Cyber Security: How CCOs Can Help

THREATS: Investor lawsuits; reputational damage; regulatory actions; wasted management time and effort.

3,000: U.S. companies notified by federal agents last year that their computer systems had been hacked (Washington Post).

$38B: The cost of cyber crime in the U.S. (Symantec).

90%: Exchanges polled last year that said cyber crime in securities markets should be considered a systemic risk (International Organization of Securities Commissions, World Federation of Exchanges).

A major security flaw known as the Heartbleed bug was recently revealed. It may have been leaving Internet users' passwords and personal information exposed to hackers for the past two years.

Chief compliance officers can't stop their firms being hacked or being hit by a natural disaster that affects their IT systems. But they can make sure the regulatory and legal fallout is minimized.

SOLUTIONS

BCP: Develop a business continuity and disaster recovery plan (BCP). The BCP must tackle computer networks and systems issues; threats may arise not just from crooks but also natural disasters. Consult guidance from the Securities and Exchange Commission, Commodity Futures Trading Commission and Financial Industry Regulatory Authority recommending, among other things: prioritize time-sensitive regulatory requirements; regularly update BCPs to include new regulatory requirements; conduct BCP tests and participate in industry testing; incorporate stress tests into BCPs; plan for communication and coordination with regulators and exchanges.

DISCLOSURE: Talk to regulators: more firms are entering information-sharing agreements with the FBI and other agencies. Talk to clients: disclose the firm's operational reliance on its computer networks and systems in customer account agreements; say you may be the target of cyber attacks; include liability limits. Talk to investors: in public filings, disclose to shareholders the risks.

RISK INSURANCE: First-party insurance policies; third-party liability policies.

VENDOR MANAGEMENT: Conduct due diligence: can a vendor protect your data? Impose obligations on vendors. Continuing monitoring of vendors.

WORK TOGETHER: In-house: involve compliance, legal, IT and human resources. Out there: develop protocols for information sharing across the industry and with regulators.

(With thanks to Jason Glass of Bingham McCutchen. For more details on how CCOs can limit legal and regulatory risks from cyber threats, and other guidance for CCOs in the brokerage and asset management industries, go to Institutional Investor Compliance Intelligence.)

shared by IIMag on Jun 04
Compliance Intelligence presents a special infographic outlining the threats facing financial services firms from cyber attacks—and what chief compliance officers can do to limit the damage such att...