ThinkAdvisor

BDs Increasing Protection Against Cyber Breaches, Survey Finds

Thirty-two percent of broker-dealers polled in a just-released cybersecurity survey experienced a cybersecurity incident in 2013 or 2014, with a large portion of them (86%) also stating they carry cyber-insurance and have policies covering costs related to cyber-incidents attributable to vendors.

The law firm Sutherland Asbill & Brennan and the Financial Services Institute surveyed 39 FSI broker-dealer members on their use and protection of mobile devices, cybersecurity governance, technical safeguards, customer authentication as well as their vendor management.

Brian Rubin, a partner at Sutherland in Washington, noted that the SEC, by contrast, found that 88% of broker-dealers and 74% of investment advisors experienced a cybersecurity incident during the same 2013 to 2014 time period.  

Rubin says the lower number of cyber incidents among FSI BD members may suggest they are “not major targets for cyberattacks” or that “some firms have been the subject of benign incidents but haven’t realized it yet.”

As media reports have noted, even big companies that spend millions of dollars on cybersecurity “have gone months before learning about incidents,” Rubin notes.

The survey of 39 BDs (92% of which were dually registered as BDs and investment advisors and ranged in size from fewer than 100 registered reps to more than 2,000) found that 88% of the firms utilize email encryption, while 88% of them automatically update their antivirus software.

A whopping 100% of the surveyed firms terminate third parties’ passwords and system access once they have completed their work.

Indeed, Christopher Hetner, Cybersecurity Lead in the Securities and Exchange Commission’s Office of Compliance Inspections and Examinations, said Tuesday at the joint SEC and Financial Industry Regulatory Authority BD Compliance Outreach Seminar that “very high-profile [cybersecurity] incidences have occurred with third-parties.” He warned BDs to “understand who your third-party” vendors are.

Daniel Sibears, FINRA’s EVP of Regulatory Operations, agreed at the BD seminar that “vendor due diligence” must be part of a firm’s cybersecurity measures.

“Large firms tend to use more vendors,” so BDs’ cybersecurity management in this area “has to be broad and deep,” Sibears said.

Lon Dolber, CEO of American Portfolios Financial Services, stated at the seminar that his BD now has a “vendor review committee” to review vendors and their cybersecurity policies. “You need a process, and I would do it through a committee.”

Dolber also noted that his BD is assessing the cyber risks associated with e-signatures. “We’re doing a pre-mortem test to see how an e-signature could be challenged. We’re not going to rely just on what the vendor tells us because they won’t be held responsible if we have a breach.”