Going for Brokerage: SEC Report Highlights Best (and Worst) Practices in Cybersecurity Preparedness


February.12.2015

On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts.  FINRA issued a similar, more extensive "Report on Cybersecurity Practices" on the same day. 

The National Exam Program Risk Alert, "Cybersecurity Examination Sweep Summary" summarizes cybersecurity practices and policies of 57 registered broker-dealers, and 49 registered investment advisers based on examinations conducted by the SEC's Office of Compliance Inspections and Examinations ("OCIE").  These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement.  It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture, accordingly.  They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.
 
By way of background, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable, highlighting the role of cybersecurity in ensuring the integrity of the market system.  On April 15, 2014, OCIE announced that it would conduct a series of examinations to "assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats."  As part of its examination, OCIE explained that it would focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats.  Although OCIE spent considerable time gathering information relating to practices and policies, it did not conduct any technical review of firms' cybersecurity related programs.
 
Unsurprisingly, the vast majority of broker-dealers (88%) and advisers (74%) reported having experienced a cyberattack of one kind or another.  Among the most common were simple fraudulent e-mail scams, which were successful more than 25% of the time.  And although broker-dealers generally reported these events to the Financial Crimes Enforcement Network (FinCEN), very few reported these cases to law enforcement.
 
There are a number of lessons to be gleaned from the SEC's Alert, including:

  • Surveyed broker-dealers and advisers frequently relied on external standards to model their information security architecture and processes, such as the NIST (National Institute of Standards and Technology). 
  • While most firms conduct periodic firm-wide cybersecurity risk assessments, far fewer subject their vendors – a common point of entry for attackers – to similar scrutiny. 
  • Many firms (particularly financial advisers) failed to require vendors to conduct adequate cybersecurity assessments by not incorporating security requirements into agreements with vendors. 
  • Better-prepared firms made more extensive use of industry information-sharing networks, such as FS-ISAC (the "Financial Services Information Sharing and Analysis Center"), peers and conferences to identify best practices to improve their cybersecurity.
  • For firms that hold customer assets, it is important to define when the firm is responsible for a client's loss associated with a cyber incident, and to implement relevant policies and procedures in advance.  These should be consistent with customer agreements.
  • Unsophisticated fraudulent e-mail scams continue to be a significant problem, and are successful largely because individual employees fail to follow established customer identity verification policies.  It is not enough to implement strong policies and procedures – firms must continually educate, train and remind their employees not to deviate from them.
  • Firms' continued vigilance for insider threat actors appears to be successful, as evidenced by a relatively low incident rate of employee misconduct resulting in misappropriation of funds or securities.
  • About one-half of broker-dealers and one-fifth of advisers maintain insurance for losses caused by cybersecurity incidents, a measure that many firms may wish to consider.

Takeaways:  OCIE's examination says a lot about what the SEC and other regulatory bodies think should be emphasized in cybersecurity.  Firms should consider themselves on notice of what is expected, and where they should turn their attention.  It is no longer enough to focus on improving the technical security defenses and measures of their own network through encryption or cyber-threat intelligence sharing.  Firms must also spend resources to address cybersecurity vulnerabilities introduced into their network through third-party vendors, and improve security training of internal employees to ensure strict compliance with established security programs and identity authentication protocols.