Cybersecurity reports released Tuesday by the Securities and Exchange Commission and the Financial Industry Regulatory Authority found that broker-dealers are further along than advisors in protecting their practices from cyberattacks.
The SEC’s Cybersecurity Exam Sweep report summarizes findings of recent exams of 57 BDs and 49 registered investment advisors conducted under the agency’s Office of Compliance Inspections and Examinations’ Cybersecurity Examination Initiative. The SEC examined a cross-section of the financial services industry to assess various firms’ vulnerability to cyberattacks.
The same day, FINRA released its Report on Cybersecurity Practices, which highlights cybersecurity practices BDs should adopt.
Brian Rubin, a partner at Sutherland Asbill & Brennan who heads the Securities Litigation and Enforcement Group in Washington, told ThinkAdvisor in an email message that all BDs and advisors “would benefit from carefully reviewing both reports,” as the SEC and FINRA reports “take a different approach” to cybersecurity issues.
The SEC’s survey will allow firms to see how they compare generally to other firms, while FINRA’s report does “an excellent job” describing the background and framework for cybersecurity programs, Rubin says.
Broker-dealers and advisors “should be aware that both the SEC and FINRA will likely bring enforcement actions if firms’ policies and procedures are found to be deficient,” Rubin warned.
The reports show that “BDs appear to have addressed cybersecurity issues more robustly” than advisors, Rubin adds. “Since we don’t know the exact firms involved, it could be a function of their size, their business model, the fact that BDs are regulated by an SRO, or something else.”
The SEC found that the “vast majority” of examined broker-dealers (93%) and advisors (83%) have adopted written information security policies, with most of the BDs (89%) and the majority of the advisors (57%) conducting periodic audits to determine compliance with them.