On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive "Report on Cybersecurity Practices" on the same day.
The National Exam Program Risk Alert, "Cybersecurity Examination Sweep Summary," summarizes the cybersecurity practices and policies of 57 registered broker-dealers and 49 registered investment advisers, based on examinations conducted by the SEC's Office of Compliance Inspections and Examinations ("OCIE"). CISOs and CIOs responsible for cybersecurity should review these findings: they highlight both best practices and areas ripe for improvement. It is reasonable to assume that both the SEC and FINRA will expect firms to review the findings and tailor their own internal assessments and practices accordingly. The findings also underscore that the simplest cyber-related scams (phishing, fraudulent e-mail requests, and the like) remain remarkably successful.
By way of background, on March 26, 2014, the SEC sponsored a Cybersecurity Roundtable, highlighting the role of cybersecurity in ensuring the integrity of the market system. On April 15, 2014, OCIE announced that it would conduct a series of examinations to "assess cybersecurity preparedness in the securities industry and to obtain information about the industry's recent experiences with certain types of cyber threats." As part of its examination, OCIE explained that it would focus on cybersecurity governance, identification and assessment of cybersecurity risks, protection of networks and information, risks associated with remote customer access and funds transfer requests, risks associated with vendors and third parties, detection of unauthorized activity, and experiences with certain cybersecurity threats. Although OCIE spent considerable time gathering information relating to practices and policies, it did not conduct any technical review of firms' cybersecurity related programs.
Unsurprisingly, the vast majority of broker-dealers (88%) and advisers (74%) reported having experienced a cyberattack of one kind or another, either directly or through a vendor. Among the most common were simple fraudulent e-mail scams, typically e-mails seeking to transfer client funds; more than a quarter of the broker-dealers that received such e-mails reported actual losses as a result. And although broker-dealers generally reported these events to the Financial Crimes Enforcement Network (FinCEN) through suspicious activity reports, very few reported them to law enforcement or other regulators.
There are a number of lessons to be gleaned from the SEC's Alert, including:
Takeaways: OCIE's examination says a lot about what the SEC and other regulatory bodies think should be emphasized in cybersecurity. Firms should consider themselves on notice of what is expected and where they should turn their attention. It is no longer enough to focus on the technical defenses of a firm's own network, such as encryption or cyber-threat intelligence sharing. Firms must also devote resources to the vulnerabilities that third-party vendors introduce into their networks, and improve security training of internal employees to ensure strict compliance with established security programs and identity authentication protocols, particularly for funds transfer requests.