The mitigation of cybersecurity risks has come to regulators’ attention as securities markets have grown into an interconnected web of firms and exchanges. On several widely reported occasions, the lack of strong mitigating or operating controls has resulted in events that negatively affected the market, highlighting that the mitigation of cybersecurity risks has become important not only for the firms themselves but also for the broader market.
Regulatory attention: The regulators are watching
Companies had a preview of the regulatory scrutiny concerning cybersecurity in 2014 with the SEC’s Office of Compliance Inspections and Examinations (OCIE) cybersecurity initiative, which was a risk alert that provided information on what the SEC may require to assess the cybersecurity preparedness in the securities industry.1
In February 2015, OCIE published their examination findings associated with cybersecurity.2
Coverage of the examination included policies and procedures, risk assessments, cyber-related incident management, best practices through information sharing, inventorying technology resources, third-party vendor management, suggestions to clients regarding their sensitive information, the designation of a chief information security officer, and use of cybersecurity insurance.
In September 2015, OCIE issued a new risk alert concerning their second round of cybersecurity examinations and the six key areas of focus, including governance and risk assessment, access rights and controls, data loss prevention, third-party vendor management, training, and incident response planning.3
Regulation Systems Compliance and Integrity went into effect on Nov. 3, 2015, and requires firms to “ensure their core technology meets certain standards, conduct business continuity testing, and provide certain notifications in the event of systems disruptions and other events.”4
How firms can prepare for regulatory inspection
Here are four areas for achieving an effective operational transformation that reflects current regulatory demands:
What organizations should be doing now
Make it an executive mandate. The importance of operational leadership can’t be overstated. Strong governance and control at the top are essential to ensure that both long-term and day-to-day goals will be met. An executive mandate should commission an effective enterprise program charter whose sole purpose is to develop a strategy to achieve regulatory compliance over the long term. Once every stakeholder understands leadership’s expectations, the culture and business strategy can be aligned with those expectations.
Allow sufficient time, investment and planning to be successful. Process and system modifications can involve approval from many layers of management, which is time-consuming. Additionally, corporate dollars intended to support regulatory compliance initiatives are often inconsistently budgeted to meet shorter corporate timelines, rather than the longer term needed for the specific regulation. For companies, achieving compliance will require many incremental steps over a long period of time and span multiple budget cycles, different governance structures, technology changes and improvements, and shifts in stakeholders. It is therefore critical to engage in comprehensive, long-term planning and strategic budgeting in order to be successful in the long term.
Understand data through data rationalization. Most companies have an array of application architectures, database structures, integration platforms and system owners, all embedded in a complex IT network. Much of that legacy technology is decades old, making it not only difficult to maintain but harder still to modify to conform to today’s standards. In order to take stock of an organization’s technology infrastructure, it’s useful to conduct an enterprise-wide data rationalization initiative or master data management (MDM) program. The MDM analysis will reveal sensitive data, data redundancies and inconsistencies due to multiple data sources, and associated reporting efficiencies. It will also help build awareness of the impact of upgrading legacy systems versus investing in replacement systems, and it will help clarify integration requirements and system consolidation. In parallel with an MDM initiative, organizations may also consider collaborative disclosure management, which can integrate with any source system at the last stage of regulatory reporting, providing powerful and lasting capabilities with limited investment.
Focus on technology for long-term success. Firms should consider drafting a long-term roadmap that includes leveraging new technologies like the cloud or outsourcing functions where there is a lack of specialization within the firm. This will allow firms to focus on core competencies; however, it does not release the firm from understanding the controls implemented by service providers.
Here’s what we think companies should be doing now to recalibrate their operations for long-term success:
Implement an operational risk governance structure and proper training.
Define the defense areas (business, compliance, enterprise risk management, risk management and internal audit).
Assess the risks.
Assess the risk mitigation processes (controls).
Implement controls to prevent unauthorized access to systems or information.
Establish a monitoring mechanism to avoid potential data loss.
Create a reporting process — both internal and external.
Confirm automated tools that can assist in maintaining an effective, less manual risk mitigation process.
Create a process for a third-party assessment of the operating effectiveness of the risk-mitigating controls.
Implement an incident response process.
The bottom line for companies is to reduce operational risk by implementing a long-term comprehensive strategic plan for change that is mandated by the organization’s leaders, has a robust change-control element, and is backed by the necessary funding. Timely and effective completion is dependent on the organization’s willingness or ability to make and sustain the significant long-term investment.
Tax professional standards statement
This content supports Grant Thornton LLP’s marketing of professional services and is not written tax advice directed at the particular facts and circumstances of any person. If you are interested in the topics presented herein, we encourage you to contact us or an independent tax professional to discuss their potential application to your particular situation. Nothing herein shall be construed as imposing a limitation on any person from disclosing the tax treatment or tax structure of any matter addressed herein. To the extent this content may be considered to contain written tax advice, any written advice contained in, forwarded with or attached to this content is not intended by Grant Thornton LLP to be used, and cannot be used, by any person for the purpose of avoiding penalties that may be imposed under the Internal Revenue Code.