SFC Issues Cybersecurity Circular
On 23 March 2016, the SFC issued a further cybersecurity circular to all Licensed Corporations highlighting their view that cybersecurity should be taken as a matter of priority by regulated entities. As part of their electronic trading initiative, the SFC has recently conducted a series of reviews of the cybersecurity within selected larger sized licensed firms, with the aim of assessing whether effective cybersecurity controls have been implemented to guard against cybersecurity threats.
This circular reinforces the prior circular from 27 November 2014, which announced that the SFC expects regulated entities to take initiative regarding emerging information security threats facing the financial services industry. The driver for the new SFC circular is clearly the increasing occurrence of cybersecurity incidents across the financial services industry. The SFC’s concerns are mirrored by regulators globally and in particular by the U.S., where the focus on cybersecurity has intensified with the publication of further guidelines by the SEC, FINRA, NFA and CFTC throughout 2015 and 2016.
The SFC’s reviews revealed that most of the larger sized regulated firms have prioritized resources dedicated to strengthening their cybersecurity control frameworks and to anticipating cybersecurity threats in a proactive manner. However, they emphasize that corporations are deficient in fully recognizing that cybersecurity risks constitute genuine and significant threats to their businesses and in augmenting their control frameworks with a view to addressing these threats. As a consequence, the SFC advises that the regulated community ensure that:
A review and assessment of their cybersecurity risks has been, or is in the process of being, comprehensively and effectively undertaken
Any weaknesses identified as a consequence of such review and assessment have been, or are in the process of being, rectified
The enhancement of their cybersecurity controls is being treated as a matter of priority
The circular also highlights areas of SFC concern regarding cybersecurity, namely inadequate coverage of cybersecurity risk assessment exercises; inadequate cybersecurity risk assessment of service providers; insufficient cybersecurity awareness training; inadequate cybersecurity incident management arrangements and inadequate data protection programs. In expressing such concerns, the SFC has detailed what should be considered in terms of controls and mechanisms by corporations to further enhance their cybersecurity control frameworks. Suggested cybersecurity controls:
Establish a strong governance framework to supervise cybersecurity management
Implement a formalized cybersecurity management process for service providers
Enhance security architecture to guard against advanced cyber-attacks
Formulate information protection programs to ensure sensitive information flow is protected
Strengthen threat, intelligence and vulnerability management to proactively identify and remediate cybersecurity vulnerabilities
Enhance incident and crisis management procedures with more details of latest cyber-attack scenarios
Establish adequate backup arrangements and a written contingency plan with the incorporation of the latest cybersecurity landscape
Reinforce user access controls to ensure access to information is only granted to users on a need-to-know basis
The SFC fully intends to continue the focus on cybersecurity assessments and controls, given the persistence of threats and the continuing need for Licensed Corporations to improve their cybersecurity defenses. They remind regulated firms that they are expected to take appropriate measures in response to the cybersecurity risks that they face. This includes expecting corporations to seek advice from external contracted vendors if they do not possess such expertise to critically review and assess the effectiveness of the cybersecurity controls in their business environments.
Duff & Phelps has completed many cyber reviews over the last 12 months, using our proven methodology to assist regulated firms in evaluating their cybersecurity risk profiles and designing appropriate control frameworks, thus protecting their investors and meeting regulatory requirements. In addition, we have conducted staff cybersecurity awareness training for many financial services clients.
Duff & Phelps provides comprehensive reviews of firms’ cybersecurity risk, assists Licensed Corporations in reducing risk and meeting regulatory expectations and ensures cyber security investment is prioritized and focused on the most important threat areas for their business. Duff & Phelps has also completed regulatory electronic trading reviews for clients to achieve compliance with the SFC electronic code of conduct.