The SEC and FINRA each issued February 3 cyber security “alerts” summarizing last year’s sweep exams and pointing out the obvious. In two parts, the SEC’s press-release covered the results of the Commission’s 2013-2014 sweep exams and an investor bulletin. SEC Press Release 2015-20, here.

The Commission’s Office of Compliance Inspections and Examinations (“OCIE”) conducted a “sweep exam” – or wide industry survey on the subject among broker-dealers and investment advisers– during 2013 and 2014. The good news is that a wide majority of them have information security policies in place, usually as part of their business continuity plans (“BCP”), based upon recognized industry standards for data-security including encryption and other protections, and engage in periodic risk assessment and testing. In fact, industry-group Securities Industry and Financial Markets Association (“SIFMA”) has conducted two years of “Quantum Dawn” exercises simulating multi-day systemic cyber-attacks in a closed-loop environment to test industry preparedness and response and to inform best practices. See description here and SIFMA offers considerable resources for member firms, here.

The bad news is that most industry respondents report having faced cyber security attacks, ranging from amateurish email scams (“send me my money” phishing or spoofing) to sophisticated network hacks. The greatest observed risk reported is back-door vulnerability through vendors and other providers of whom the industry does not always require downstream compliance.

OCIE’s sweep summary is NSEC National Exam Risk Alert, v. IV, no. 4 (Feb. 3, 2014), here.

FINRA issued its slightly-longer, substantively similar report on its own parallel sweep the same day: “Report on Cybersecurity Practices,” here.

The SEC’s Investor Bulletin was prosaic – but perhaps necessarily so. Its highlights include by-now well-worn tips like:

  • Use “strong” passwords, changed regularly
  • Set up two-step verification
  • Don’t use the same password across multiple accounts
  • Avoid public computers , wireless or other open networks
  • Read your statements.

The Investor Bulletin is here.

FINRA’s parallel alert is here.