Cybersecurity reports released Tuesday by the Securities and Exchange Commission and the Financial Industry Regulatory Authority found that broker-dealers are further along in protecting their practices from cyberattacks than advisors.
The SEC’s Cybersecurity Exam Sweep report summarizes findings of recent exams of 57 BDs and 49 registered investment advisors conducted under the agency’s Office of Compliance Inspections and Examinations’ Cybersecurity Examination Initiative. The SEC examined a cross-section of the financial services industry to assess various firms’ vulnerability to cyberattacks.
FINRA released the same day its Report on Cybersecurity Practices, which highlights cybersecurity practices BDs should adopt.
Brian Rubin, a partner at Sutherland Asbill & Brennan who heads the Securities Litigation and Enforcement Group in Washington, told ThinkAdvisor in an email message that all BDs and advisors “would benefit from carefully reviewing both reports,” as the SEC and FINRA reports “take a different approach” to cybersecurity issues.
The SEC’s survey will allow firms to see how they compare generally to other firms, while FINRA’s report does “an excellent job” describing the background and framework for cybersecurity programs, Rubin says.
Broker-dealers and advisors “should be aware that both the SEC and FINRA will likely bring enforcement actions if firms’ policies and procedures are found to be deficient,” Rubin warned.
The reports show that “BDs appear to have addressed cybersecurity issues more robustly” than advisors, Rubin adds. “Since we don’t know the exact firms involved, it could be a function of their size, their business model, the fact that BDs are regulated by an SRO, or something else.”
The SEC found that the “vast majority” of examined broker-dealers (93%) and advisors (83%) have adopted written information security policies, with most of the BDs (89%) and the majority of the advisors (57%) conducting periodic audits to determine compliance with them.
The SEC also found that 88% of broker-dealers and 74% of advisors have experienced cyberattacks directly or through one or more of their vendors, with the majority of the cyber-related incidents related to malware and fraudulent emails.
FINRA notes that in both its 2014 cybersecurity sweep and 2011 cybersecurity survey, firms identified three top threats: hackers penetrating firm systems; insiders compromising firm or client data; and operational risks.
The severity of threat varies by firm and by business model, FINRA notes, with online brokerage firms and retail brokerages more likely to rank hackers as their top priority risk. Firms that engage in algorithmic trading were more likely to rank insider risks more highly, while large investment banks or broker-dealers typically ranked risks from nation states or hacktivist groups more highly than other firms.
“Firms need to understand the types of threats they face, their assets most likely to be targeted for attack and the likely sources of these threats,” FINRA states.
The SEC notes in its report that SEC staff is still reviewing the information from OCIE’s cybersecurity sweep “to discern correlations between the examined firms’ preparedness and controls and their size, complexity, or other characteristics,” and that OCIE will continue to focus on cybersecurity using risk-based examinations this year.
FINRA examiners will also review this year firms’ approaches to cybersecurity risk management, including their governance structures and processes for conducting risk assessments and addressing the output of those assessments.