
© 2018 Financial Industry Regulatory Authority, Inc. All rights reserved. 1

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity Thursday, February 22 10:00 a.m. – 11:00 a.m. Increased use of technologies such as mobile devices, social media and cloud computing has increased the risk posed by cyber criminals. As a result, in addition to other compliance matters, the CCO is now also responsible for assisting—and protecting—company information technology (IT) systems. During this session, panelists discuss the role CCOs can play in a firm’s cybersecurity program.

Moderator: Steven Polansky Senior Director FINRA Office of Reg Ops Shared Services Panelists: Jose Dominguez Chief Information Security Officer TD Ameritrade, Inc. Ann Grady Chief Compliance Officer Tastyworks, Inc. Ann McCague Managing Director and Global Head of Compliance Piper Jaffray & Co. Kyle Wootten Chief Compliance Officer of Operations, Finance and Technology Raymond James Financial


Chief Compliance Officer’s (CCO’s) Role in Cybersecurity

Panelist Bios:

Moderator: Steven Polansky is Senior Director in FINRA's Office of Shared Services. In this capacity, Mr. Polansky leads special national initiatives, including FINRA’s digital investment advice and earlier cybersecurity and conflicts of interest reviews, and special projects. In addition, he leads development of FINRA’s annual regulatory and examination priorities. Previously, Mr. Polansky worked in FINRA's International Department, where he was responsible for analyzing international regulatory developments and leading FINRA's relationships with select financial regulators in Europe and Asia as well as international financial institutions. In addition, Mr. Polansky led advisory projects in a number of jurisdictions related to, among other things, risk-based supervision, prudential oversight and market surveillance. Prior to joining FINRA, he was a management consultant with PricewaterhouseCoopers, and he served for seven years as a professional staff member on the Committee on Foreign Relations in the United States Senate. At the Committee, Mr. Polansky was responsible for advising the Chairman on funding for the Department of State and other foreign policy agencies, missile non-proliferation and international environmental issues. Mr. Polansky received his master of business administration in finance from The Wharton School at the University of Pennsylvania, his master of public administration from the Kennedy School of Government at Harvard University, and his bachelor's degree in history from Colgate University.

Panelists:

Jose Dominguez is Chief Information Security Officer at TD Ameritrade. He joined TD Ameritrade Holding Corporation (Nasdaq: AMTD) in 1997. He has been responsible for the development, maintenance and implementation of the enterprise security program and policies since 2013. Prior to his CISO role, Mr. Dominguez held various management positions within technology, leading Infrastructure and Application Development teams. Prior to joining TD Ameritrade, Mr. Dominguez spent 10 years with the brokerage firm Gruntal & Co. in various application development roles supporting front- and back-office functions. He currently sits on the SIFMA Board Subcommittee on Cybersecurity and is a member of the NJ CISO Summit Governing Body.

Ann C. McCague has served as Managing Director and Global Head of Compliance for Piper Jaffray Companies since 2005, where she is responsible for regulatory compliance at all group affiliates, including Piper Jaffray & Co., the U.S. broker/dealer and primary operating entity, two foreign broker/dealers and five separate registered investment advisors. Ms. McCague’s career path covers 35 years in the industry, including CCO positions at Dain Rauscher and Think Equity Partners, as well as prior senior compliance positions at national firms. Given her broad scope of knowledge and standing as a seasoned expert, she is a frequent conference panelist. Ms. McCague is or has been a member of numerous FINRA and SIFMA committees. Ms. McCague is a graduate of Augsburg College in Minneapolis, MN, where she earned a master’s degree in Leadership and an undergraduate degree in English, with a Communications minor.

Kyle Wootten is the Chief Compliance Officer of Operations, Finance and Technology for Raymond James Financial and a member of the RJF Compliance Executive Leadership Team. In this role, Mr. Wootten is responsible for providing strategic direction and management of the compliance framework for various areas that cross multiple functions and entities affiliated with RJF. Specifically, this includes compliance advice, oversight and testing for the Operations areas of the clearing firm, Raymond James & Associates (RJA), which includes oversight of RJA’s clearing and custodial businesses for unaffiliated introducing firms and registered investment advisers; the Financial, Regulatory Reporting and Treasury functions of the affiliated broker-dealers of RJF; and Information Technology, which includes management of the RJF Informational Governance Program. Mr. Wootten is a member of the 17a-5 Steering Committee, the Enterprise Information Technology Risk Board, the Stock Loan Committee for RJA and the Operational Risk Board. Prior to joining RJF, Mr. Wootten was the Deputy Director of Regulatory and Compliance for Thomson Reuters, where he supported the assessment and development of regulatory solutions for the BETA Systems, and worked closely with end-clients on a myriad of regulatory matters, primarily focused on the street-side settlement functions. For nearly 14 years prior to that, he served in various compliance and business roles at Wells Fargo Advisors, including the predecessor firms of Wachovia Securities and A.G. Edwards. During that time, Mr. Wootten held roles providing legal and compliance support to Capital Markets, Trading, Operations, Technology and Finance. Additionally, he managed the Regulatory Change Management function, and was a member of the leadership team of the Wells Fargo Regulatory Reform Program, managing the compliance and business analyst resources responsible for implementation of major regulatory initiatives at the firm. Mr. Wootten has an undergraduate degree in Economics and a law degree from Saint Louis University.

2018 Cybersecurity Conference, February 22 | New York, NY

Chief Compliance Officer’s (CCO’s) Role in Cybersecurity

FINRA Cybersecurity Conference | © 2018 FINRA. All rights reserved.

Panelists

Moderator: Steven Polansky, Senior Director, FINRA Office of Regulatory Operations / Shared Services

Panelists:
Jose Dominguez, Chief Information Security Officer, TD Ameritrade, Inc.
Ann Grady, Chief Compliance Officer, Tastyworks, Inc.
Ann McCague, Managing Director and Global Head of Compliance, Piper Jaffray & Co.
Kyle Wootten, Chief Compliance Officer of Operations, Finance and Technology, Raymond James Financial

To Access Polling

Under the “Schedule” icon on the home screen, select the day, choose the Chief Compliance Officer’s (CCO’s) Role in Cybersecurity session, and click on the polling icon.

Polling Question 1

1. Does your firm have a CISO?
a. Yes
b. No

Polling Question 2

2. Does your firm have a formal technology risk governance structure (i.e., a steering committee) to which important cybersecurity matters are escalated?
a. Yes
b. No

Polling Question 3

3. Are you directly involved in responding to FINRA or SEC cybersecurity-related examinations?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Polling Question 4

4. Does your firm have a cybersecurity incident response plan?
a. Yes
b. No

Polling Question 5

5. Does your firm conduct tabletop exercises to test that plan?
a. Yes
b. No

Polling Question 6

6. Are you directly involved in developing or implementing your firm’s response plan?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Response to Cybersecurity Threats – Where is the CCO?

• Members should create an incident response plan.
• The plan should identify all team members.
• The plan should address and inventory different types of threats.
• The plan should include a methodology for restoring compromised systems and/or data.
• The plan should include escalation procedures.
• The plan should include a methodology for communicating to clients, counterparties, regulators and law enforcement.

Polling Question 7

7. Does your firm’s training include a specific focus on staff cybersecurity responsibilities?
a. Yes
b. No

Polling Question 8

8. Does your firm use internally developed phishing or other tools designed to assess the efficacy of training?
a. Yes
b. No

Polling Question 9

9. Are you directly involved in the development or delivery of your firm’s cybersecurity training?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

Polling Question 10

10. Are you directly involved in the cybersecurity aspects of your firm’s vendor management program?
a. Yes, from a compliance perspective
b. Yes, from a technology perspective
c. Yes, from another perspective
d. No

FINRA Cybersecurity Conference: Highlights for Compliance Officers

February 22, 2018

FINRA’s Cybersecurity Risk Reviews: Where Does the CCO Role Lie in These Areas?

• Cybersecurity governance and risk management
• Cybersecurity risk assessments
• Technology governance
• System change management
• Technical controls
• Incident response planning
• Vendor management
• Data loss prevention
• Staff training
• Cyber intelligence and information sharing

Ann M. Grady, Feb. 22, 2018


CCO Role When a Cyber-Related Data Breach Occurs

• Who informs the CCO?
• Is the CCO part of the response team?
• Who decides whether regulators must be informed?
• Who decides which states or other authorities, customers, etc. need to be informed?

CCO or CISO? Staff Training Design

Firms should provide cybersecurity training that is tailored to staff needs and that helps staff understand the role they play in protecting the firm, its clients and its data. Training design includes:

• defining cybersecurity training needs and requirements;
• identifying appropriate cybersecurity training update cycles;
• delivering interactive training with audience participation to increase retention; and
• developing training around information from the firm’s loss incidents, risk assessment process and threat intelligence gathering.

CCO or CISO? Staff Training

Firms should provide cybersecurity training that is tailored to staff needs.

Effective practices for cybersecurity training include:

• Recognizing risks
• Social engineering schemes and phishing
• Handling confidential information
• Password protection
• Escalation policies
• Physical security
• Mobile security


Vendor Due Diligence – Where is the CCO Role?

It is important for firms to establish appropriate contractual language to govern vendor relationships. The provisions of the contract will govern the vendor’s obligations to the firm, as well as identify the firm’s prerogatives in relation to the vendor. The stringency of these clauses should be risk-based, with riskier vendor relationships requiring stronger language.

This includes:

• the manner in which the firm can conduct its ongoing oversight of the vendor;
• the conditions for terminating the relationship; and
• the vendor’s obligations to protect firm information in the event the relationship terminates.

CCO Panel, Feb. 22, 2018