The financial industry can consider it a sure thing that cyber-risk will grow in the year ahead, and it will hit different segments in different ways. Here are some issues to keep in mind.
Advisors and broker-dealers. The SEC’s Office of Compliance Inspections and Examinations issued a risk alert on cybersecurity in September. The results of OCIE’s first round of cybersecurity exams were published last February, indicating that BDs were farther along than RIAs. The new round of exams will focus on six areas: governance and risk assessment, access rights and controls, data loss prevention, vendor management, training and incident response.
According to a recent report from External IT, an IT outsourcing firm that specializes in the financial industry, neither advisors nor broker-dealers are well prepared. The report, “Financial Services Firms Face Further Scrutiny of Their Cybersecurity Practices: Is Your Firm Ready?” highlighted some examples.
Firms tend to be more reactive than proactive, according to the report, particularly regarding IT security. Failure to track data, keep records of emails and other activities or plan for breaches could mean a firm misses attempts at cyber-intrusion.
Calling in outside IT consultants can bring its own pitfalls if those experts aren’t sufficiently vetted, or if the IT firm doesn’t focus on financial firms and fails to recognize financial compliance requirements.
The use of outside devices by employees is also problematic. The best security in the world won’t help if there’s no way to track data or emails stored on or originating from an employee’s personal laptop or other device.
Then there’s cybersecurity incident response — something most firms lack. Although most firms do have “checklists and procedures to immediately invoke when disaster strikes IT systems,” the report said, “the SEC wants firms to have a response plan for data breaches and cyberterrorism.” One part of that, the paper said, should be insurance coverage.
Insurance. Insurers are looking at the effects of cyber-risk in a number of ways, from the danger of breaches at the businesses they protect to the opportunities the threat presents to create and offer new products.
Hackers have already proved adept at punching holes in financial firms’ firewalls, as became clear in November with indictments against three men the Justice Department said stole data on some 100 million customers of financial firms including JPMorgan Chase, E-Trade, Scottrade and even Dow Jones.