In the wake of recent cybersecurity breaches, the SEC and FINRA simultaneously issued reports this week to the securities industry summarizing cybersecurity examination findings and to investors recommending certain precautions to safeguard online investment information.
In its Risk Alert – Cybersecurity Examination Sweep Summary, the SEC describes the results from examinations of more than 100 broker-dealers and investment advisors, the relative split between the two being unspecified. Nevertheless, the findings reveal that the vast majority of broker-dealers and investment advisors have made cybersecurity a priority and implemented appropriate cybersecurity policies and programs. The findings also suggest that broker-dealers have more thorough cybersecurity policies and programs in place than investment advisors.
The SEC’s more notable findings include:
- At least 88 percent of broker-dealers and 74 percent of investment advisors have been the target of cyberattacks. While the exact nature or severity of these attacks is unclear, the report indicates that no single loss exceeded $75,000 and these attacks were primarily in the areas of malware and fraudulent emails seeking to transfer client funds;
- 93 percent of broker-dealers and 83 percent of investment advisors have adopted written information security policies;
- 57 percent of investment advisors conduct periodic audits to determine compliance with these procedures; and
- The vast majority of broker-dealers (93 percent) and investment advisors (79 percent) conduct periodic risk assessments to identify cyber threats and vulnerabilities.
In its Report on Cybersecurity Practices, FINRA summarizes the findings from its 2014 cybersecurity examination sweep, which focused on the cyber threats faced by firms, areas of vulnerability and the various approaches firms use to combat such threats. In its report, FINRA emphasizes that it will continue to review firms’ approaches to cybersecurity risk management during 2015 routine examinations.
FINRA identified the top three cyber threats as:
- Hackers penetrating firm systems;
- Insiders compromising firm or client data; and
- Operational risks.
The report indicates that FINRA expects firms to consider the principles and effective practices presented in the report as they develop or enhance their cybersecurity programs. Those principles include:
- Dedication to cybersecurity from firms’ upper management and executives;
- Development and implementation of risk assessment and cyber threat response plans;
- Maintaining a well-trained staff to identify, prevent and combat cyber threats; and
- Collaborating with other firms to share intelligence regarding cyber threats.
The SEC and FINRA also issued reports this week to investors to inform them about common-sense techniques to safeguard the security of private online information and how to become better informed about investment firms’ cybersecurity policies. The SEC’s piece, Protecting Your Online Brokerage Accounts from Fraud, suggests that investors can better protect the security of their information by doing such things as using “strong” passwords (rather than weak ones) and being “extra careful before clicking on links sent to you.” Similarly, FINRA, in Cybersecurity and Your Brokerage Firm, encourages investors to understand their firms’ cybersecurity policies by getting answers to a series of canned questions.
Although the information delivered to investors may be short of groundbreaking, the reports to the securities industry are a reminder that regulators take cybersecurity very seriously and it will undoubtedly be a future focus of regulatory efforts, likely including enforcement actions. But perhaps a relevant question is whether firms need the reminder, or perhaps even further regulation in this area. Every securities firm – indeed, every business – knows that a cybersecurity breach will be a nightmare. This is especially true in the securities industry where maintaining and preserving customer privacy and secrecy are essential elements of the relationship with every client. This is one area where every firm that wants to remain in business will take all reasonable steps possible to stay at least one step ahead of potential cyberattacks. If there is a material breakdown in this area, the firms will have a lot more to worry about than the related regulatory issue.