Going for Brokerage: SEC Report Highlights Best (and Worst) Practices in Cybersecurity Preparedness

February.12.2015

On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive "Report on Cybersecurity Practices" on the same day.

The National Exam Program Risk Alert, "Cybersecurity Examination Sweep Summary" summarizes cybersecurity practices and policies of 57 registered broker-dealers, and 49 registered investment advisers based on examinations conducted by the SEC's Office of Compliance Inspections and Examinations ("OCIE"). These findings should be reviewed by CISOs and CIOs who have responsibility for cybersecurity protection because they highlight best practices and areas ripe for improvement. It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices to improve their cybersecurity posture, accordingly. They also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail scams, etc.) are still remarkably successful.

By way of background, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable, highlighting the role of cybersecurity in ensuring the integrity of the market system. On April 15, 2014, OCIE announced that it would conduct a series of examinations to "assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats." As part of its examination, OCIE explained that it would focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats. Although OCIE spent considerable time gathering information relating to practices and policies, it did not conduct any technical review of firms' cybersecurity related programs.

Unsurprisingly, the vast majority of broker-dealers (88%) and advisers (74%) reported having experienced a cyberattack of one kind or another. Among the most common were simple fraudulent e-mail scams, which were successful more than 25% of the time. And although broker-dealers generally reported these events to the Financial Crimes Enforcement Network (FinCEN), very few reported these cases to law enforcement.

There are a number of lessons to be gleaned from the SEC's Alert, including:

Surveyed broker-dealers and advisers frequently relied on external standards to model their information security architecture and processes, such as the NIST (National Institute of Standards and Technology).
While most firms conduct periodic firm-wide cybersecurity risk assessments, far fewer subject their vendors – a common point of entry for attackers – to similar scrutiny.
Many firms (particularly financial advisers) failed to require vendors to conduct adequate cybersecurity assessments by not incorporating security requirements into agreements with vendors.
Better-prepared firms made more extensive use of industry information-sharing networks, such as FS-ISAC (the "Financial Services Information Sharing and Analysis Center"), peers and conferences to identify best practices to improve their cybersecurity.
For firms that hold customer assets, it is important to define when the firm is responsible for a client's loss associated with a cyber incident, and to implement relevant policies and procedures in advance. These should be consistent with customer agreements.
Unsophisticated fraudulent e-mail scams continue to be a significant problem, and are successful largely because individual employees fail to follow established customer identity verification policies. It is not enough to implement strong policies and procedures – firms must continually educate, train and remind their employees not to deviate from them.
Firms' continued vigilance for insider threat actors appears to be successful, as evidenced by a relatively low incident rate of employee misconduct resulting in misappropriation of funds or securities.
About one-half of broker-dealers and one-fifth of advisers maintain insurance for losses caused by cybersecurity incidents, a measure that many firms may wish to consider.

Takeaways: OCIE's examination says a lot about what the SEC and other regulatory bodies think should be emphasized in cybersecurity. Firms should consider themselves on notice of what is expected, and where they should turn their attention. It is no longer enough to focus on improving the technical security defenses and measures of their own network through encryption or cyber-threat intelligence sharing. Firms must also spend resources to address cybersecurity vulnerabilities introduced into their network through third-party vendors, and improve security training of internal employees to ensure strict compliance with established security programs and identity authentication protocols.

Authors

Daniel Dunne Senior Counsel, White Collar, Investigations, Securities Litigation & Compliance, Complex Litigation & Dispute Resolution

Seattle

See my bio

D:+1 206 839 4395
E: [email protected]

Practice:

Finance Sector
Technology & Innovation Sector
White Collar, Investigations, Securities Litigation & Compliance
Complex Litigation & Dispute Resolution
Securities Litigation, Class Actions and Shareholder Derivative Lawsuits
Internal Investigations
Corporate Governance
Whistleblower & Corporate Investigations
Trials

vCard

See full bio

Daniel Dunne Senior Counsel

Seattle

Chambers USA observed Dan’s “enviable client roster includes major corporates and financial institutions, as well as company directors, officers and accountants. He is particularly active in securities-related litigation, with additional experience in shareholder disputes. Adept in the courtroom, has tried more than a dozen cases to verdict in state and federal courts.” One client characterized his cross examination of a Nobel-Laureate economist as simply “amazing.”

Dan has enjoyed considerable success in high-profile national matters with the finest law firms in the country from coast to coast, from the Delaware Court of Chancery to New York Supreme Court to the Washington Supreme Court, where he recently argued an issue of first impression under the Washington State Securities Act. Dan has active matters advising Washington’s most sophisticated legal clients with respect to securities and shareholder matters.

Dan has also been a key part of the winning Orrick team leading the defense of Credit Suisse in against an avalanche of litigation related to claims involving residential mortgage-backed securities (RMBS). Dan has acted as co-lead partner on a number of successful constitutional challenges to state and local taxes and legislation.

Aravind Swaminathan Partner, Cyber, Privacy & Data Innovation, Class Action Defense

Seattle; Boston

See my bio

Practice:

Finance Sector
Technology & Innovation Sector
Cyber, Privacy & Data Innovation
Class Action Defense
White Collar, Investigations, Securities Litigation & Compliance
Government Investigations and Enforcement Actions
Trials
Strategic Advisory & Government Enforcement (SAGE)

vCard

See full bio

Aravind Swaminathan Partner

Seattle; Boston

A leading cybersecurity and online safety authority, Aravind is recognized by Chambers USA in Privacy and Data Security in both Litigation and Incident Response. Clients describe him as “a very talented lawyer experienced with incident responses” and “incredibly responsive and technically savvy.”

Aravind’s deep knowledge of his clients’ business objectives and technological capabilities distinguishes him as a strategic advisor and frontline crisis responder. He advises some of the world’s leading online platforms, public and private financial institutions, tech companies, higher education institutions, and critical infrastructure providers on cybersecurity, and their obligations to monitor and remove harmful or illegal content online and root out instances of child exploitation.

He is adept at guiding companies through cybersecurity incidents, having directed more than 500 data breach investigations, including enterprise-wide network intrusions to cyberattacks with national security implications. Aravind defends clients in an array of cybersecurity and privacy class actions and regulatory enforcement actions brought by the SEC, FTC, NY DFS and State AGs, and also represents individual C-level executives in criminal and civil regulatory enforcement matters.

As a former assistant United States attorney, he investigated and prosecuted a broad array of cybercrime, child exploitation cases, digital crimes, and white-collar crime cases. This first-hand knowledge of federal agencies allows him to navigate the system, partner with investigators and find creative solutions for clients.

Aravind is a member of Orrick’s Board of Directors, and he devotes much of his free time to advising independent schools on AI, online safety, and cybersecurity, and teaching and coaching.