On 3 February 2015, the U.S. Securities and Exchange Commission ("SEC") released two publications addressing the legal, regulatory and compliance issues associated with cybersecurity at brokerage and advisory firms, and offering investors suggestions on how to protect their online investment accounts from cyber threats. The first publication, released by the Office of Compliance Inspections and Examinations, summarizes its findings from an examination of the practices of broker-dealers and investment advisers relating to:
- Identifying cybersecurity risks;
- Establishing and adopting cybersecurity governance, including policies, procedures, and oversight processes;
- Safeguarding firm networks and information;
- Identifying and addressing risks associated with remote access to client information, funds transfer requests, third-party vendors and other third parties; and
- Detecting unauthorized activity.
The publication notes that the vast majority of the firms examined reported having been the subject of a cyber-related incident (e.g. receiving fraudulent emails seeking to transfer client funds), and that more than a quarter of the broker-dealers reported losses exceeding $5,000 related to such incidents.
The second publication sets out key common-sense techniques to help investors safeguard their online brokerage and investment accounts from fraud.
FINRA report and best practice recommendations
In addition, the Financial Industry Regulatory Authority ("FINRA") issued a report presenting a risk-management-based approach to addressing cybersecurity threats.
The FINRA report identifies key principles and outlines effective practices for firms to consider in order to improve their response to cyber threats, while recognizing that there is no "one-size-fits-all" approach to cybersecurity. These principles include:
- Governance and risk management for cybersecurity - firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization, in order to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures, coupled with controls tailored to the nature of the cybersecurity risks the firm faces and the resources available to it;
- Cybersecurity risk assessment - firms should conduct regular assessments to identify cybersecurity risks associated with the firm’s assets and vendors and prioritize their remediation;
- Technical controls - firms should implement technical controls to protect the firm's software and hardware that store and process data, as well as the data itself;
- Incident response planning - firms should establish policies and procedures, as well as roles and responsibilities for escalating and responding to cybersecurity incidents;
- Vendor management - firms should manage cybersecurity risk that can arise across the lifecycle of vendor relationships, using a risk-based approach to vendor management;
- Staff training - firms should provide cybersecurity training that is tailored to staff needs;
- Cyber intelligence and information sharing - firms should use cyber threat intelligence to improve their ability to identify, detect and respond to cybersecurity threats; and
- Cyber insurance - firms should evaluate the utility of cyber insurance as a way to transfer some risk as part of their risk management processes.
These recent reports reflect growing concern about the rapidly evolving nature and pervasiveness of cyberattacks in the financial sector, particularly at broker-dealer firms, arising from the interplay of several factors that drive firms' exposure to cybersecurity threats (including advances in technology, changes in firms' business models, and changes in how firms and their customers use technology). Although aimed at large investment banks, clearing firms, online brokerages, high-frequency traders and independent dealers, the reports contain important insights and best practices for the industry at large.