As regulators ramp up cybersecurity exams this year, advisors and brokers are racing to figure out how to address technology breaches and protect client data against growing online threats.
“Especially this year, when the SEC and FINRA released their guidelines, cybersecurity has been a heightened area of conversation,” said Neal Quon, co-founder of financial technology consultant QuonWarrene, at last week’s Technology Tools for Today (T3) conference in Dallas. “There’s a lack of a standard. It’s the minimum of what you can do today to respond to a threat. You have to be nimble to respond to every evolving threat.”
The buzz around cybersecurity at T3 came as the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations looks more closely at the quality of firms’ technical infrastructure. The SEC’s National Exam Program will continue this year with targeted information-technology exams of both broker-dealers and advisors.
Vincente Martinez, chief of the SEC’s Office of Market Intelligence, recently said the SEC is levying cyber-related actions via Regulation SP while the Financial Industry Regulatory Authority is levying actions under the SP rule as well as FINRA Rule 2010.
Registered investment advisors have a fiduciary responsibility to act prudently when it comes to cybersecurity, Quon noted. For example, he said, Charles Schwab as custodian is required to inform investors of cyber breaches, yet RIAs “from a relationship standpoint” also should take on the responsibility of keeping investors informed.
During a T3 cybersecurity session moderated by tech consultant and FPPad founder Bill Winterberg, a group of panelists talked about how already taxed and thin IT departments are now struggling to meet 28 SEC exam requests that lay out a firm’s cyber processes and procedures.
William French, vice president of risk management at Fidelity Investments, said advisory firms must educate themselves on current cyber threats and pass on that knowledge to their clients. Sophisticated phishing schemes are now targeting advisors’ clients by creating legitimate-looking requests via advisors’ email addresses and then assuming control of accounts, he said.
“We’re seeing such a focus by the fraudsters on personal email accounts,” French warned. “Advisories must be knowledgeable intermediaries and convey information to end customers.”
Guarding Against Breaches
As advisory firms review their policies and procedures, Brian Edelman, chief executive of Financial Computer Services, recommended that they assign the role of cybersecurity chief to an individual at the firm. The SEC’s cybersecurity initiative requests that advisory firms make an inventory of electronic equipment, including laptops and mobile phones, Edelman said, adding that advisory firms affiliated with a broker-dealer should learn their BD’s cyber rules.