Think that your firm is too small or that your cyberdefenses are too strong to worry about digital attacks on your firm’s—and your clients’—data? The SEC and FINRA don’t think so. A reading of the regulators’ official announcements and the insights of those who know how they operate suggest that advisors run the risk not only of compromised data but of major fines as the regulators gear up to make examples of firms for cybersecurity shortcomings.
Why the increased scrutiny? “We’re not in Kansas anymore,” said John Reed Stark of the digital security firm Stroz Friedberg in describing the current landscape for advisors. Over the past few years, attacks on advisors and their partners have morphed from the traditional account takeover—highjacking of passwords and user names—into more dramatic attacks involving sophisticated malware that is not only highly disruptive but hard to trace.
The SEC and FINRA are addressing the threat head-on, with both regulators listing cybersecurity as one of their top priorities this year and launching exam sweeps of broker-dealers and advisors that focus on the issue.
Failing to prepare for such exams could cost BDs and advisors dearly. The law firm Sutherland Asbill & Brennan recently predicted that future cybersecurity enforcement actions by the SEC could result in significant fines.
Brad Bondi, a partner with the law firm Cadwalader, who participated in a cybersecurity-related webinar with Stark that was sponsored by Securities Docket in early May, agreed that “there will be a ‘message’ case or two” out of the exam sweeps being conducted by the SEC and FINRA. “You don’t want to be part of that handful of firms that will have enforcement actions.”
Stark, who headed the SEC’s Office of Internet Enforcement from 1998 to 2009, told IA that the SEC will be looking to make an example of firms with lax data security policies. “That’s the way the [SEC] enforcement division does business,” he said. “They bring cases and bring them loudly and strongly, and use them to send a message to the marketplace.”
Before the latest exam sweeps began, Sutherland noted that securities regulators had already levied enforcement actions against firms based on cybersecurity governance failures like having inadequate written policies and procedures; failing to enforce written policies and procedures; failing to conduct periodic assessments of cybersecurity procedures and measures; and failing to respond to deficiencies identified through such periodic assessments. (See sidebar, “Cybersecurity: What the Regulators May Do”)
While the security breaches at retail chains like Target and Neiman Marcus prompted the House Committee on Homeland Security to unanimously approve in early February H.R. 3696, the National Cybersecurity and Critical Infrastructure Protection Act of 2013, Stark said that a “quiet evolution” has been taking place at the SEC for years to beef up its expertise regarding cybersecurity threats, first with the launch of the Office of Internet Enforcement in 1998, and then with former SEC Chairwoman Mary Schapiro’s decision to heighten the agency’s focus in 2010 on IT infrastructure issues, including requiring that an IT specialist accompany examiners for RIA exams.
Stark said that during his time at the SEC, account takeovers were the most prevalent security breach, not malware—which he described as malicious attacks that “infiltrate a network and exercises command or control with a large impact factor that is difficult to trace.” But today, broker-dealers and advisors are increasingly susceptible to such attacks.
Indeed, during a cybersecurity roundtable held at the SEC’s Washington headquarters in March, Craig Thomas, chief information security officer at Computershare, said that preparation is crucial to warding off attacks. Firms must “believe that you are going to get attacked. You have to be thinking ahead of the game; security is always trying to catch up with technology.”
What Are the Risks?
Cyrus Amir-Mokri, assistant secretary for financial institutions at the Treasury Department, noted at the SEC roundtable that while the financial services industry is likely the “most advanced in terms of thinking about cybersecurity” as they have “become technology firms,” firms should exert a constant effort to stay ahead of potential cybersecurity threats.
Top risks that broker-dealers face in dealing with cybersecurity threats are operational risk, “insider” risks posed by rogue employees and hackers penetrating BDs’ systems, according to Daniel Sibears, executive vice president of member regulation programs at FINRA.
For advisory firms both large and small, “account takeover is the No. 1 risk” when it comes to cybersecurity, added David Tittsworth, executive director of the Investment Adviser Association (IAA). Account takeovers have grown over the past couple of years, he said.
But Stark said BDs and advisors are increasingly susceptible to malware-type attacks, which is where the SEC is shifting its focus. The SEC has had a “more narrow” focus regarding protecting customer data, he said. “Now it’s more about protecting the marketplace overall from the ramifications of any data breach.”
The SEC, he added, “has a history of getting in front of things, especially emerging technologies, and figuring out how best to regulate and enforce in those areas. This is what they are doing with respect to cybersecurity.” Stark said that the commission has executed a “paradigm shift from protecting customers’ data to protecting yourself from cybersecurity breaches overall.”
Jane Jarcho, head of the SEC’s investment advisor/investment company exam program, warned advisors at the IAA’s compliance conference in March that “everybody has to be concerned about cybersecurity” and that there’s “no pass for small firms.”