My column in Compliance Week this month provides a series of recommendations and caveats when seeking a pen tester – or any other form of risk and security assessment. Pen testing has become a fairly rigorous regulatory requirement for financial firms in particular. Consider some recent history:
Financial Firms and Pen Testing
For financial firms, pen testing is particularly important because federal and state regulators now expect some form of pen testing at financial institutions such as banks, investment advisers, broker-dealers, exchanges, mutual funds, etc.
For example, the Securities and Exchange Commission (SEC) has several times publicly emphasized the importance of pen testing. Specifically, in April 2014, the SEC announced its first cybersecurity sweep of brokerage and investment advisory examinations in an SEC Risk Alert, which made the unusual and almost unprecedented move of publishing, as a “resource,” the so-called “examination module” (i.e. questionnaire) that SEC staff planned to serve upon targets of the sweep. About a year after the SEC’s first sweep, the SEC published a report containing some strong sentiments about cybersecurity. Next, on September 15, 2015, the SEC announced its second sweep of examinations into brokerage and advisory firms’ cybersecurity practices, once again providing the examination module as a resource for regulated entities. In the report and in both modules, the SEC makes clear that its examinations will probe specifically the results of “risk assessments to identify cybersecurity threats, vulnerabilities, and potential business consequences.”
Not to be outdone, the Financial Industry Regulatory Authority (FINRA) also released, in February 2015, its Report on Cybersecurity Practices, an in-depth report on cybersecurity at broker-dealers. Therein, FINRA offered its own insights into what it expects from firms’ cybersecurity risk management practices, and included its expectation that firms implement “sound technical controls, such as identity and access management, data encryption and penetration testing.”
Banking regulators are following a similar path to the SEC and FINRA. For instance, New York State’s financial services regulator recently unveiled details about potential new cybersecurity regulations for banks and insurance companies under its jurisdiction, which include requiring banks “to conduct annual penetration testing and quarterly vulnerability assessments.” Moreover, Standard & Poor’s has gone so far as to threaten to downgrade banks with weak cybersecurity, even if they have not been attacked.
The SEC R.T. Jones Administrative Action
On September 22, 2015, the SEC announced that R.T. Jones Capital Equities Management, a St. Louis-based investment adviser, agreed to settle charges that it failed to establish the required cybersecurity policies and procedures in advance of a breach that compromised the personally identifiable information (PII) of approximately 100,000 individuals, including thousands of the firm’s clients.
This was the first SEC enforcement action which specifically addressed its expectations pertaining to the cybersecurity of the entities it regulates, and made a subtle but strong statement concerning the importance of pen testing.
According to the SEC, R.T. Jones stored sensitive PII of clients and others on its third-party-hosted web server, which was attacked in July 2013 by an unknown hacker who gained access to the data on the server, rendering the PII of more than 100,000 individuals, including thousands of R.T. Jones’s clients, vulnerable to theft. The SEC noted that, among other things, R.T. Jones had failed to conduct periodic risk assessments.
Had R.T. Jones employed the right pen tester, the firm would not likely have become the subject of an SEC administrative action. Why? Because the right pen tester becomes a long-term partner who not only enhances cybersecurity and improves data breach response, but also provides legitimate cover with regulators, shareholders, customers, third-party vendors and class action lawyers who suspect weak cybersecurity.