April 17, 2014

SEC plan targets cybersecurity for firms

April 18, 2014 – The Securities and Exchange Commission has joined the growing list of agencies and coalitions alerting financial institutions about cyber risks to their systems and data.

Reuters reported that the commission has unveiled an outline detailing how its examiners will ensure non-depository financial firms are prepared for various cyber attacks. The plan addresses the types of information SEC examiners might request from brokerages and asset managers during inspections, including "a comprehensive list of when they detected malware, suffered a 'denial of service' attack or discovered a network breach since January 2013."

It was also noted in the outline that the SEC plans to examine more than 50 firms on cyber security issues. (SEC has meanwhile been flagged in a new Government Accountability Office report for weakness in its own systems.)

Last week, the Federal Financial Institutions Examination Council issued an alert to credit unions and banks about the "Heartbleed" vulnerability for OpenSSL servers. FDIC, also last week, issued a list of online resources about cyber risks and encouraged financial institutions to use them.

The Justice Department and Federal Trade Commission also circulated a policy to the Financial Services Sector Coordinating Council – NAFCU is a founding member – that encourages private entities not to let concerns about antitrust issues stop them from the prudential sharing of cybersecurity data with other parties.

Credit unions are subject to rigorous federal rules on the mitigation of cyber risks and protection of members' data. NAFCU continues to press for legislation that would require merchants to adopt data security standards similar to those required of financial institutions under the Gramm-Leach-Bliley Act.