Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m.

Transcription

1 Chief Compliance Officer s (CCO s) Role in Cybersecurity Thursday, February 22 10:00 a.m. 11:00 a.m. Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for assisting and protecting company information technology (IT) systems. During this session, panelists discuss the role CCOs can play in a firm s cybersecurity program. Moderator: Steven Polansky Senior Director FINRA Office of Reg Ops Shared Services Panelists: Jose Dominguez Chief Information Security Officer TD Ameritrade, Inc. Ann Grady Chief Compliance Officer Tastyworks, Inc. Ann McCague Managing Director and Global Head of Compliance Piper Jaffray & Co. Kyle Wootten Chief Compliance Officer of Operations, Finance and Technology Raymond James Financial 2018 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

2 Chief Compliance Officer s (CCO s) Role in Cybersecurity Panelist Bios: Moderator: Steven Polansky is Senior Director in FINRA's Office of Shared Services. In this capacity, Mr. Polansky leads special national initiatives--including FINRA s digital investment advice and earlier cybersecurity and conflicts of interest reviews--and special projects. In addition, he leads development of FINRA s annual regulatory and examination priorities. Previously, Mr. Polansky worked in FINRA's International Department, where he was responsible for analyzing international regulatory developments and leading FINRA's relationships with select financial regulators in Europe and Asia as well as international financial institutions. In addition, Mr. Polansky led advisory projects in a number of jurisdictions related to, among other things, risk-based supervision, prudential oversight and market surveillance. Prior to joining FINRA, he was a management consultant with PricewaterhouseCoopers, and he served for seven years as a professional staff member on the Committee on Foreign Relations in the United States Senate. At the Committee, Mr. Polansky was responsible for advising the Chairman on funding for the Department of State and other foreign policy agencies, missile non-proliferation and international environmental issues. Mr. Polansky received his master of business administration in finance from The Wharton School at the University of Pennsylvania, his master of public administration from the Kennedy School of Government at Harvard University, and his bachelor degree in history from Colgate University. Panelists: Jose Dominguez is Chief Information Security Officer at TD Ameritrade. He joined TD Ameritrade Holding Corporation (Nasdaq: AMTD) in He has been responsible for the development, maintenance and implementation of the enterprise security program and policies since Previous to his CISO role, Mr. Dominguez was in various management positions within technology leading Infrastructure and Application Development teams. Prior to joining TD Ameritrade, Mr. Dominguez spent 10 years with the brokerage firm Gruntal & Co. in various application development roles supporting front and back-office functions. He currently sits on the SIFMA Board Subcommittee on Cybersecurity and is a member of the NJ CISO Summit Governing Body. Ann C. McCague has served as Managing Director and Global Head of Compliance for Piper Jaffray Companies since 2005, where she is responsible for regulatory compliance at all group affiliates, including Piper Jaffray & Co., the U.S. broker/dealer and primary operating entity, two foreign broker/dealers and five separate registered investment advisors. Ms. McCague s career path covers 35 years in the industry, including CCO positions at Dain Rauscher and Think Equity Partners, as well as prior senior compliance positions at national firms. Given her broad scope of knowledge and as seasoned expert, she is a frequent conference panelist. Ms. McCague is/has been a member of numerous FINRA and SIFMA committees. Ms. McCague is a graduate of Augsburg College in Minneapolis, MN, where she earned a master s degree in Leadership and an undergraduate degree in English, with a Communications minor. Kyle Wootten is the Chief Compliance Officer of Operations, Finance and Technology for Raymond James Financial and member of the RJF Compliance Executive Leadership Team. In this role, Mr. Wootten is responsible for providing strategic direction and management of the compliance framework for various areas that cross multiple functions and entities affiliated with RJF. Specifically, this includes the compliance advice, oversight and testing of the Operations areas of the clearing firm, Raymond James & Associates, which includes oversight of RJA s clearing and custodial businesses for unaffiliated introducing firms and registered investment advisers, the Financial, Regulatory Reporting and Treasury functions of the affiliated brokerdealers of RJF, and Information Technology, which includes management of the RJF Informational Governance Program. Mr. Wootten is a member of the 17a-5 Steering Committee, the Enterprise Information Technology Risk Board, the Stock Loan Committee for RJA and the Operational Risk Board. Prior to joining RJF, Mr. Wootten was the Deputy Director of Regulatory and Compliance for Thomson Reuters, where he supported the assessment and development of regulatory solutions for the BETA Systems, and worked closely with end-clients on a myriad of regulatory matters, primarily focused on the street-side settlement functions. For nearly 14 years prior to that, he served in various compliance and business roles at Wells Fargo Advisors, including the predecessor firms of Wachovia Securities and A.G. Edwards. During that time, Mr. Wootten held roles providing legal and compliance support to Capital Markets, Trading, and Operations, 2018 Financial Industry Regulatory Authority, Inc. All rights reserved. 2

3 Technology and Finance. Additionally, he managed the Regulatory Change Management function, and was a member of the leadership team of the Wells Fargo Regulatory Reform Program managing the compliance and business analyst resources responsible for implementation of major regulatory initiatives at the firm. Mr. Wootten has an undergraduate degree in Economics and law degree from Saint Louis University Financial Industry Regulatory Authority, Inc. All rights reserved. 3

4 2018 Cybersecurity Conference February 22 New York, NY Chief Compliance Officer s (CCO s) Role in Cybersecurity

5 Panelists Moderator Steven Polansky, Senior Director, FINRA Office of Regulatory Operations / Shared Services Panelists Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc. Ann Grady, Chief Compliance Officer, Tastyworks, Inc. Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co. Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial 1

6 To Access Polling Under the Schedule icon on the home screen, Select the day, Choose the Chief Compliance Officer s (CCO s) Role in Cybersecurity session, Click on the polling icon: 2

7 Polling Question 1 1. Does your firm have a CISO? a. Yes b. No 3

8 Polling Question 2 2. Does your firm have a formal technology risk governance structure (i.e., steering committee) to which important cybersecurity matters are escalated? a. Yes b. No 4

9 Polling Question 3 3. Are you directly involved in responding to FINRA or SEC cybersecurity-related examinations? a. Yes, from a compliance perspective b. Yes, from a technology perspective c. Yes, from another perspective d. No 5

10 Polling Question 4 4. Does your firm have a cybersecurity incident response plan? a. Yes b. No 6

11 Polling Question 5 5. Does your firm conduct table top exercises to test that plan? a. Yes b. No 7

12 Polling Question 6 6. Are you directly involved in developing or implementing your firm s response plan? a. Yes, from a compliance perspective b. Yes, from a technology perspective c. Yes, from another perspective d. No 8

13 Response to Cybersecurity Threats Where is the CCO? The plan should include a methodology for communicating to clients, counter-parties regulators and law enforcement Members should create an incident response plan The plan should identify all team members The plan should include escalation procedures The plan should include a methodology for restoring compromised systems and/or data The plan should address and inventory different types of threats 9

14 Polling Question 7 7. Does your firm s training include a specific focus on staff cybersecurity responsibilities? a. Yes b. No 10

15 Polling Question 8 8. Does your firm use internally developed phishing or other tools designed to assess the efficacy of training? a. Yes b. No 11

16 Polling Question 9 9. Are you directly involved in the development or delivery of your firm s cybersecurity training: a. Yes, from a compliance perspective b. Yes, from a technology perspective c. Yes, from another perspective d. No 12

17 Polling Question Are you directly involved in the cybersecurity aspects of your firm s vendor management program? a. Yes, from a compliance perspective b. Yes, from a technology perspective c. Yes, from another perspective d. No 13

18 FINRA Cybersecurity Conference: Highlights for Compliance Officers February 22, 2018

19 FINRA s Cybersecurity Risk Reviews? Where does the CCO Role Lie In These Areas? Cybersecurity governance and risk management Cybersecurity Risk assessments Technology governance System change management Technical controls Incident Response Planning Vendor management Data loss prevention Staff training Cyber Intelligence & Information Sharing Ann M. Grady, Feb. 22,

20 CCO Role When A Cyber-Related data breach occurs Who Informs the CCO? Is the CCO Part of the Response Team? Who decides whether regulators must be informed? Who decides which States or other authorities, customers,..need to be informed? Ann M. Grady, Feb. 22, 2018

21 CCO or CISO? Staff Training Design Firms should provide cybersecurity training that is tailored to staff needs and that helps them to relate to the importance they play in protecting the firm, its clients and its data. defining cybersecurity training needs requirements; identifying appropriate cybersecurity training update cycles; delivering interactive training with audience participation to increase retention; and developing training around information from the firm s loss incidents, risk assessment process and threat intelligence gathering. Ann M. Grady, Feb. 22,

22 CCO or CISO? Staff Training Firms should provide cybersecurity training that is tailored to staff needs. Effective practices for cybersecurity training include: Recognizing Risks Social Engineering Schemes and Phishing Handling Confidential Information Password Protection Escalation Policies Physical Security Mobile Security Ann M. Grady, Feb. 22,

23 Response to Cybersecurity Threats Where is the CCO? Members should create an incident response plan The plan should include a methodology for communicating to clients, counter-parties regulators and law enforcement The plan should identify all team members The plan should include escalation procedures The plan should address and inventory different types of threats The plan should include a methodology for restoring compromised systems and/or data I 6

24 Vendor Due Diligence Where is the CCO Role? it is important for firms to establish appropriate contractual language to govern vendor relationships. The provisions of the contract will govern the vendor s obligation to the firm, as well as identify the firm s prerogatives in relation to the vendor. The stringency of these clauses should be risk-based with riskier vendor relationships requiring stronger language. This includes: manner in which the firm can conduct its ongoing oversight of the vendor, the conditions for terminating the relationship, the vendor s obligations to protect firm information in the event the relationship terminates. CCO Panel, Feb. 22,