Financial services organizations have been facing an increased level of scrutiny in regards to data security. In 2015, both the Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) announced a stronger commitment to data protection, including tighter regulations and enforcements, putting added pressure on financial institutions to prove that policies, procedures and technologies are in place to protect data and respond to breaches, should they occur. Both organizations have recently announced this commitment to data protection remains strong.
In 2015, the SEC released observations of its first round of cybersecurity examinations, with an announcement on a second round, and began enforcing cybersecurity standards and preparedness within the industry. Reinforcing its earlier commitment to data protection, the SEC announced its 2016 Examination Priorities, noting:
“To help fulfill the SEC’s mission of maintaining fair, orderly, and efficient markets, OCIE will continue its focus on cybersecurity controls at broker-dealers and investment advisers. New initiatives for 2016 include an evaluation of broker-dealers’ and investment advisers’ liquidity risk management practices, and firms’ compliance with the SEC’s Regulation SCI, designed to strengthen the technology infrastructure of the U.S. securities markets."
In 2015, FINRA released a comprehensive report on cyber threats and how to address them with a comprehensive outline of a layered security strategy. Like the SEC, FINRA backed up its recommendations with greater enforcement actions, including a $225,000 fine against a financial firm for failing to encrypt data on a lost laptop. Earlier this month, FINRA released its 2016 Regulatory and Examination Priorities Letter, outlining areas of focus and concern. One of the areas of concern identified is on a firm’s risk management practices related to technology infrastructure, outlining cybersecurity preparedness, technology management and data governance issues.
“FINRA will review firms' approaches to cybersecurity risk management, and depending on a firm's business and risk profile, we will examine one or more of the following topics: governance, risk assessment, technical controls, incident response, vendor management, data loss prevention and staff training."
It is clear from the enforcement actions of both the SEC and FINRA within 2015, and their recent commentary, that financial organizations will be held accountable for data loss, particularly as it relates to mobile devices. Compliance experts believe both regulators will increase the number of enforcement actions as a result of examinations in 2016. Given the number of regulatory and State bodies now issuing fines, these data security incidents will only become more costly. In a recent whitepaper, How Financial Services Firms Can Bolster Security by Leveraging Persistence Technology on the Endpoint, we discuss recent security trends in the industry and how Persistence technology by Absolute can play a role in data protection.