By Horizon’s Chief Information Officer Peter Hall & Vanessa Malone
Current data management landscape
So far in 2020, FINRA has taken disciplinary action against 5 firms and 100 individuals for compliance issues surrounding information management or for failing to produce information in a timely manner.¹
With the world’s sudden and forced transition to remote offices due to the COVID-19 pandemic, it has never been more timely to re-approach how your firm is managing and protecting its data infrastructure.
While many modern workplaces have undergone significant changes to create flexible data infrastructures and innovative work environments, those in heavily regulated environments, such as those which govern financial institutions like broker-dealer firms, have been slow to adopt this new approach.
Instead, in an attempt to meet demanding security vigilance, regulatory obligations, insider risk concerns, and protect against public data breaches; many broker-dealer firms continue to rely on old technology stacks and supervisory procedures. This could in turn expose them to more sophisticated cybersecurity threats and regulatory enforcement risks.
- Firms have been maintaining costly information technology skills. Since it is not their core business, it is very easy for inexperienced staff to misconfigure a system, forget an important patch or not be aware of a new risk.
- Knowledge of a threat comes only from the local implementation of an information system. According to IBM’s 2019 Data Breach Report, the average time to identify a breach in 2019 was 206 days.²
- The current techniques and tools in use were built to address information security vulnerabilities known at the time of design and implementation. Attack vectors evolve over time as do the tools and techniques to combat them.
- Financial institutions are subject to compliance regulations and guidelines from the Securities and Exchange Commission (SEC), the Financial Industry Regulatory Authority (FINRA), the Federal Financial Institutions Examination Council (FFIEC) and the Commodity Future Trading Commission (CFTC). In addition, they are also subject to laws such as Dodd-Frank and the Sarbanes-Oxley Act of 2002.
In today’s climate, broker-dealer firms can not afford — literally or figuratively — a weak data management infrastructure.
A few sobering statistics
- The average cost of a data breach is $3.92 million as of 2019 (Security Intelligence).²
- 43% of breach victims were small businesses (Verizon 2019 Data Breach Report).³
- 60% of small businesses that suffer a cyber attack go out of business within half a year (U.S. National Cyber Security Alliance).⁴
Compliance is no longer a check the box task, its an ongoing battle that requires attention.
In FINRA’s 2019 Report on Examination Findings and Observations, they identified digital communications and cybersecurity as key areas where firms encounter challenges complying with supervision and record-keeping requirements.⁵
Specifically, these include areas of governance and risk management, access rights and controls, data loss prevention, mobile security, incident response and resiliency, vendor management, and training and awareness.
The above is merely a brief overview of the types of rules and regulations broker-dealer firms and other financial institutions must take into consideration when building out their data management platform.
A paradigm shift surrounding data protection
In addition to increasing compliance demands, there’s been a shift in how data is being protected.
The old model was to place all of an institution’s data, identities and infrastructure into an environment that was protected at the perimeter by investing into firewalls, intrusion detection systems (IDS) and intrusion prevention systems (IPS).
As the network perimeter expanded and information became more distributed, the nature of attacks changed. Increasingly, malware-less attacks have become normal. These take the form of phishing, password-spraying, social engineering and the grabbing of credentials.
The consensus was that information within the modern enterprise perimeter could no longer be secured at a network level but instead must be secured at the resource level. This ensures that the information is protected no matter where the data is or how it is being used or accessed. For example, a document opened at a physical office could be opened securely on an employee’s phone or laptop from home.
Again, this is incredibly significant in today’s climate of remote working which has been expedited by the pandemic and will leave an everlasting impact on how companies operate moving forward.
How to address your data management infrastructure
We believe an organization can gain a significant competitive advantage by giving both its employees and customers a modern collaboration platform that’s easy to adopt and easy to use. However, this cannot be to the detriment of security and compliance.
We know this first-hand, as Horizon’s securities and trading software suite was built with a compliance-focused approach. In developing our trading platform technology, Open Order Book, we realized we would have to address the information management problem head-on.
We took careful consideration for the configuration and deployment of collaboration tools and security controls, including:
- Risk assessment of common organizational collaboration and business process scenarios
- Information protection and data governance requirements
- Cybersecurity and insider threats
- Regulatory compliance requirements
In doing this we realized the value our team of Wall Street and software pioneers with 25+ years of experience could add to other firms facing the same dilemma.
What we produced was Hosting Compliance, a risk-based data management and protection platform consisting of processes, procedures and cloud hosted products built to protect your firm’s sensitive data wherever it may go.
Our cloud-first infrastructure was constructed to meet and exceed the requirements of SEC and FINRA rules on information security. Further, our governance structure is based upon the National Institute of Standards and Technology (NIST) framework.
You could attempt to implement all of this yourself without disrupting your organization’s productivity, or your firm could bring in experts to integrate and manage this for your firm.
Either way, the protection of data, identities, devices and applications is not only critical to a businesses functionality, it’s required and heavily regulated to ensure your data management infrastructure is up to par.
We’ve seen how our data management infrastructure has thrived in these trying times, and are proud to say that our team has transitioned to remote working with no cost in productivity or reduced data protections. We would love to share what we’ve learned with your broker-dealer or financial institution.
To learn more, please visit https://hostingcompliance.com/. To request a demo or if you have any questions, please email us at email@example.com.
³ Verizon 2019 Data Breach Report
⁴ National Cyber Security Alliance
⁵ 2019 Report on FINRA Examination Findings and Observations