The North American Securities Administrators Association is mulling a model cybersecurity rule for investment advisors and is currently developing cyber guidance and a “checklist” for small advisory firms to use to assess their cyber preparedness.
“Cybersecurity is a growing challenge for the securities industry and for securities regulators at all levels,” Mike Rothman, NASAA president and Minnesota commissioner of commerce, said Friday at NASAA’s Cybersecurity Roundtable in Washington. “No securities firm or investment advisor of any size can afford the loss in client trust — much less financial losses — that will result from a serious cybersecurity failure. And no investor should have his or her personal information compromised or hard-earned money stolen.”
Rothman said that information gleaned through NASAA’s “cybersecurity module,” developed for state securities examiners’ coordinated advisor exam programs, “will help inform our consideration of a possible model cybersecurity rule for investment advisors.”
Catherine Jones, who heads NASAA’s Investment Adviser Section and its Cybersecurity and Technology Project Group and who spoke on a panel at the conference, said that the checklist will provide smaller advisors “with questions to ask themselves to do a risk assessment.”
State advisors “need education on cybersecurity issues,” Jones said. “Along with the checklist, we will be creating some guidance for the state IAs.”
NASAA also provides a resource document to help state examiners brush up on cyber issues.
Jones noted that three states — New York, Vermont and Colorado — currently have cyber regs in place.
Cyberattacks “have become increasingly sophisticated and widespread,” Rothman said.
In 2016, Rothman continued, “the number of U.S. data breaches reached an all-time high of 1,093 reported to the Identity Theft Resource Center; that’s an increase of 40% over the 780 breaches reported in 2015.”
Data breaches will cost businesses over $8 trillion over the next five years, according to a recent Juniper report, Rothman added. The report also found that the number of personal data records stolen by cybercriminals will reach $2.8 billion this year and $5 billion in 2020.
Christopher Hetner, senior cybersecurity advisor to Securities and Exchange Commission Chairman Jay Clayton, stated at the NASAA event that the agency is “keenly focused” on cybersecurity issues as it views cybersecurity as a “persistent advanced threat.”
Some of the “attack factors” the SEC has noticed against registrants include “trying to trick advisors into sending money to other parties; others are designed to pilfer private information to then be repurposed for other means,” Hetner said. “We’ve seen an increase in ransomware as well, … systems and files will be disabled and trade operations” will be halted.