Cyber Security—“Trouble Times Two” for Securities Industry Firms

By Karen A. Steighner, MBA

In spite of the seemingly never-ending stream of new regulation in the financial services industry, failing to recognize heightened regulatory concern and failing to develop an effective Cyber Security program is particularly problematic for broker-dealers, advisers and other securities market participants. A firm that does neither is exposed not only to the devastating effects of a cyber attack but also to a regulatory violation—twice the trouble. Dealing with the expansive and expensive damage that follows a cyber attack is therefore two-fold, and substantially more onerous than developing and implementing an effective plan in the first place.

Studies[1] have shown that heavily regulated industries such as healthcare, education, pharmaceutical and financial services are particularly attractive to cyber criminals because, among other reasons, they manage greater volumes of personal data. Given the continuous proliferation of new and creative cyber attacks and the frequency with which they occur, the SEC’s Office of Compliance Inspections and Examinations (OCIE) has significantly increased its focus on data security issues in the past year. SEC Chair Mary Jo White had previously emphasized the significance of combating cyber security challenges to ensure the stability and integrity of our market system, as well as of disclosing material information and protecting the market’s customer data.[2]

OCIE’s Cybersecurity Initiative[3] and FINRA’s Report on Cybersecurity Practices[4] are two examples of the broad regulatory emphasis on safeguarding the technology underlying the financial markets. Enforcement actions have already been taken against firms for failing to adopt programs to prevent, detect and manage data breaches. In the near future, securities industry firms can expect the SEC and FINRA to issue more formal cybersecurity standards or requirements for broker-dealers, investment advisers, and other securities market participants, including transfer agents, investment companies, and security-based swap dealers.

In order to avoid the binary chaos, prepare now both for the inevitable cyber attack, which could happen at any time, and for the inevitable forthcoming regulation. Securities industry firms would be well-advised to consider the SEC’s and FINRA’s expectations (which will likely form the basis for exams) as outlined in their recent publications.

The Critical Elements of a successful cyber security program are—

  • Governance and Risk Management
  • Cyber Security Risk Assessment
  • Technical Controls
  • Incident Response Planning
  • Vendor Management
  • Staff Training
  • Cyber Intelligence and Information Sharing
  • Cyber Insurance

Compliance Advisers, Inc. offers Cyber Security Program development services to broker-dealers, investment advisers, and other securities market participants, including customized policies and procedures that address each of the critical elements of an effective program.

Contact us at (303) 795-0400 or online.

Citation: Steighner, Karen A. (2016). Cyber Security—“Trouble Times Two” For Securities Industry Firms.…s-industry-firms/

[1] 2014 Cost of Data Breach Study: Global Analysis, The Ponemon Institute, Sponsored by IBM (May 2014)

[2] Chair Mary Jo White, Opening Statement at SEC Roundtable on Cyber Security (Mar. 26, 2014)

[3] OCIE’s 2015 Cyber Security Examination Initiative, SEC National Exam Program, Office of Inspections and Examinations (“OCIE”), Vol IV Issue 8, September 15, 2015

[4] Report on Cyber Security Practices, FINRA, February 2015