The SEC has declared cybersecurity to be an examination priority for financial institutions (i.e., broker-dealers, investment advisers, and registered investment companies) in each of the past four years.[1] While the SEC’s comments in these examination priority releases are helpful for financial institutions, we believe that the SEC may have provided more useful guidance concerning cybersecurity practices through investor bulletins designed to help investors avoid online fraud.[2] This guidance reveals helpful insights into the SEC’s evolving approach to cybersecurity. Accordingly, based on the SEC’s most recently issued guidance to investors, we identify six ways financial institutions could improve their cybersecurity policies and procedures below.[3]
1. Passwords. The SEC has recommended that investors choose a strong password (e., one that includes symbols, numbers, and both capital and lowercase letters) for online access, keep their password secure, and change it regularly.[4] Consistent with this recommendation, financial institutions may want to consider requiring clients to choose strong passwords and change them regularly.
2. Biometric Safeguards. The SEC has recommended that investors contact their financial institutions to determine whether they offer biometric safeguards (g., fingerprinting, facial and voice recognition, and retina scans) for mobile device access.[5] Although biometric safeguards are not currently a standard security feature, financial institutions may want to consider ways they can add biometric safeguards as a feature of mobile device access for their clients.
3. Public Computers. The SEC has recommended that investors avoid using public computers to access investment accounts.[6] When an investor does use a public computer, the SEC recommends investors take the following precautions: disable password saving; delete files, caches, and cookies; and log out of accounts completely when finished.[7] Financial institutions could help investors follow the SEC’s helpful, but often forgotten, advice by, for example, requiring them to proactively check a box to enable password saving on each new device and automatically logging users out of their online accounts after relatively short periods of inactivity.
4. Secure Websites. The SEC has recommended that investors not log in to an account unless the relevant financial institution’s website has a secure “https” address.[8] Many financial institutions have a secure website already, but those that do not may want to consider implementing one.
5. Links. The SEC has recommended that clients never click on links sent to them by financial institutions with which they do not have a relationship, and to confirm the legitimacy of links sent to them by their financial institutions by calling or emailing the purported sender.[9] In response to this advice, financial institutions may want to use links judiciously, and ensure that those who will receive calls and emails from clients know what links have been sent to which clients and under what circumstances. Without such knowledge, financial institution employees may be unable to confirm or deny the legitimacy of the link, undermining client confidence in the financial institution’s cybersecurity policies and procedures.
6. Review Account Statements. The SEC has recommended that investors regularly review statements and trade confirmations for suspicious activity and contact their financial institution with a written complaint if there is suspicious activity.[10] In response, financial institutions may want to evaluate their security procedures with respect to redemptions and distributions. Adopting reliable technological innovations can help prevent suspicious activity and create a business advantage (g., using biometric safeguards or two-factor authentication may be more reliable and less time-consuming than requiring signature guarantees).
[1] SEC, Examination Priorities for 2014 (Jan. 9, 2014), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2014.pdf; SEC, Examination Priorities for 2015 (Jan. 13, 2015), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2015.pdf; SEC, Examination Priorities for 2016 (Jan. 11, 2016), available at http://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2016.pdf; SEC, Examination Priorities for 2017 (Jan. 12, 2017), available at https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf.
[2] SEC, Cybersecurity, the SEC and You (last visited July 25, 2017), available at https://www.sec.gov/spotlight/cybersecurity (containing a library of resources of both investors and securities industry professionals related to cybersecurity).
[3] SEC, Updated Investor Bulletin: Protecting Your Online Investment Accounts from Fraud (April 26, 2017), available at https://investor.gov/additional-resources/news-alerts/alerts-bulletins/updated-investor-bulletin-protecting-your-online.
[4] Id.
[5] Id.
[6] Id.
[7] Id.
[8] Id.
[9] Id.
[10] Id.