Page 14 - FTF_092614
In the wake of major attacks and security breaches upon corporate America, financial services firms and industry regulators are finally waking up to the threats posed to their sector.

THE NEW REALITY OF CYBER-SECURITY COMPLIANCE

by Ryan Boysen

There was a time when cyber-security in the financial services industry was considered an area best left to the techies, more likely to be discussed over Doritos and Mountain Dew than Champagne and filet mignon.

Not anymore.

A series of high-profile attacks last year and recent breaches at big banks like JPMorgan have caused cyber-security concerns to jump to the top of the list for financial services executives and top government officials alike, thrusting the previously niche subject into the spotlight and into regulators’ crosshairs.

Earlier this year, both the SEC and New York’s Department of Financial Services announced plans to begin testing financial services firms for preparedness of their cyber-security systems. The tone of recent comments on cyber-security threats suggests the exams could be just the tip of a very large iceberg.

“Far too many hedge funds, asset managers, insurance providers, exchanges, financial market utilities and banks should and could be doing more,” says Treasury Secretary Jack Lew, speaking at the Delivering Alpha conference July 16.

Meanwhile the authors of “The 9/11 Commission Report” recently described the “cyber-domain as the battlefield of the future,” warning in a July 2014 report that lawmakers must do more to prevent the mistake of 9/11 from repeating itself “in the cyber-realm.”

It remains to be seen what exactly government involvement in the cyber-security arena will look like.

At first blush, the SEC and DFS exams resemble traditional financial sector regulation, where firms are forced to comply with the rules or suffer the consequences. Other initiatives, like a White House-directed Cybersecurity Framework and talk of a government-industry “cyber-war council,” look more like a partnership.

As the firms that will be examined by the SEC and DFS get ready for their close-up, however, analysts say other firms should take note. They might be next.

‘Awareness Phase’

The DFS cyber-security assessments were announced in early May following “an extensive, yearlong survey” of 154 banks the department regulates, and will be administered as part of the broader bank examinations it already conducts each year.

The survey found that, while firms are aware of the dangers and are preparing to ramp up cyber-security spending, gaps remain in cross-firm information sharing, scrutiny of the security of third-party service providers and the adoption by firms of an overall cyber-security strategy.

Like the DFS assessments, the SEC cyber-security exams will also be added on to routine examinations already administered by the commission’s Office of Compliance Inspections and Examinations.

So far, those exams target 50 registered broker-dealers and registered investment advisers, asking questions like “How does the firm identify and evaluate cyber-security risks posed by vendors and other third parties?”

With the DFS and SEC exams falling primarily on large banks and broker-dealers, it appears regulators are concentrating on the sell side for the time being, but an official from the Securities Industry and Financial Markets Association says that isn’t likely to last.

Continued on Page 16

FALL 2014 | FTF NEWS MAGAZINE

































































































