. From a perspective of building security around this, it’s taking that inventory, understanding how you’re set up, pulling that information together, and then identifying the best way to protect this information under those rules. We talked about Reg S-ID and the various FINRA rules that apply.

Tim Buckler: Yeah, I think one of the key considerations of all this is trying to minimize the amount of data that can be easily accessed outside of the system. You don’t want to have it so that people can bring their own device, easily download files onto that device, and then you lose total control of that. I think the key is setting up your environment so that as much can be done within your system as possible to minimize the chance that any data gets out of that system. Because then you lose all control.

Bob Mooney: Why do you think firms are struggling with this? As you work with firms, what do you see as the obstacles or the hurdles for firms to really develop well-designed cybersecurity risk programs?

Tim Buckler: I think there are a few factors. A lot of people do not have the technical inclination to understand the threats that are facing them, and they don’t understand how best to mitigate those threats. A lot of people just say, “I understand that something needs to happen,” but they just don’t know where to start. And then there are other people who just don’t have the budget. They have to find creative ways to solve things that may not be ideal, but may be sufficient. And then there’s some people that just don’t know how best to document and make these controls actually effective. They try their best, but they just can’t get to it so that everything is actually protected. Even though they may understand it, they may not know how best to actually fix the problem.

Bob Mooney: As you look at the report, does this move the needle, or are you looking at new expectations from FINRA with respect to what the components of a reasonably designed program are?

Tim Buckler: I would say no. I think that almost all of these are either repeats from previous years’ reports or are general business best practices that everyone should be well aware of if they’re trying to design their cybersecurity system. I would say there’s no real ‘gotchas’ here. They all do a good job of trying to explain why these things are important, too. I think this report does a good job of summarizing a lot of the critical threats to business today.

Len Derus: The other thing I would like to mention, Bob, is this information’s been out there for a while. It’s not all new information. You are asking where firms are struggling, maybe, to implement things? One of the challenges is that the brokerage industry, the investment advisor industry, is made up of firms of all shapes and sizes, and the recommendations are generally made in a singular manner. So, “you should consider doing this.” When you get to the smallest firms, or you get to the largest firms, balancing out what a particular recommendation may mean to them becomes a difficult thing for some firms to deal with, especially the smaller firms. “Well, they tell me I need to do this, but I don’t know how I can implement this. I think I can do it this way.” So, they’ll try that.

They’ll start working in that direction, whether it’s training for those independent contractors on all the things they need to do to safeguard the information, and then they’re checking it out in their branch examinations, whereas a centralized firm may have an automated process. The struggles within the industry are based on the variety of types of firms and even types of customers that they’re dealing with. How do they implement all of that to keep their customers safe? And, Tim, I know you’ve worked with a lot of firms. I’ve worked with many, and they want to keep information safe because that’s their livelihood. That’s their bread and butter. That’s their customer information. They realize their customer is their revenue.

Bob Mooney: You talked about the variety of firms trying to comply with these expectations. My experience has been that regulators typically hold the larger firms accountable for being state-of-the-art, and then it tends to trickle down over time to where those expectations that the larger firms were held to are now the expectations that all firms are held to. Do you think we’re at the point now where FINRA’s perspective on your cybersecurity program has reached that point where, regardless of the size or the type of business you have, they expect to see these types of programs in place when they come in to do their audit?

Len Derus: I don’t know if I can really gauge the full FINRA perspective on this, but I think you can tell by the information they’re providing in the past few letters that they’ve put out, year over year, same topics, same information. They’re trying to educate the industry: Here’s where we think it’s important. Whether you’re large or small, can you find a way to do this? So certainly, there’s different expectations, as you said, Bob, large firm versus small, but I think right now they are still working towards saying, here’s where we think it needs to be. But they’re doing it without that rule requirement that the SEC is now looking at. So, you work that, and that’s some of the change that’s happening, Bob, that you talked about before, is here’s best practices. We want people to adhere to best practices.

FINRA will say it, the SEC will say, we realize there’s different business structures, different business models, there’s different size firms, it’s going to look different everywhere. So, what’s reasonable for you is based on your facts and circumstances. But now, when they start codifying this into the rules as the SEC is looking at doing, they’re trying to put some structure around this. They’re certainly getting to the point where they’re saying, here’s the minimum standards. Because it’s not necessarily been a minimum standard, but it’s been very good practice. And then, outside of anything extremely egregious where you might have a formal case, we’re going to look at the firms very individually in terms of how they are implementing these ideas that we’ve put out there.

Bob Mooney: Tim, any suggestions on how a firm could go about assessing their current state in this area, before a regulator comes in and does an examination?

Tim Buckler: I think there’s a few key things to highlight. One is you need to have controls that look at the whole system; you can’t just have the sub-component controls and expect them all to work individually. I think you need to have high-level, top-down rules that basically make sure that all the individual parts of the system are working, and if they’re not, that you can identify those readily. And then, in order to dive into some of the individual components, I think there’s a few that are of the highest level of importance. So there’s how you protect the data within your own system, and then, when you have vendors that you share data with, you need to understand how much data is shared with them, how you share that data, and how the data could be used down system by their vendors, where that data goes when it’s not in your control anymore.

There’s a few more about making sure that you don’t have unauthorized exfiltration of data from your system, to make sure that you understand where the data is within your own environment. Making sure an email can’t be passing out information that’s not approved or you can’t send out a file with everyone’s social security number. The system should be able to identify that before that gets out of the system. Making sure that your branch controls include cybersecurity review. That’s another big one, where a lot of branches may not be following the rules or may not understand the rules. And your branch review process should be able to identify when someone doesn’t understand cybersecurity rules that they have to follow, and making sure that they are following those on a day-to-day basis.

Len Derus: To add to that, one of the things that’s important is really understanding, taking from the higher level of CCO and how they might look at this, is if there is an issue that has come up and you’ve identified it’s an intrusion into the firm system or something else that could be problematic – our system’s down, we’ve had a certain kind of attack – that information needs to get circulated around the firm, and to whom. So if it has to do with customer activity, if money’s being moved, there could be a requirement to notify the AML Chief Compliance Officer, and they may need to determine, “Do I need to file a suspicious activity report and send that in?” So, there’s connectivity from these types of issues that come up around technology, but that go into the various aspects of the firm’s compliance program. Whether it’s the CCO, the AMLCO, president of the firm, the CEO of the firm, or whoever that might be. So your policies, your processes that you’re developing are in partnership with your IT department, your technology department. Develop them in partnership so you’re able to really get the information where it needs to be so it can be reported, if it needs to be reported, or so any other information that needs to be distributed out, whether it’s to customers, to other firms or to the regulators, can be done. And the teams that have to do that know about it.

Bob Mooney: As you guys have worked with firms, where does accountability or ownership of the cyber programs sit?

Len Derus: Tim, I know you can jump in as well, but the regulators aren’t looking for the CCO to be the Chief Technology Officer. They’re not expecting the CCO to know how all of these things are detected, how they all happen, how to prevent all of them, how it works. But there is responsibility there to know how the firm is acting in these areas. So, partnering with your technology team, your vendors, whatever it is, to understand what they’re doing. How often are they testing the systems? How often and what kind of reports are they providing? Have there been issues that have been found? Are there particular vulnerabilities that need to be fixed? Are they classifying them in a certain way? And then, what’s being done to fix those items that have been found? The processes in the firm are, especially on the CCO side, to understand what’s being done to protect the information, to protect the systems, understand what’s been found around that, and then understand what’s happening with that. Because that flows through, as we said earlier, to other areas of the firm. There could be other reporting requirements that they need to be aware of. There’s ownership in the CCO area of how does this all work in the firm. But really, the implementation of the software security, the testing that’s generally looked at, that’s the realm of the IT experts because that’s what they do. And Tim, I don’t know if you have anything else.

Tim Buckler: I would agree, but I think the regulators are concerned to make sure that the CCO, who is supposed to be the most knowledgeable about the regulations and requirements, is responsible to make sure that they are meeting those requirements. They don’t need to know the day-to-day of how things actually get executed because they may not be a technology person, but they need to feel comfortable that they’re meeting the expectations of the regulators. I think beyond that, it’s kind of whoever in your organization is best at technology. Sometimes in small firms, you don’t have a CTO and it’s the Chief Operations Officer. As long as the rules are being followed and the CCO can feel confident, I think your firm is in a good place. And one thing that jumped out to me that we generally find difficult for many firms is the proper log maintenance of what’s going on within your network.

Many people can figure out when someone logs into the system because your vendor may provide that from a single sign-on perspective; a lot of firms have difficulty in understanding what data was accessed when, who ran what reports, how that data moves within their system, and who has access to it on a real-time basis. Or even after the fact, if you have some sort of instance, you need to figure out what happened from a frontend, forensic analysis perspective. A lot of firms just don’t have the systems in place to check when things are happening and make a log of that going forward. It makes it difficult to understand after the fact how someone got into your system and what they did with it if you don’t have logs that monitor their activity.

Len Derus: You know, Bob, I think the one thing here is that this is an area that will always be changing. If you look at how technology has changed just in the last, I’m going to say 10 years, let alone 20 years, how we’re using technology, how information is stored, how it’s transmitted, we don’t use fax machines too much, although some people still do. How we collect information is changing so much. And that’s a primary challenge for firms to keep up with. But that’s where you have to rely on and make sure you’re partnered with your vendors and your IT team to make sure that you are current, you’re up to date. Then compare that back to what our procedures said last year. We’re changing this system; we’re changing a process. Does that match? If it matches, great. If it doesn’t, make those updates, so everyone’s aware of how the systems and controls are operating. And then when you’re running through your annual reviews of your firm, you can test those and see that yes, we have implemented them, they are working, or if there are improvements needed.

Bob Mooney: Thank you, Tim and Len, for sharing your insights today. If you’d like to learn more about our experts and how Oyster can help your firm, visit our website at oysterllc.com. If you like what you heard today, follow us on whatever platform you listen to and give us a review. Reviews make it easier for people to find

About The Podcast Speakers

Tim Buckler

Tim Buckler has spent 10 years in the financial services industry, with a focus on project management, cybersecurity, data analysis, and compliance. Tim’s experience includes project management support for clearing platform conversions, cybersecurity assessments, GDPR and CCPA assessments, performing 12b-1 Mutual Fund fees analysis for regulatory initiatives, and ownership changes for custodial IRA held annuities.


Leonard Derus

Leonard Derus is a seasoned financial services professional with over 20 years of experience in Compliance and Risk Management, Control Process Development and Implementation, as well as Program Development, Management and Training.
