Why it matters

Joining a growing chorus of regulators, the Securities and Exchange Commission (SEC) released two publications addressing cybersecurity: a Risk Alert based on observations from the Office of Compliance Inspections and Examinations (OCIE) of registered broker-dealers and advisers and an accompanying Investor Bulletin. The Risk Alert detailed how the examined firms handled a host of cybersecurity-related issues from policies, procedures, and oversight processes to whether they had been victims of a cyberattack. The Investor Bulletin offered suggestions on how to safeguard online investment accounts (such as picking a “strong” password and always using caution on public networks and wireless connections). The agency, which examined a cross-section of the industry for the Alert, hoped that its findings will prove beneficial to other firms. “Cybersecurity threats know no boundaries,” SEC Chair Mary Jo White said in a statement about the publications. “That’s why assessing the readiness of market participants and providing investors with information on how to better protect their online investment accounts from cyber threats has been and will continue to be an important focus of the SEC.”

Detailed discussion

In April 2014, the SEC announced a Cybersecurity Examination Initiative. Members of the OCIE examined a total of 57 registered broker-dealers and 49 registered investment advisers, selected to provide “perspectives from a cross-section of the financial services industry and to assess various firms’ vulnerability to cyber-attacks,” the SEC said.

The interviews and data collection of the selected firms focused on a range of issues related to cybersecurity. In the hopes of providing insight for the industry, the OCIE published the finding in the “Cybersecurity Examination Sweep Summary.”

According to the Risk Alert, 93 percent of broker-dealers and 83 percent of advisers have adopted written information security policies, and the majority of both groups conduct periodic audits to determine compliance with such policies. The plans themselves typically address the impact of cyberattacks or intrusions, but only a small minority (30 percent of broker-dealers and 13 percent of advisers) include provisions on how the firms determine whether they are responsible for client losses associated with cyber incidents.

Periodic risk assessments on a firmwide basis occur at the vast majority of the examined entities, although the Risk Alert noted that fewer firms (just 32 percent of the advisers) require cybersecurity risk assessments of their vendors.

A large percentage of both broker-dealers (88 percent) and advisers (74 percent) reported that they had been the subject of a cyber-related incident, either directly or through a vendor. Malware and fraudulent e-mails were the most common types of incidents. For broker-dealers, the incidents were relatively inexpensive, with no single loss in excess of $75,000 and only 26 percent reporting losses of more than $5,000. One adviser experienced a loss over $75,000 as a result of a fraudulent e-mail, the Alert noted, for which the client was made whole.

While almost two-thirds of the broker-dealers that received fraudulent e-mails reported them to the Financial Crimes Enforcement Network (FinCEN) by filing a Suspicious Activity Report, just 7 percent of those firms also reported the e-mails to other regulatory agencies or law enforcement.

More than 90 percent of all firms examined conduct firmwide inventorying, cataloguing, or mapping of technology resources, and almost all of them (98 percent of broker-dealers and 91 percent of advisers) reported using encryption in some form.

When dealing with vendors, however, the Risk Alert noted “varying findings.” Most of the broker-dealers (72 percent) said they incorporated requirements relating to cybersecurity risk into contracts with vendors and business partners while just 24 percent of advisers answered similarly. Even lower numbers—51 percent and 13 percent—told the OCIE they maintain policies and procedures related to information security training for vendors and business partners authorized to access their networks.

Many of the broker-dealers identified the Financial Services Information Sharing and Analysis Center (FS-ISAC) as a means of information sharing with regard to cybersecurity issues.

The question of cybersecurity insurance received mixed answers from the examined firms. More than half of the broker-dealers (58 percent) maintain insurance for cybersecurity incidents while only 21 percent of advisers do. Of the firms that reported the use of such insurance, just one in each category reported they had filed claims.

Noting that the agency is continuing to review the information collected during the cybersecurity examinations “to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics,” the SEC reminded the industry that the OCIE “will continue to focus on cybersecurity using risk-based examinations.”

The accompanying Investor Bulletin made suggestions for investors on how to safeguard online investment accounts, such as picking a “strong” password, using two-step verification when possible, avoid clicking on questionable links, and always using caution when on public networks and wireless connections.

Checking statements for discrepancies or inaccurate information is also important, the SEC said, and if an investor finds any mistakes or unauthorized transactions, he or she should contact his or her brokerage firm in writing immediately.

To read the SEC’s Risk Alert, click here.

To read the Investor Bulletin, click here.