ARE YOU PROTECTING THE ENTIRE FIRM?

by Ryan Boysen and Eugene Grygo

Cyber-security was initially focused on client information. But now, regulators want to know whether all of a firm's data is safe, says Lisa Smith, a data privacy specialist from Eze Castle Integration.

Lisa Smith, business continuity/data privacy manager at Eze Castle Integration, recently spoke to FTF News about the cyber-security tests looming for many financial services firms. Earlier this year, the SEC announced that it is readying cyber-security exams for more than 50 registered broker-dealers and registered investment advisers via its Office of Compliance Inspections and Examinations. The SEC move is an attempt to help firms better protect themselves from cyber-attacks. Also, New York state officials will be adding to their regular examinations of banks registered in the Empire State, as directed by Gov. Andrew Cuomo, who ordered the Department of Financial Services to begin "regular, targeted cyber-security preparedness assessments," according to a prepared statement.

Q: How well-prepared are firms for these cyber-security exams?

A: From what I'm seeing, it sounds like they're taking it very seriously, and I'm glad to see that because it is very important. Obviously, there have been a lot of incidents that have occurred in the last six months that have impacted firms and consumers. It's not just a financial loss, but there's a reputational loss to consider as well. So it appears our clients are taking this very seriously, and reaching out to us or other providers they work with.

Q: Specifically, what middle- and back-office operational changes are firms considering?

A: I haven't seen any changes other than firms starting to ask themselves, "How are we going to prepare? How do we make sure we're protected?" I've had conversations with several firms about protecting their customers' data. But it's not just client information. There's employee information, which includes Social Security numbers, direct deposit data, and so on. There's portfolio data you don't want to get out into the public. Bank statements, company tax information. There's a lot of data that needs to be protected.

When regulation was being formulated back in 2009 and 2010, it was centered on client information. But now, the SEC exam is asking, "How are you protecting the entire firm?"

Q: Does that imply there might be more interaction among compliance, operations, IT and the business side of things?

A: If there isn't today, there will be soon, because part of responding to these questions is making sure you've got a comprehensive information security plan in place. In order to do that, you're going to have to get the business side as well as the chief compliance officer and chief information officer involved.

Q: It seems as if with these exams the SEC is kind of snapping the line, telling firms, "You say you've got cyber-security protections in place, but do you really?" What do you think?

A: I think that's basically how firms should deal with this. Don't just say you have it. You need to understand exactly what you have and what you're doing. You can't just answer "yes, no, yes, no" on these questions. You need to provide them with detail. I think it's very important that you can demonstrate your due diligence.

Q: There are so many points of entry for a potential cyber-attack at financial firms these days. How are firms going to stay on top of all that?

A: I think it's going to depend on the firm. But I think overall the questions the SEC will be asking are raising awareness and knowledge at firms. It used to just be the chief technology officer and the IT department that had all this knowledge. But now firms really need to make sure it's instilled across the entire firm. That's how you're going to increase awareness, and employees are going to know what to look for.

FALL 2014 | FTF NEWS MAGAZINE