© 2019 Financial Industry Regulatory Authority, Inc. All rights reserved.
Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)
Wednesday, May 15, 11:15 a.m. – 12:15 p.m.
Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for protecting company information technology (IT) systems. During this session, panelists discuss steps CCOs should take to prevent or reduce cyber-attack risk.
Moderator: Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists:
Leslie Jallans, Chief Compliance Officer, NEXT Financial Group, Inc.
Judith Villarreal, Esq., General Counsel and Chief Compliance Officer, CoreCap Investments, Inc.
Daniel Woodring, Executive Vice President and Chief Compliance Officer, PFS Investments Inc.
Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)
Panelist Bios
Moderator:
Kevin Bogue joined FINRA in January 2017 as a Regulatory Principal in the Chicago District Office. Mr. Bogue is a member of the Sales Practice Cybersecurity team, which is responsible for examining firms' controls over their protection of sensitive client and firm information. Prior to joining FINRA, Mr. Bogue gained more than 17 years of information technology (IT) and security experience, working as a technology consultant with Accenture; as an internal Global IT auditor, IT Compliance Manager and SOX Program Manager with Abbott Laboratories; as an IT Compliance Manager with Brunswick; and as an internal IT Audit Manager with CDW. Mr. Bogue earned an MS in Information Systems from DePaul University in Chicago, IL and a BS in Psychology from Iowa State University in Ames, IA.
Panelists:
Leslie B. Jallans joined NEXT Financial Group, Inc. in September 2014 as Chief Compliance Officer, where she is responsible for the firm’s broker/dealer and investment adviser compliance programs. Prior to that, Ms. Jallans served in Chief Compliance Officer roles over a 30-year period with Houston-based dual registrants including Sanders Morris Harris Inc., American General Securities Incorporated, Hines Securities, Inc. and Advantage Capital Corporation. Ms. Jallans earned the degrees of Master of Business Administration and Bachelor of Music Education from Loyola University in New Orleans. She holds the Series 4, 7, 24, 27, 53, 63 and 65 licenses. Ms. Jallans is a securities arbitrator with FINRA Dispute Resolution and serves on the FINRA Content Committee for the Regulatory Element of Continuing Education.
Judith A. Villarreal is a financial services compliance professional and attorney who has worked in this area since the Eighties. Beginning at the Chicago Mercantile Exchange in the Compliance and Legal Department, Ms. Villarreal has worked as inside and outside counsel and compliance officer with banks, broker-dealers, registered investment advisors, commodity trading advisors, commodity pool operators, futures commission merchants, insurance agencies and insurance field marketing organizations. Ms. Villarreal currently practices as General Counsel and Chief Compliance Officer for CoreCap Investments, Inc., a registered broker-dealer and member, FINRA/SIPC, as well as its affiliated federally registered investment adviser, CoreCap Advisors, Inc., and as Compliance Counsel to M&O Marketing, an independent marketing organization, in the state of Michigan. She is admitted to practice in Michigan, having previously been admitted in the States of Illinois and Hawaii. In addition to the credentials above, Ms. Villarreal currently holds 13 FINRA series licenses, is a Certified Anti-Money Laundering Specialist (“CAMS”) and a Certified Information Privacy Professional/US (“CIPP/US”), and holds additional compliance certifications in insurance and banking. She notes that she is lucky to be good at multiple-choice exams and to work in an industry where that is a marketable skill.
Daniel Woodring is Executive Vice President and Chief Compliance Officer of PFS Investments Inc. and Primerica Shareholder Services, Inc. Prior to joining Primerica, Mr. Woodring worked in numerous roles within the financial services industry, including brokerage, banking, insurance and consulting firms. He graduated from the University of Georgia, earning a B.B.A. with dual majors in Finance and Risk Management. In 2000, Mr. Woodring received his J.D. from the Georgia State University College of Law. He is a member of the Georgia Bar and has served as Chair of the Financial Services Institute’s Compliance Council and as a member of the FINRA South Regional Committee.
2019 FINRA Annual Conference | © 2019 FINRA. All rights reserved.
Panelists
Moderator: Kevin Bogue, Regulatory Principal, Sales Practice, FINRA Chicago District Office
Panelists:
Leslie Jallans, Chief Compliance Officer, NEXT Financial Group, Inc.
Judith Villarreal, Esq., General Counsel and Chief Compliance Officer, CoreCap Investments, Inc.
Daniel Woodring, Executive Vice President and Chief Compliance Officer, PFS Investments Inc.
To Access Polling
Under the “Schedule” icon on the home screen, select the day.
Choose the Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track) session.
Click on the polling icon.
Agenda – CCO’s Role in Cybersecurity
Key Topics for any Cybersecurity Program
Governance
Risk Assessment
Vendor Management
Branch Office
Incident Response Planning
Training and Security Awareness
Polling Question 1
1. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated?
a. Yes
b. No
Governance
Resources assigned and overall cybersecurity program governance
Leaders, resources and organization
Information security roles defined
Governance groups and process (senior leadership / board involvement)
Policies, standards and procedures
Risk Assessment
What is a risk assessment?
A systematic approach to estimating the magnitude of risks (risk analysis) and comparing risk to risk criteria (risk evaluation). It is an ongoing process, not a single point-in-time review.
Scope of a risk assessment
Critical asset inventory (Data, Hardware, Software, Systems)
Threat evaluation – both external and internal
Vulnerability assessment of assets
Risk evaluation and prioritization – governance
Technical Controls
Vendors and their Affiliates
Polling Question 2
2. Is your firm’s compliance department involved in the vendor management program?
a. Yes
b. No
c. I don’t know
Vendor Management
Firm’s processes to manage and oversee critical vendors:
Firm’s list of critical technology vendors
– Application systems (e.g., clearing systems, etc.) and technology services (e.g., datacenters, network, etc.)
Life Cycle for Vendor Management:
– Onboarding: establish controls and associated contractual terms/conditions
– Operational Oversight: annual audit and testing along with contingency planning
  SOC Reports
– Termination: access to and disposal of sensitive / confidential data
Polling Question 3
3. Does your firm provide formal cybersecurity guidance to branch offices?
a. Yes
b. No
Branch Office
Cyber Control Areas would include:
Firm policy directly related to branch operations
Physical security and maintaining an inventory of critical data, software and hardware
Inventory of critical data, software and hardware existing at a branch
The use of complex passwords to protect devices (desktop, laptop, mobile)
Security of assets and data (both on premise and in the Cloud)
Encryption of hard drives (desktop, laptop and mobile)
Secure transmission and storage of data (including email)
Incident reporting of lost or stolen data and hardware
Patch and virus protection processes
Firm branch exams with a specific cybersecurity focus
Registered representative (RR) training and certification (e.g., annual attestation of expected cybersecurity controls)
Polling Question 4
4. Does your firm have a written cybersecurity incident response plan?
a. Yes
b. No
Incident Response Planning
Creation of plans and procedures, and regular testing, of potential responses to cyber incidents
How to identify, react to, manage and recover from a cybersecurity incident
Internal, public media, business partner and customer communication plans
Engagement with industry groups, law enforcement and regulators
Cyber incident handling should be integrated into the firm’s existing processes
Business continuity and disaster recovery
Plans for maintaining and recovering critical business operations during and after an interruption as a result of a cyber incident
Tools, training and practice exercises
Polling Question 5
5. Does your firm have a formal cybersecurity training program?
a. Yes
b. No
Training and Security Awareness
Include employees, contractors, third parties and potentially customers
Include cyber threats (phishing, attachments, links, etc.), privacy, and information handling
All firms should employ a formal annual training and certification program
Multiple learning approaches are helpful
Classroom and online self-study (internally and/or externally developed)
Lunch and learns and informal roadshows
Periodic email addressing specific cyber risks
Periodic testing to raise awareness
Staged phishing emails, bad links, or “lost” flash drives delivering instructive messages
References
FINRA Cybersecurity Page: www.finra.org/industry/cybersecurity
Small Firm Cybersecurity Checklist
Report on Cybersecurity Practices (2015)
Report on Selected Cybersecurity Practices – 2018
Compliance Vendor Directory
NIST Cybersecurity Framework: www.nist.gov/cyberframework
2019 FINRA Cybersecurity Half-Day Seminars
Chief Compliance Officer’s (CCO’s) Role in Cybersecurity (Cybersecurity Track)
Wednesday, May 15, 11:15 a.m. – 12:15 p.m.
Resources
FINRA Resources
FINRA Cybersecurity Webpage www.finra.org/industry/cybersecurity
Small Firm Cybersecurity Checklist www.finra.org/sites/default/files/smallfirm_cybersecurity_checklist.xlsx
Report on Selected Cybersecurity Practices – 2018 www.finra.org/sites/default/files/Cybersecurity_Report_2018.pdf
Report on Cybersecurity Practices (2015) www.finra.org/sites/default/files/p602363%20Report%20on%20Cybersecurity%20Practices_0.pdf
Compliance Vendor Directory www.finra.org/industry/cvd
2019 FINRA Cybersecurity Half-Day Seminars Webpage www.finra.org/industry/2019-finra-cybersecurity-half-day-seminars
Other Resource
NIST Cybersecurity Framework Webpage www.nist.gov/cyberframework