The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees, and hackers penetrating BD systems, Daniel Sibears of the Financial Industry Regulatory Authority said Wednesday at the Securities and Exchange Commission’s cybersecurity roundtable.
Sibears, executive vice president of regulatory operations and shared services at FINRA, said those three key BD threats were found in FINRA’s recently launched cybersecurity exam sweep of BDs. “We have just started to get the results in of the sweep,” Sibears said, stressing that only a cross section of BDs had been analyzed and results were preliminary.
Indeed, for advisory firms large and small, “account takeover is the No. 1 risk” when it comes to cybersecurity, added David Tittsworth, executive director of the Investment Adviser Association in Washington.
Account takeovers have “grown in frequency in the last year or two,” Tittsworth said, and involve taking someone’s ID and having a firm transfer a client’s money to outside accounts, often outside the United States.
Sibears noted that the BD cybersecurity sweep also showed that beyond the top three threats mentioned above, BDs are also concerned about “phishing attacks” where customer information is misappropriated, trades are made and money is transferred out of a client’s account.
Another risk BDs noted is malware, Sibears said.
John Denning, senior vice president of operational policy integration, development and strategy at Bank of America/Merrill Lynch, who sat on the panel with Tittsworth and Sibears to explore cybersecurity challenges for BDs and advisors, said that “firms must have robust information sharing systems” with law enforcement and regulators. “It’s the only way we’re going to be able to reduce risk to the sector, to start the information sharing.”
As for best practices, Craig Thomas, chief information security officer at Computershare, said that firms must “believe that you are going to get attacked; you have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Should the SEC Do?
The “SEC should provide principles-based guidance due to the constantly changing landscape,” said Marcus Prendergast, director and corporate information security officer of ITG.
Sibears added that it was likely FINRA would “push out some effective practices,” but whether guidance would be rules-based or principles-based, he “can’t say.”
However, he said, “we recognized this is a rapidly changing environment, so there has to be a component that allows the industry to adapt.”
Tittsworth said industry officials that he has spoken to urge the SEC to “please resist the urge to impose rigid requirements.” However, “gathering information can be very helpful.”
Indeed, Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted during the first panel at the roundtable that while the financial services industry is likely the “most advanced in terms of thinking about cybersecurity” as they have “become technology firms,” financial services firms should exert a constant effort “to stay ahead” of potential cybersecurity threats. “You can never say you are completely prepared,” he said.
Larry Zelvin, director of the National Cybersecurity and Communications Integration Center at the U.S. Department of Homeland Security, added that “finance wins the cybersecurity threat award.” The financial sector, he said, is a “massive target because you are where the money is and you also represent our nation.” Those who want to perform a cyberattack in the finance sector are “looking for an opening every day,” are “getting creative” and are multiplying quickly.
SEC Commissioner Luis Aguilar said that the commission should establish a cybersecurity task force, with members from each division.
Both the SEC and the Financial Industry Regulatory Authority listed cybersecurity as one of their top exam issues for this year. FINRA issued in early February its targeted exam letter to firms stating that the self-regulator was assessing how firms manage cybersecurity threats.
The House Committee on Homeland Security unanimously approved in early February H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013.
The bill was sent to the full House for consideration.
The committee said in a statement that the Act “addresses the cyber threat by giving the Department of Homeland Security (DHS) the tools to secure our nation in cyberspace, while protecting privacy and civil liberties and prohibiting any new regulations at DHS.”
The bill codifies several cybersecurity efforts already in progress; beefs up others, like the National Cybersecurity and Communications Integration Center; and focuses on partnerships with the private sector. It is intended to be budget neutral.
Jane Jarcho, National Associate Director of OCIE’s National Exam Program, told chief compliance officers in late January that OCIE’s exams will include assessing firms’ cybersecurity policies — and noted in early March that small firms won’t get a “pass” on being required to have such policies. “In today’s world, everybody has to be concerned about cybersecurity,” Jarcho said.
Actual exams in this area haven’t commenced yet, she said, estimating that this would likely start in the fall. “Firms aren’t supposed to follow any cybersecurity policies per se,” she said.
She added that the agency is currently reviewing as a potential guide the cybersecurity framework issued in early February by the National Institute of Standards and Technology.
Check out FINRA Plans Cybersecurity Exam Sweep on ThinkAdvisor.