On 3 February 2015, the Securities and Exchange Commission (the "SEC") and the Financial Industry Regulatory Authority ("FINRA") both issued cybersecurity reports to the US securities industry. The SEC is the US Federal Government's securities regulatory agency, while FINRA is a private company that acts as a self-regulatory organisation for US securities firms. The publications highlight the increased US regulatory focus in this area.
The SEC's Risk Alert summarises the SEC's findings following its examination of 57 broker-dealers' and 49 investment advisers' controls regarding cybersecurity preparedness. Notable statistics from the firms examined include:
- 88% of broker-dealers and 74% of investment advisers have experienced cyberattacks, either directly or through one of their vendors. The majority of the cyberattacks involved the use of malware and fraudulent emails, but no single loss exceeded $75,000;
- 93% of broker-dealers and 83% of investment advisers have written information security policies in place; of those, 89% of broker-dealers and 57% of investment advisers periodically audit policy compliance;
- 58% of broker-dealers and 21% of investment advisers maintain cybersecurity insurance; however, only one broker-dealer and one investment adviser reported that they had filed claims; and
- Only 15% of broker-dealers and 9% of investment advisers offer security guarantees to protect their clients against cyber-related loss.
The FINRA report summarises findings from its 2014 examination of broker-dealers' cybersecurity. The report is intended to assist firms in responding to cyber threats and outlines cybersecurity best practices, which FINRA envisages firms will adopt, such as:
- Senior management playing a leadership role in their firm's cybersecurity efforts;
- The development, implementation and testing of incident response plans;
- Staff training in identifying, preventing and combating cyber threats;
- Firm collaboration to share intelligence in relation to cyber threats; and
- The evaluation of cyber insurance as a way to transfer some risk as part of their risk management processes.
In addition to the two reports noted above, the SEC and FINRA also each issued investor guidance containing common-sense techniques to protect the security of private online information.