The top risks broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees, and hackers penetrating BD systems, Daniel Sibears of FINRA said at the Securities and Exchange Commission’s cybersecurity roundtable.
Sibears, executive vice president of regulatory operations and shared services at FINRA, said those key threats were found in FINRA’s recently launched cybersecurity exam sweep of BDs. “We have just started to get the results in of the sweep,” Sibears said, stressing that only a cross section of BDs had been analyzed and results were preliminary.
Sibears noted that beyond the top three threats mentioned above, BDs are also concerned about “phishing attacks” where customer information is misappropriated, trades are made and money is transferred out of a client’s account.
John Denning, senior vice president of operational policy integration, development and strategy at Bank of America Merrill Lynch, who sat on the panel with Sibears, said that “firms must have robust information sharing systems” with law enforcement and regulators. “It’s the only way we’re going to be able to reduce risk to the sector, to start the information sharing.”
Craig Thomas, chief information security officer at Computershare, said that firms must “believe that you are going to get attacked. You have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Should the SEC Do?
The “SEC should provide principles-based guidance due to the constantly changing landscape,” said Marcus Prendergast, director and corporate information security officer of ITG.
Sibears added that it was likely FINRA would “push out some effective practices,” but whether guidance would be rules-based or principles-based, he “can’t say.”
However, he said, “we recognize this is a rapidly changing environment, so there has to be a component that allows the industry to adapt.”
Indeed, Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted during the first panel at the roundtable that while the financial services industry is likely the “most advanced in terms of thinking about cybersecurity” as they have “become technology firms,” they should exert a constant effort “to stay ahead” of potential threats.