Cybersecurity ‘Not Owned’ by Compliance but Shared: FINRA Exec

Cybersecurity is an "an operational risk issue, not generally owned" by a firm's chief compliance officer and legal department, Daniel Sibears, FINRA's EVP of regulatory operations said Tuesday at the joint FINRA and Securities and Exchange Commission Broker-Dealer Compliance Outreach Seminar in Washington.

However, while cybersecurity isn't "owned by the CCO community," the partnership between compliance and operational risk personnel should be "strong," and compliance should be "an advocate and understanding risks to the business," Sibears told attendees at the seminar held at SEC headquarters in Washington. For instance, compliance can help the BD "understand how to convert a [cyber] threat or intrusion into dollars" that it could cost a firm.

Jenny Menna, Cybersecurity Partnership Executive at U.S. Bank, who spoke on the cybersecurity panel with Sibears at the BD Outreach Seminar, stated that cybersecurity is a "growth industry with job security as adversaries are getting more sophisticated" and they have "more tools" at their disposal. Cybercrime, she said, is "the biggest issue" for compliance and risk management professionals.

(Check out: Shedding a Light on Shadow IT)

Lon Dolber, CEO of American Portfolio Financial Services, another panel member, stated that among the cyberattacks his BD has seen includes 20 different instances where someone impersonating a client has emailed one of the BD's advisors asking them to perform a certain transaction, such as a wire transfer.

Menna added that there are also incidences of extortion, where cyber criminals will threaten a certain action if their request isn't honored.

FINRA's Sibears added that "ransoms" are "getting more sophisticated," with cyber criminals willing to show the harm they can do.

SEC Chairwoman Mary Jo White told compliance officers at the seminar that it's not the SEC's "intention to use our enforcement program to target compliance professionals," however the agency "must, of course, take enforcement action against compliance professionals if we see significant misconduct or failures by them."

Being a CCO "obviously does not provide immunity from liability, but neither should our enforcement actions be seen by conscientious and diligent compliance professionals as a threat," White said. "We do not bring cases based on second guessing compliance officers' good faith judgments, but rather when their actions or inactions cross a clear line that deserve sanction."

Sibears also noted that FINRA has encouraged firms to share information about cyber threats, but said that legal issues may impede some of this information sharing.

He pointed to the U.S. Chamber of Commerce announcing on July 7 its launch of a new Cybersecurity Leadership Council, which includes businesses–including JP Morgan–and associations that will promote cybersecurity policy by advancing the adoption of best practices.

SEC Commissioner Luis Aguilar noted in a recent speech that another barrier to a "more robust approach to cybersecurity lies in the legal risks associated with sharing threat intelligence."

Many firms, Aguilar said, "claim that such liability is one of the principal hurdles they face when they seek to share information."

While this is a legitimate concern, he continued, "there is but one solution: legislation is needed to allow firms to share information with each other and with the government without fear of liability."

He pointed to several bills that have been proposed, but added that nothing has materialized to date.

"Without such legislation, we are all at risk."

– Related stories: