Both the Securities and Exchange Commission and the Financial Industry Regulatory Authority published observations of their review of cybersecurity practices at securities industry firms—on both the buy and sell sides. FINRA also identified principles and effective practices firms should consider to address cybersecurity threats.
The most dramatic observation is that 88 percent of all broker-dealers and 74 percent of all investment advisers reported already having sustained cyber-attacks directly or through one or more of their vendors, said the SEC. Most attacks were the result of malware and fraudulent emails.
According to the SEC, 54% of all broker-dealers and 43% of advisers specifically said they had received fraudulent emails to transfer customer funds. Where losses were sustained, 25% of the broker-dealers “noted that these losses were the result of employees not following the firms’ identity authentication process.”
Although a large majority of broker-dealers (72%) incorporated requirements related to cybersecurity into contracts with their vendors and business partners, only a small minority of advisers (24%) followed such practice.
Among the principal cybersecurity risks identified by FINRA members are the risk of hackers penetrating systems for account manipulation to destroy data; insiders or other authorized users abusing their access for personal purposes or to place time bombs or engage in other destructive activities; and non-nation states or terrorist groups entering systems to wreak havoc. According to FINRA,
[n]ot surprisingly, the ranking of threats varies by firm and by business model. For example, online brokerage firms and retail brokerages are more likely to rank the risk of hackers as their top priority risk. Firms that engage in algorithmic trading were more likely to rank insider risks more highly. Large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms.
Although FINRA acknowledged that “there is no one-size-fits-all approach to cybersecurity,” it identified a number of practices firms should consider to minimize threats. According to FINRA, firms should:
- maintain a cybersecurity governance framework that facilitates informed decision making and escalation to identify and manage cybersecurity risks;
- regularly try to identify cybersecurity risks associated with firm assets and vendors and ensure they are addressed on a priority basis;
- ensure that software and hardware that stores and processes data, as well as the data itself, is protected through adequate technical controls;
- maintain adequate policies and procedures, and identify the roles and responsibilities for escalating and responding to cybersecurity incidents;
- manage cybersecurity risk in connection with their vendor relationships using a risk-based approach;
- enhance intelligence gathering to help identify, detect and react to cybersecurity threats; and
- provide tailored cybersecurity training to staff.
Firms should also consider utilizing cyber-insurance to help mitigate the economic consequences of a cybersecurity breach.
FINRA cautions that, although cyber-threats pose the potential for significant damages, firms can protect themselves:
most successful attacks take advantage of fairly basic control weaknesses. While firms need to stay on guard, they can also take some comfort from this. To be sure, cybersecurity is challenging to address, but it is certainly not impossible. What is required is rigorous attention to detail and execution. Risk assessments can help firms identify and prioritize those steps that are most urgent to undertake. Information sharing can help firms understand the types of threats they may face and available mitigation measures.
The SEC’s survey was based on a review of over 100 broker-dealers and investment advisers, while FINRA’s study was based on a “select” cross-section of large investment banks, clearing firms, online brokerage firms, high-frequency traders and independent dealers. The SEC's survey was conducted by its Office of Compliance Inspections and Examinations.
Contemporaneously with their issue of industry findings, both the SEC and FINRA issued specific recommendations to investors to help them guard against cyber-breaches with their investment accounts.
(Click here for another perspective on this development in the article, “SEC and FINRA Issue Cybersecurity Publications,” in the February 6, 2015 edition of Corporate & Financial Weekly by Katten Muchin Rosenman LLP.)
Compliance Weeds: The SEC’s and FINRA's findings confirm that, regrettably, it is likely not a matter of if a cyber breach may occur, but when and how severe. Firms must continue their efforts to minimize the likelihood of cybersecurity breaches through maintenance of strong intelligence gathering, robust policies and procedures and governance, state-of-the-art technological defenses, ongoing monitoring, and employee training. Cybersecurity has been identified as a major item of focus by many regulators during their 2015 examination of registrants (Click here to access the article, “Cybersecurity, Potential Equity Order Routing Conflicts and AML Among the Top Examination Priorities for SEC in 2015,” in the January 12 to 16 and 19, 2015 edition of Bridging the Week.)