SEC staff have been conducting sweep examinations of over a hundred registered investment advisers and broker-dealers to test the preparedness and practices of these firms against cyber-security attacks. What they found convinced the SEC to issue a Risk Alert through its Office of Compliance Inspections and Examinations (OCIE).
The Risk Alert summarizes the findings of the examinations for the general public. Staff questioned 49 registered investment advisers and 57 registered broker-dealers about their cyber-security governance, policies, risk management, handling of third-party and service-provider risks, and ability to detect unauthorized activity. They were also asked how they manage the risks associated with remote access to client information and client fund transfers.
The intention was to establish how prepared these firms were to face cyber-security risks and to protect their clients’ money and information from attacks.
- 74% of investment advisers and 88% of broker-dealers reported having experienced cyber-attacks in the past. They stated that these attacks were usually the result of malware or fraudulent emails. Sometimes the attacks were direct and sometimes they came through vendors the firm used.
- 83% of investment advisers and 93% of broker-dealers have adopted written information security policies. However, only a small number of investment advisers and broker-dealers (13% and 30% respectively) include provisions about whether the firm is responsible for losses to clients due to cyber-attacks.
- Only 9% of advisers and 15% of broker-dealers protect their clients against such attacks by offering security guarantees to them in the written policy statement.
- Some form of data encryption is used by almost all investment advisers and broker-dealers in their firms.
- 58% of broker-dealers maintain insurance that covers losses that may arise due to cyber-attacks, but only one in five investment advisers do the same.
- Eight out of ten broker-dealers require an assessment of vendors’ cyber-security risks before giving them access to the firm’s networks, but only 32% of investment advisers have similar requirements for the vendors they work with. Vendor contracts include cyber-security requirements in a majority of broker-dealer contracts (74%) and a minority of adviser contracts (24%).
- Cyber-security policies are decided by a majority of broker-dealers and advisers based on firm-wide assessments of cyber risks, weaknesses and potential consequences of attacks.
This Risk Alert published by the OCIE focused more on the existence of controls than on their quality in defending against cyber-attacks. Cyber-security preparedness was also named a priority in the OCIE’s 2014 examinations.
FINRA published the results of its own cyber-security examination as well. The exam was conducted on broker-dealers and was focused on understanding the threats these firms are exposed to, their level of preparedness or understanding of vulnerabilities and their procedures and policies for managing the threats.
The report published by FINRA includes individual case studies to establish the ‘threat landscape’ faced by broker-dealers in the sector. According to the report, broker-dealers face a number of threats, including hackers trying to penetrate the firm’s systems and compromise client or firm data.
FINRA Recommendations to Mitigate Risks:
- Board-level and senior-level management in a firm must engage in dealing with cyber-security issues. Firms need effective governance and leadership to establish protections against these threats.
- Asset vulnerabilities, as well as external and internal threats, must be comprehensively assessed by the firms to understand the risks they are up against.
- Technical controls must be used to protect the firm’s hardware and software from potential attacks. These controls can include access and identity management, penetration testing and data encryption.
- Staff must be assigned roles for responding to cyber-security incidents in the firm. Staff must be given training that can reduce the chances of such incidents; the risk assessment process, intelligence gathering and past loss incidents must be highlighted in that training. Response plans must be fully developed, implemented and tested by the firm.
- When dealing with vendors who have access to the firm’s systems and data, strong due diligence must be incorporated throughout the lifecycle of the arrangement.
- The industry can be protected from such threats if firms collaborate through intelligence sharing opportunities.
FINRA and the SEC have both highlighted the growing cyber-security threats faced by the industry in their reports and recommendations. The rapid increase in such attacks and the fast-paced development of attackers’ technical abilities have become a cause for concern.
The two regulatory bodies have established that, despite the efforts of broker-dealers and investment advisers, there is still a long way to go before their systems are fully secure. But with proper procedures and policies, firms can significantly reduce this risk for themselves and their clients.
About the Author: Andrew May is a FINRA arbitration attorney and the founding member of Chicago boutique financial firm May Law. He is also a frequent guest blogger on a variety of business and finance blogs and enjoys sharing his expertise with investors and entrepreneurs.