The North American Securities Administrators Association is mulling a model cybersecurity rule for investment advisors and is currently developing cyber guidance and a “checklist” for small advisory firms to use to assess their cyber preparedness.
“Cybersecurity is a growing challenge for the securities industry and for securities regulators at all levels,” Mike Rothman, NASAA president and Minnesota commissioner of commerce, said Friday at NASAA’s Cybersecurity Roundtable in Washington. “No securities firm or investment advisor of any size can afford the loss in client trust — much less financial losses — that will result from a serious cybersecurity failure. And no investor should have his or her personal information compromised or hard-earned money stolen.”
Rothman said that information gleaned through NASAA’s “cybersecurity module,” developed for state securities examiners’ coordinated advisor exam programs, “will help inform our consideration of a possible model cybersecurity rule for investment advisors.”
Catherine Jones, who heads NASAA’s Investment Adviser Section and its Cybersecurity and Technology Project Group and who spoke on a panel at the conference, said that the checklist will provide smaller advisors “with questions to ask themselves to do a risk assessment.”
State advisors “need education on cybersecurity issues,” Jones said. “Along with the checklist, we will be creating some guidance for the state IAs.”
NASAA also provides a resource document to help state examiners brush up on cyber issues.
Jones noted that three states — New York, Vermont and Colorado — currently have cyber regs in place.
Cyberattacks “have become increasingly sophisticated and widespread,” Rothman said.
In 2016, Rothman continued, “the number of U.S. data breaches reached an all-time high of 1,093 reported to the identity theft resource center; that’s an increase of 40% over the 780 breaches reported in 2015.”
Data breaches will cost businesses over $8 trillion over the next five years, according to a recent Juniper report, Rothman added. The report also found that the number of personal data records stolen by cybercriminals will reach $2.8 billion this year and $5 billion in 2020.
Christopher Hetner, senior cybersecurity advisor to Securities and Exchange Commission Chairman Jay Clayton, stated at the NASAA event that the agency is “keenly focused” on cybersecurity issues as it views cybersecurity as a “persistent advanced threat.”
Some of the “attack factors” the SEC has noticed against registrants include “trying to trick advisors into sending money to other parties; others are designed to pilfer private information to then be repurposed for other means,” Hetner said. “We’ve seen an increase in ransomware as well, … systems and files will be disabled and trade operations” will be halted.
“The commission realizes the threat landscape continues to grow, so we’re focused on ensuring our internal systems, as well as our policies … continues to evolve.”
Hetner, also the cybersecurity lead for the Technology Control Program within the SEC’s Office of Compliance Inspections and Examinations, said the cyber team helps to inform rulemaking, exam activity, and from an enforcement perspective is “largely focused on illicit trading and violations to our rules and regulations.”
Jonathan Dean, supervisory special agent, cyber division and mission critical engagement unit at the FBI, who also spoke at the event, said that there are six types of cyberattacks:
Hacktivism: “Think activist,” he said, such as an “animal rights group trying to commit [a hack] in furtherance of political or societal ideology”;
Crime: “Straight-up criminals going after personal information for money — plain and simple”;
Insider: “Employees that are disgruntled”;
Espionage: Two forms — nation-state and economic;
Terrorism: “They want to shut off the power grid, wreak havoc”;
Warfare: Military — going after the air traffic controllers; a foreign government attack, such as an attack on the U.S. election.
What’s the biggest scheme now? Business email compromise, Dean said, which “doesn’t get enough press.”