The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees, and hackers penetrating BD systems, Daniel Sibears of the Financial Industry Regulatory Authority said Wednesday at the Securities and Exchange Commission’s cybersecurity roundtable.
Sibears, executive vice president of regulatory operations and shared services at FINRA, said those three key BD threats were found in FINRA’s recently launched cybersecurity exam sweep of BDs. “We have just started to get the results in of the sweep,” Sibears said, stressing that only a cross section of BDs had been analyzed and results were preliminary.
Indeed, for advisory firms large and small, “account takeover is the No. 1 risk” when it comes to cybersecurity, added David Tittsworth, executive director of the Investment Adviser Association in Washington.
Account takeovers have “grown in frequency in the last year or two,” Tittsworth said, and involve taking someone’s ID and having a firm transfer a client’s money to outside accounts, often outside the United States.
Sibears noted that the BD cybersecurity sweep also showed that beyond the top three threats mentioned above, BDs are also concerned about “phishing attacks” where customer information is misappropriated, trades are made and money is transferred out of a client’s account.
Another risk BDs noted is malware, Sibears said.
John Denning, senior vice president of operational policy integration, development and strategy at Bank of America/Merrill Lynch, who sat on the panel with Tittsworth and Sibears to explore cybersecurity challenges for BDs and advisors, said that “firms must have robust information sharing systems” with law enforcement and regulators. “It’s the only way we’re going to be able to reduce risk to the sector, to start the information sharing.”
As for best practices, Craig Thomas, chief information security officer at Computershare, said that firms must “believe that you are going to get attacked; you have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Should the SEC Do?
The “SEC should provide principles-based guidance due to the constantly changing landscape,” said Marcus Prendergast, director and corporate information security officer of ITG.
Sibears added that it was likely FINRA would “push out some effective practices,” but whether guidance would be rules-based or principles-based, he “can’t say.”
However, he said, “we recognized this is a rapidly changing environment, so there has to be a component that allows the industry to adapt.”
Tittsworth said industry officials that he has spoken to urge the SEC to “please resist the urge to impose rigid requirements.” However, “gathering information can be very helpful.”